RSPEED-2465: add character pattern validation to rlsapi v1 fields

major · major · commit 674d880a27a9 · 2026-02-25T09:56:59.000-06:00
Add Pydantic pattern validators to RlsapiV1SystemInfo (os, version, arch, system_id) and RlsapiV1CLA (nevra, version) to restrict the character set on fields that flow into Splunk telemetry. Prevents injection of control characters, newlines, and HTML/script tags.

Signed-off-by: Major Hayden &lt;major@redhat.com&gt;
diff --git a/src/models/rlsapi/requests.py b/src/models/rlsapi/requests.py
@@ -4,6 +4,22 @@
 
 from models.config import ConfigurationBase
 
+# Character validation patterns for fields flowing into Splunk telemetry.
+# Restrict the character set to prevent injection of control characters,
+# HTML/script tags, or other malicious content into the telemetry pipeline.
+
+# Alphanumeric, dots, underscores, spaces, and hyphens.
+_SAFE_TEXT_PATTERN = r"^[a-zA-Z0-9._ \-]*$"
+
+# Machine IDs: alphanumeric, dots, underscores, and hyphens (no spaces).
+_MACHINE_ID_PATTERN = r"^[a-zA-Z0-9._\-]*$"
+
+# NEVRA (Name-Epoch:Version-Release.Arch): also needs colons, plus, and tilde.
+_NEVRA_PATTERN = r"^[a-zA-Z0-9._:+~\-]*$"
+
+# Version strings: alphanumeric, dots, underscores, and hyphens.
+_VERSION_PATTERN = r"^[a-zA-Z0-9._\-]*$"
+
 
 class RlsapiV1Attachment(ConfigurationBase):
     """Attachment data from rlsapi v1 context.
@@ -49,16 +65,28 @@ class RlsapiV1SystemInfo(ConfigurationBase):
         system_id: The id of the client machine.
     """
 
-    os: str = Field(default="", description="Operating system name", examples=["RHEL"])
+    os: str = Field(
+        default="",
+        pattern=_SAFE_TEXT_PATTERN,
+        description="Operating system name",
+        examples=["RHEL"],
+    )
     version: str = Field(
-        default="", description="Operating system version", examples=["9.3", "8.10"]
+        default="",
+        pattern=_SAFE_TEXT_PATTERN,
+        description="Operating system version",
+        examples=["9.3", "8.10"],
     )
     arch: str = Field(
-        default="", description="System architecture", examples=["x86_64", "aarch64"]
+        default="",
+        pattern=_SAFE_TEXT_PATTERN,
+        description="System architecture",
+        examples=["x86_64", "aarch64"],
     )
     system_id: str = Field(
         default="",
         alias="id",
+        pattern=_MACHINE_ID_PATTERN,
         description="Client machine ID",
         examples=["01JDKR8N7QW9ZMXVGK3PB5TQWZ"],
     )
@@ -76,11 +104,13 @@ class RlsapiV1CLA(ConfigurationBase):
 
     nevra: str = Field(
         default="",
+        pattern=_NEVRA_PATTERN,
         description="CLA NEVRA identifier",
         examples=["command-line-assistant-0:0.2.0-1.el9.noarch"],
     )
     version: str = Field(
         default="",
+        pattern=_VERSION_PATTERN,
         description="Command line assistant version",
         examples=["0.2.0"],
     )
diff --git a/tests/unit/models/rlsapi/test_requests.py b/tests/unit/models/rlsapi/test_requests.py
@@ -431,9 +431,173 @@ def test_input_combinations(
         )
         assert request.get_input_source() == expected
 
-    # -------------------------------------------------------------------------
-    # Edge cases
-    # -------------------------------------------------------------------------
+
+# ---------------------------------------------------------------------------
+# Character pattern validation tests — RlsapiV1SystemInfo
+# ---------------------------------------------------------------------------
+
+
+class TestSystemInfoCharacterValidation:
+    """Test character pattern validation for RlsapiV1SystemInfo fields."""
+
+    @pytest.mark.parametrize(
+        ("field", "value"),
+        [
+            pytest.param("os", "RHEL", id="os-simple"),
+            pytest.param("os", "Red Hat Enterprise Linux", id="os-with-spaces"),
+            pytest.param("os", "CentOS-Stream", id="os-with-hyphen"),
+            pytest.param("os", "RHEL_9", id="os-with-underscore"),
+            pytest.param("os", "", id="os-empty-default"),
+            pytest.param("version", "9.3", id="version-major-minor"),
+            pytest.param("version", "8.10", id="version-two-digit-minor"),
+            pytest.param("version", "9.3.0", id="version-three-part"),
+            pytest.param("arch", "x86_64", id="arch-x86"),
+            pytest.param("arch", "aarch64", id="arch-arm"),
+            pytest.param("arch", "ppc64le", id="arch-ppc"),
+            pytest.param("arch", "s390x", id="arch-s390"),
+        ],
+    )
+    def test_valid_values_accepted(self, field: str, value: str) -> None:
+        """Test that valid system info values are accepted."""
+        sysinfo = RlsapiV1SystemInfo(**{field: value})
+        assert getattr(sysinfo, field) == value
+
+    @pytest.mark.parametrize(
+        ("field", "value"),
+        [
+            pytest.param("os", "<script>alert('xss')</script>", id="os-html-script"),
+            pytest.param("os", "RHEL\n", id="os-newline"),
+            pytest.param("os", "RHEL\t", id="os-tab"),
+            pytest.param("os", "RHEL\x00", id="os-null-byte"),
+            pytest.param("version", "9.3<br>", id="version-html-tag"),
+            pytest.param("version", "9.3\r\n", id="version-crlf"),
+            pytest.param("arch", "x86_64; rm -rf /", id="arch-semicolon"),
+            pytest.param("arch", "x86_64\x0b", id="arch-vertical-tab"),
+        ],
+    )
+    def test_invalid_values_rejected(self, field: str, value: str) -> None:
+        """Test that invalid characters are rejected in system info fields."""
+        with pytest.raises(ValidationError, match="String should match pattern"):
+            RlsapiV1SystemInfo(**{field: value})
+
+    @pytest.mark.parametrize(
+        "value",
+        [
+            pytest.param("01JDKR8N7QW9ZMXVGK3PB5TQWZ", id="ulid"),
+            pytest.param("550e8400-e29b-41d4-a716-446655440000", id="uuid"),
+            pytest.param("machine-001", id="hostname-style"),
+            pytest.param("", id="empty-default"),
+        ],
+    )
+    def test_valid_system_id(self, value: str) -> None:
+        """Test that valid machine IDs are accepted."""
+        sysinfo = RlsapiV1SystemInfo(
+            system_id=value  # pyright: ignore[reportCallIssue]
+        )
+        assert sysinfo.system_id == value
+
+    @pytest.mark.parametrize(
+        "value",
+        [
+            pytest.param("machine id with spaces", id="spaces"),
+            pytest.param("id<script>", id="html-tag"),
+            pytest.param("id\ninjection", id="newline"),
+        ],
+    )
+    def test_invalid_system_id(self, value: str) -> None:
+        """Test that invalid characters are rejected in system_id."""
+        with pytest.raises(ValidationError, match="String should match pattern"):
+            RlsapiV1SystemInfo(system_id=value)  # pyright: ignore[reportCallIssue]
+
+
+# ---------------------------------------------------------------------------
+# Character pattern validation tests — RlsapiV1CLA
+# ---------------------------------------------------------------------------
+
+
+class TestCLACharacterValidation:
+    """Test character pattern validation for RlsapiV1CLA fields."""
+
+    @pytest.mark.parametrize(
+        ("field", "value"),
+        [
+            pytest.param(
+                "nevra",
+                "command-line-assistant-0:0.2.0-1.el9.noarch",
+                id="nevra-with-epoch",
+            ),
+            pytest.param(
+                "nevra",
+                "command-line-assistant-0.1.0-1.el9.noarch",
+                id="nevra-without-epoch",
+            ),
+            pytest.param(
+                "nevra",
+                "pkg~pre1+post1-0:1.0-1.el9.x86_64",
+                id="nevra-tilde-plus",
+            ),
+            pytest.param("nevra", "", id="nevra-empty-default"),
+            pytest.param("version", "0.2.0", id="version-semver"),
+            pytest.param("version", "1.0.0-rc1", id="version-prerelease"),
+            pytest.param("version", "0.2.0.dev1", id="version-dev"),
+            pytest.param("version", "", id="version-empty-default"),
+        ],
+    )
+    def test_valid_values_accepted(self, field: str, value: str) -> None:
+        """Test that valid CLA values are accepted."""
+        cla = RlsapiV1CLA(**{field: value})
+        assert getattr(cla, field) == value
+
+    @pytest.mark.parametrize(
+        ("field", "value"),
+        [
+            pytest.param("nevra", "pkg<script>", id="nevra-html-tag"),
+            pytest.param("nevra", "pkg\nnewline", id="nevra-newline"),
+            pytest.param("nevra", "pkg name spaces", id="nevra-spaces"),
+            pytest.param("version", "0.2.0\x00", id="version-null-byte"),
+            pytest.param("version", "0.2.0<br>", id="version-html"),
+            pytest.param("version", "0.2.0\t", id="version-tab"),
+        ],
+    )
+    def test_invalid_values_rejected(self, field: str, value: str) -> None:
+        """Test that invalid characters are rejected in CLA fields."""
+        with pytest.raises(ValidationError, match="String should match pattern"):
+            RlsapiV1CLA(**{field: value})
+
+
+# ---------------------------------------------------------------------------
+# get_input_source() tests (continued edge cases)
+# ---------------------------------------------------------------------------
+
+
+class TestGetInputSourceEdgeCases:
+    """Edge case tests for RlsapiV1InferRequest.get_input_source()."""
+
+    @pytest.fixture(name="make_request")
+    def make_request_fixture(self) -> Any:
+        """Factory fixture to build requests with specific context values."""
+
+        class _RequestBuilder:  # pylint: disable=too-few-public-methods
+            """Helper to construct requests with variable context."""
+
+            @staticmethod
+            def build(
+                question: str = "q",
+                stdin: str = "",
+                attachment: str = "",
+                terminal: str = "",
+            ) -> RlsapiV1InferRequest:
+                """Build an RlsapiV1InferRequest with specified context values."""
+                return RlsapiV1InferRequest(
+                    question=question,
+                    context=RlsapiV1Context(
+                        stdin=stdin,
+                        attachments=RlsapiV1Attachment(contents=attachment),
+                        terminal=RlsapiV1Terminal(output=terminal),
+                    ),
+                )
+
+        return _RequestBuilder
 
     def test_preserves_content_formatting(self, make_request: Any) -> None:
         """Test that content formatting (newlines, special chars) is preserved."""
