
feat(validate): add custom template input validation (#565) #703

Merged
ArangoGutierrez merged 2 commits into NVIDIA:main from ArangoGutierrez:feat/565-custom-template-validation
Mar 5, 2026

@ArangoGutierrez
Collaborator

Summary

Test plan

  • 9 new test cases covering all validation rules
  • All existing validation tests continue to pass
  • go build ./... passes
  • go vet ./... passes

Validates template name, phase, source exclusivity, URL scheme (HTTPS
only), file path safety (including path traversal), checksum format
(sha256), and duplicate names.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>
@coveralls

Pull Request Test Coverage Report for Build 22684960905

Details

  • 55 of 59 (93.22%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.5%) to 48.9%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
|---|---|---|---|
| pkg/provisioner/templates/validate.go | 55 | 59 | 93.22% |
Totals Coverage Status
Change from base Build 22684231249: 0.5%
Covered Lines: 2712
Relevant Lines: 5546

💛 - Coveralls

NVIDIA#565)

Address review feedback on PR NVIDIA#703:
- R1: Validate env var keys against [a-zA-Z_][a-zA-Z0-9_]* to prevent
  command injection via export statements in the executor
- R2: Check for ".." as a path component (split on "/") instead of
  substring match, allowing legitimate filenames like "foo..bar.sh"

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>
@ArangoGutierrez ArangoGutierrez marked this pull request as ready for review March 5, 2026 10:33
Copilot AI review requested due to automatic review settings March 5, 2026 10:33
@ArangoGutierrez ArangoGutierrez merged commit dc89b78 into NVIDIA:main Mar 5, 2026
25 checks passed
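
The two checks named in the review-feedback commit (R1 and R2), sketched as an added example that is not the project's code from pkg/provisioner/templates/validate.go. The function names, the `exportLine` helper with its single-quoting of values, and the sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// envKeyRe is the pattern quoted in the commit message, anchored so the
// whole key must match (Go's "$" matches only at end of text).
var envKeyRe = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]*$`)

// validEnvKey reports whether key is safe to place after "export ".
func validEnvKey(key string) bool {
	return envKeyRe.MatchString(key)
}

// hasDotDotComponent splits on "/" and looks for a ".." element, so
// "foo..bar.sh" passes while "a/../b.sh" does not.
func hasDotDotComponent(path string) bool {
	for _, part := range strings.Split(path, "/") {
		if part == ".." {
			return true
		}
	}
	return false
}

// exportLine is a hypothetical stand-in for the executor's export step.
// It refuses keys that fail validation and single-quotes the value.
func exportLine(key, value string) (string, error) {
	if !validEnvKey(key) {
		return "", fmt.Errorf("invalid env var key %q", key)
	}
	quoted := "'" + strings.ReplaceAll(value, "'", `'\''`) + "'"
	return "export " + key + "=" + quoted, nil
}

func main() {
	// Constructed sample inputs, not taken from the PR's test cases.
	for _, k := range []string{"CUDA_HOME", "_x1", "1BAD", "A=B", "FOO;id", ""} {
		fmt.Printf("key %-12q valid=%v\n", k, validEnvKey(k))
	}
	for _, p := range []string{"foo..bar.sh", "scripts/setup.sh", "../setup.sh", "a/../b.sh", "a/..b/c"} {
		fmt.Printf("path %-20q dotdot=%v\n", p, hasDotDotComponent(p))
	}
}
```

A substring match on ".." would reject both "foo..bar.sh" and "a/..b/c" here, which is the false positive R2 removes.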