Validate secrets

Author: r4victor

…versions/8d99ec1a4e87_add_secretmodel.py …versions/7b754317d91e_add_secretmodel.pysrc/dstack/_internal/server/migrations/versions/8d99ec1a4e87_add_secretmodel.py renamed to src/dstack/_internal/server/migrations/versions/7b754317d91e_add_secretmodel.py src/dstack/_internal/server/migrations/versions/8d99ec1a4e87_add_secretmodel.py renamed to src/dstack/_internal/server/migrations/versions/7b754317d91e_add_secretmodel.py

@@ -1,8 +1,8 @@
 """Add SecretModel
 
-Revision ID: 8d99ec1a4e87
+Revision ID: 7b754317d91e
 Revises: 35e90e1b0d3e
-Create Date: 2025-06-26 14:04:45.440433
+Create Date: 2025-06-30 10:20:07.288474
 
 """
 
@@ -13,7 +13,7 @@
 import dstack._internal.server.models
 
 # revision identifiers, used by Alembic.
-revision = "8d99ec1a4e87"
+revision = "7b754317d91e"
 down_revision = "35e90e1b0d3e"
 branch_labels = None
 depends_on = None
@@ -30,9 +30,7 @@ def upgrade() -> None:
         sa.Column("created_at", dstack._internal.server.models.NaiveDateTime(), nullable=False),
         sa.Column("updated_at", dstack._internal.server.models.NaiveDateTime(), nullable=False),
         sa.Column("name", sa.String(length=200), nullable=False),
-        sa.Column(
-            "value", dstack._internal.server.models.EncryptedString(length=2000), nullable=False
-        ),
+        sa.Column("value", dstack._internal.server.models.EncryptedString(), nullable=False),
         sa.ForeignKeyConstraint(
             ["project_id"],
             ["projects.id"],

src/dstack/_internal/server/models.py

@@ -728,4 +728,4 @@ class SecretModel(BaseModel):
     updated_at: Mapped[datetime] = mapped_column(NaiveDateTime, default=get_current_datetime)
 
     name: Mapped[str] = mapped_column(String(200))
-    value: Mapped[DecryptedString] = mapped_column(EncryptedString(2000))
+    value: Mapped[DecryptedString] = mapped_column(EncryptedString())

src/dstack/_internal/server/services/secrets.py

@@ -1,17 +1,26 @@
+import re
 from typing import Dict, List, Optional
 
 import sqlalchemy.exc
 from sqlalchemy import delete, select, update
 from sqlalchemy.ext.asyncio import AsyncSession
 
-from dstack._internal.core.errors import ResourceExistsError, ResourceNotExistsError
+from dstack._internal.core.errors import (
+    ResourceExistsError,
+    ResourceNotExistsError,
+    ServerClientError,
+)
 from dstack._internal.core.models.secrets import Secret
 from dstack._internal.server.models import DecryptedString, ProjectModel, SecretModel
 from dstack._internal.utils.logging import get_logger
 
 logger = get_logger(__name__)
 
 
+_SECRET_NAME_REGEX = "^[A-Za-z0-9-_]{1,200}$"
+_SECRET_VALUE_MAX_LENGTH = 2000
+
+
 async def list_secrets(
     session: AsyncSession,
     project: ProjectModel,
@@ -49,6 +58,7 @@ async def create_or_update_secret(
     name: str,
     value: str,
 ) -> Secret:
+    _validate_secret(name=name, value=value)
     try:
         secret_model = await create_secret(
             session=session,
@@ -177,3 +187,18 @@ async def update_secret(
     if secret_model is None:
         raise ResourceNotExistsError()
     return secret_model
+
+
+def _validate_secret(name: str, value: str):
+    _validate_secret_name(name)
+    _validate_secret_value(value)
+
+
+def _validate_secret_name(name: str):
+    if re.match(_SECRET_NAME_REGEX, name) is None:
+        raise ServerClientError(f"Secret name should match regex '{_SECRET_NAME_REGEX}")
+
+
+def _validate_secret_value(value: str):
+    if len(value) > _SECRET_VALUE_MAX_LENGTH:
+        raise ServerClientError(f"Secret value length must not exceed {_SECRET_VALUE_MAX_LENGTH}")

src/tests/_internal/server/routers/test_secrets.py

@@ -166,6 +166,39 @@ async def test_updates_secret(self, test_db, session: AsyncSession, client: Asyn
         await session.refresh(secret)
         assert secret.value.get_plaintext_or_error() == "new_value"
 
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize("test_db", ["sqlite", "postgres"], indirect=True)
+    @pytest.mark.parametrize(
+        "name, value",
+        [
+            ("too_long_secret_value", "a" * 2001),
+            ("", "empty_name"),
+            ("@7&.", "wierd_name_chars"),
+        ],
+    )
+    async def test_rejects_bad_names_values(
+        self,
+        test_db,
+        session: AsyncSession,
+        client: AsyncClient,
+        name: str,
+        value,
+    ):
+        user = await create_user(session=session, global_role=GlobalRole.USER)
+        project = await create_project(session=session, owner=user)
+        await add_project_member(
+            session=session, project=project, user=user, project_role=ProjectRole.ADMIN
+        )
+        response = await client.post(
+            f"/api/project/{project.name}/secrets/create_or_update",
+            headers=get_auth_headers(user.token),
+            json={"name": name, "value": value},
+        )
+        assert response.status_code == 400
+        res = await session.execute(select(SecretModel))
+        secret_model = res.scalar()
+        assert secret_model is None
+
 
 class TestDeleteSecrets:
     @pytest.mark.asyncio