feat(chore): add pattern validation logic

Author: joe0BAB

pkg/engine/engine.go

@@ -66,7 +66,7 @@ func envelopeErr(req secrets.Request, err error) secrets.Envelope {
 type pluginRegistration struct {
 	name string
 	//version  string
-	pattern  string
+	pattern  secrets.Pattern
 	provider secrets.Resolver
 }
 
@@ -76,10 +76,14 @@ func (e *Engine) Register(name, _, pattern string, provider secrets.Resolver) er
 	}) {
 		return fmt.Errorf("provider name %q already registered", name)
 	}
+	p, err := secrets.ParsePattern(pattern)
+	if err != nil {
+		return err
+	}
 
 	e.plugins = append(e.plugins, pluginRegistration{
 		name:     name,
-		pattern:  pattern,
+		pattern:  p,
 		provider: provider,
 	})
 

pkg/secrets/identifiers.go

@@ -76,9 +76,9 @@ func isValidRune(c rune) bool {
 // - "*" matches a single component
 // - "**" matches zero or more components
 // - "/" is the separator
-func (id ID) Match(pattern string) bool {
+func (id ID) Match(pattern Pattern) bool {
 	pathParts := split(string(id))
-	patternParts := split(pattern)
+	patternParts := split(string(pattern))
 
 	return match(patternParts, pathParts)
 }

pkg/secrets/identifiers_test.go

@@ -37,7 +37,7 @@ func TestParseID(t *testing.T) {
 
 func TestMatch(t *testing.T) {
 	tests := []struct {
-		pattern   string
+		pattern   Pattern
 		matches   []string
 		noMatches []string
 	}{
@@ -67,7 +67,7 @@ func TestMatch(t *testing.T) {
 		},
 	}
 	for _, tc := range tests {
-		t.Run(tc.pattern, func(t *testing.T) {
+		t.Run(string(tc.pattern), func(t *testing.T) {
 			for _, m := range tc.matches {
 				id, err := ParseID(m)
 				assert.NoError(t, err)

pkg/secrets/pattern.go

@@ -0,0 +1,86 @@
+package secrets
+
+import (
+	"errors"
+	"fmt"
+)
+
+var (
+	ErrInvalidPattern = errors.New("invalid pattern")
+)
+
+type Pattern string
+
+func ParsePattern(pattern string) (Pattern, error) {
+	p := Pattern(pattern)
+	if err := p.Valid(); err != nil {
+		return "", fmt.Errorf("parse pattern: %w", err)
+	}
+	return p, nil
+}
+
+func (p Pattern) Valid() error {
+	if !validPattern(string(p)) {
+		return ErrInvalidPattern
+	}
+	return nil
+}
+
+func (p Pattern) Match(id ID) bool {
+	pathParts := split(string(id))
+	patternParts := split(string(p))
+
+	return match(patternParts, pathParts)
+}
+
+// validPattern checks if a pattern is valid without using regexp or unicode.
+// Rules:
+// - Components separated by '/'
+// - Each component is non-empty
+// - Only characters A-Z, a-z, 0-9, '.', '-', '_' or '*'
+// - No leading, trailing, or double slashes
+// - '*' can be used in two ways: '*' matches a single component, '**' matches zero or more components
+func validPattern(s string) bool {
+	if len(s) == 0 {
+		return false
+	}
+
+	componentLen := 0
+	wildcardLen := 0
+	for _, r := range s {
+		switch {
+		case r == '/':
+			if componentLen == 0 {
+				// Empty component (leading, trailing, or double slash)
+				return false
+			}
+			if wildcardLen > 2 {
+				// No more than two wildcards per component
+				return false
+			}
+			if wildcardLen > 0 && wildcardLen != componentLen {
+				// Wildcard can't be mixed with other characters in the same component
+				return false
+			}
+			componentLen = 0
+			wildcardLen = 0
+		case isValidPatternRune(r):
+			componentLen++
+			if r == '*' {
+				wildcardLen++
+			}
+		default:
+			return false
+		}
+	}
+
+	// Final component must not be empty
+	return componentLen > 0
+}
+
+func isValidPatternRune(c rune) bool {
+	return (c >= 'A' && c <= 'Z') ||
+		(c >= 'a' && c <= 'z') ||
+		(c >= '0' && c <= '9') ||
+		c == '.' || c == '-' || c == '_' || c == '*'
+}

pkg/secrets/pattern_test.go

@@ -0,0 +1,41 @@
+package secrets
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParsePattern(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  string
+		outErr bool
+	}{
+		{"valid pattern with single component", "foo", false},
+		{"valid pattern with multiple components", "foo/bar/baz", false},
+		{"valid pattern only with asterisk", "*", false},
+		{"valid pattern only with double asterisk", "**", false},
+		{"valid pattern starting with asterisk", "*/bar", false},
+		{"valid pattern ending with asterisk", "foo/*/baz", false},
+		{"valid pattern starting with double asterisk", "**/bar", false},
+		{"valid pattern ending with double asterisk", "foo/**/baz", false},
+		{"valid pattern with mix of components and wildcards", "foo/*/baz/**/*", false},
+		{"invalid pattern with leading slash", "/foo/bar", true},
+		{"invalid pattern with trailing slash", "foo/bar/", true},
+		{"invalid pattern with empty component", "foo//bar", true},
+		{"invalid empty pattern", "", true},
+		{"invalid pattern only with slash", "/", true},
+		{"invalid pattern with mix of asterisks and allowed characters", "foo/*a*/baz", true},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := ParsePattern(tc.input)
+			if tc.outErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}