Documentation
¶
Index ¶
- Variables
- func AllowedDomains() []string
- func Alphanumeric(s string) string
- func Contains[T comparable](item T, slice []T) bool
- func SanitizeFilename(s string) (string, error)
- func SanitizeIdentifier(s string) (string, error)
- func SanitizeModuleName(s string) (string, error)
- func SanitizePath(path string) (string, error)
- func ValidateCIDR(s string) error
- func ValidateChartReference(chart string) error
- func ValidateDNSName(s string) error
- func ValidateHexToken(s string) error
- func ValidateHostPort(s string) error
- func ValidateIdentifier(s string) error
- func ValidateInputFile(filePath string) (string, error)
- func ValidateOperationID(s string) error
- func ValidatePathWithinBase(basePath, targetPath string) (string, error)
- func ValidatePort(s string) error
- func ValidateStorageSize(size string) error
- func ValidateURL(rawURL string, opts *ValidateURLOptions) error
- func ValidateUsername(s string) error
- func ValidateVersion(version string) error
- type ValidateURLOptions
Constants ¶
This section is empty.
Variables ¶
var ( // ErrInvalidName is returned by Sanitize* helpers when the input contains // no valid characters and would otherwise sanitize to an empty string. ErrInvalidName = errorx.IllegalArgument.New("invalid name") )
Functions ¶
func AllowedDomains ¶
func AllowedDomains() []string
AllowedDomains returns the allowlist of trusted domains for software downloads.
func Alphanumeric ¶
Alphanumeric ensures the input string to be ascii alphanumeric
func Contains ¶ added in v0.12.0
func Contains[T comparable](item T, slice []T) bool
Contains checks if a slice contains a specific item. It uses the equality operator (==) for comparison.
func SanitizeFilename ¶ added in v0.17.0
SanitizeFilename strips any non-filename characters from s and returns the cleaned form. Today the character set matches SanitizeIdentifier; the function is kept distinct so future relaxation (e.g. to permit '.' in real filenames) can diverge without touching identifier or kernel-module callers.
func SanitizeIdentifier ¶ added in v0.17.0
SanitizeIdentifier strips any non-identifier characters from s and returns the cleaned form. Identifier characters are alphanumerics, underscore, and hyphen ([A-Za-z0-9_-]). Returns ErrInvalidName when no valid characters remain. Use ValidateIdentifier when callers must reject (rather than rewrite) inputs containing invalid characters.
func SanitizeModuleName ¶ added in v0.17.0
SanitizeModuleName strips any non-module-name characters from s and returns the cleaned form. Today the character set matches SanitizeIdentifier; the function is kept distinct so future tightening (e.g. to drop '-' since the Linux kernel module convention is '_') can diverge without touching identifier or filename callers.
func SanitizePath ¶
SanitizePath validates and sanitizes the given path according to strict security rules.
Specifically, it:
- Rejects paths containing shell metacharacters (e.g., ; & | $ ` < > ( ) { } [ ] * ? ~).
- Rejects path traversal attempts (e.g., segments like "../", "/..", or paths ending with "..").
- Converts relative paths to absolute paths.
- Normalizes the path by removing redundant slashes and dot directories (using filepath.Clean).
- May return a cleaned version of the input path that differs from the original.
Returns the sanitized (cleaned) absolute path, or an error if the input is invalid or unsafe.
func ValidateCIDR ¶ added in v0.21.0
ValidateCIDR rejects any string that is not a syntactically valid IPv4 or IPv6 CIDR (e.g. "10.0.0.0/8", "2001:db8::/32"). It is the boundary check for management / in-cluster CIDRs that flow into the `inet host` nftables ruleset rendered to disk and applied via `nft -f`; a malformed value must never reach the renderer, where it could break the atomic transaction or smuggle in nft syntax. A bare IP without a prefix length is rejected — callers must be explicit about the mask.
func ValidateChartReference ¶ added in v0.6.0
ValidateChartReference validates a Helm chart reference (OCI URL or repo/chart name). This prevents injection attacks through chart parameters while allowing legitimate chart references. Accepts:
- OCI references: oci://registry.example.com/path/to/chart
- Repository URLs: https://charts.example.com/chart-name
- Simple chart names: my-chart, repo/chart-name
func ValidateDNSName ¶ added in v0.15.0
ValidateDNSName validates that a string is a valid DNS hostname. It allows alphanumeric characters, hyphens, and dots — the characters permitted in DNS names per RFC 952/1123. This is less restrictive than ValidateIdentifier (which rejects dots) but still rejects shell metacharacters and other unsafe input. Use this for values that may be FQDNs, such as cluster names derived from hostnames.
func ValidateHexToken ¶ added in v0.7.0
ValidateHexToken validates that a string is a valid hexadecimal token. This is used for tokens like Teleport join tokens which are hex strings. The token must:
- Not be empty
- Contain only hexadecimal characters (0-9, a-f, A-F)
- Have a reasonable maximum length (4096 characters) to prevent buffer overflow attacks
func ValidateHostPort ¶ added in v0.7.0
ValidateHostPort validates a host:port string. Accepts formats like:
- hostname (assumes default port)
- hostname:port
- IP:port (e.g., 192.168.1.1:3080)
Does NOT allow:
- Path traversal sequences
- Shell metacharacters
- URLs (use ValidateURL for those)
func ValidateIdentifier ¶ added in v0.6.0
ValidateIdentifier validates that a string contains only safe identifier characters without sanitizing/modifying it. It rejects any string that contains invalid characters. This is stricter than Identifier() which sanitizes by removing invalid characters. Use this when you need to ensure the input is already clean and reject invalid input.
func ValidateInputFile ¶
ValidateInputFile validates a file path intended for reading user-provided input files.
This function provides comprehensive validation to prevent path traversal attacks and ensure the file is safe to read. It:
- Converts relative paths to absolute paths
- Sanitizes the path to prevent path traversal and shell injection
- Verifies the file exists
- Ensures the path points to a regular file (not a directory, device, socket, etc.)
This is designed to be used in defense-in-depth scenarios where the same validation is applied at multiple layers (CLI entry point and internal APIs).
Returns the sanitized absolute path or an error if validation fails.
func ValidateOperationID ¶ added in v0.20.0
ValidateOperationID validates a consensus-node operationId. The id is either authored by the orbit reconciler (NetworkUpgradeExecute CR spec.operationId) or constructed by solo-weaver itself (e.g. the migration flow derives "migration-<timestamp>"). Either way it flows into .bak archive filenames written by the self-upgrade swap as root, so it must be safe to embed in a path: [A-Za-z0-9_.-], non-empty, no ".." traversal sequence, no shell metacharacters. The '.' is permitted so operationIds can embed dotted version strings (e.g. "upgrade-v0.76.0-20060102T150405Z").
func ValidatePathWithinBase ¶
ValidatePathWithinBase validates that a path is within a specific base directory.
This function:
- Sanitizes the input path
- Ensures the sanitized path starts with the base directory
- Prevents path traversal outside the base directory
Returns the sanitized path or an error if the path is outside the base directory.
func ValidatePort ¶ added in v0.21.0
ValidatePort rejects any string that is not a valid TCP/UDP port number in the range 1–65535. It is the boundary check for `--in-cluster-port` values before they are rendered into the `inet host` nftables ruleset.
func ValidateStorageSize ¶ added in v0.6.0
ValidateStorageSize validates a Kubernetes storage size string. Accepts sizes like: "5Gi", "10Mi", "1Ti", "100Gi", etc. This prevents injection attacks through storage size parameters while ensuring the size matches Kubernetes quantity format requirements. The numeric value must be greater than zero.
func ValidateURL ¶
func ValidateURL(rawURL string, opts *ValidateURLOptions) error
ValidateURL validates a URL to ensure it's safe to use.
This function provides security protection by checking that:
- The URL is not empty and can be parsed
- The scheme is HTTPS only (or HTTP if AllowHTTP is true)
- The host is not empty
- The URL contains only ASCII characters (prevents homograph attacks)
- The host is in the allowed domain list (if AllowedDomains is provided)
Returns an error if the URL is invalid or unsafe.
func ValidateUsername ¶ added in v0.17.0
ValidateUsername rejects any username string that would be unsafe to pass downstream to OS / shell / Helm operations.
It is particularly important for environment variables like SUDO_USER, which can be manipulated by attackers. ValidateUsername errors if the input:
- Is empty
- Contains a path-traversal sequence ("..")
- Contains shell metacharacters
- Contains any character outside the username set ([A-Za-z0-9_.-] — alphanumerics, underscore, hyphen, dot)
Dots are permitted to support common firstname.lastname Linux account conventions (e.g. via SSSD/AD-joined hosts); ".." is still rejected.
Returns nil when the input is safe; the caller can then use s as-is.
func ValidateVersion ¶ added in v0.6.0
ValidateVersion validates a semantic version string to ensure it's safe to use. Accepts versions like: "1.0.0", "1.0.0-alpha", "1.0.0-beta.1", "0.24.0", etc. This prevents injection attacks through version parameters. From the bottom of the page at https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string
Types ¶
type ValidateURLOptions ¶ added in v0.9.0
type ValidateURLOptions struct {
// AllowedDomains restricts URLs to specific domains. If nil or empty, any domain is allowed.
AllowedDomains []string
// AllowHTTP permits HTTP scheme in addition to HTTPS. Default is HTTPS only.
AllowHTTP bool
}
ValidateURLOptions provides options for URL validation.