Fix #35523: validate app instance name on server

Author: LEDfan

src/main/java/eu/openanalytics/shinyproxy/AppRequestInfo.java

@@ -29,7 +29,7 @@ public class AppRequestInfo {
 
     private static final Pattern APP_INSTANCE_PATTERN = Pattern.compile(".*?/(app_i|app_direct_i)/([^/]*)/([^/]*)(/?.*)");
     private static final Pattern APP_PATTERN = Pattern.compile(".*?/(app|app_direct)/([^/]*)(/?.*)");
-    private static final Pattern INSTANCE_NAME_PATTERN = Pattern.compile("^[a-zA-Z0-9_.-]*$");
+    public static final Pattern INSTANCE_NAME_PATTERN = Pattern.compile("^[a-zA-Z0-9_.-]*$");
 
     private final String appName;
     private final String appInstance;

src/main/java/eu/openanalytics/shinyproxy/controllers/AppController.java

@@ -85,6 +85,7 @@
 import java.util.Optional;
 import java.util.UUID;
 
+import static eu.openanalytics.shinyproxy.AppRequestInfo.INSTANCE_NAME_PATTERN;
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
 
 @Controller
@@ -255,6 +256,11 @@ public ResponseEntity<ApiResponse<Proxy>> startApp(@PathVariable String specId,
         if (!userService.canAccess(spec)) {
             return ApiResponse.failForbidden();
         }
+
+        if (appInstanceName.length() > 64 || !INSTANCE_NAME_PATTERN.matcher(appInstanceName).matches()) {
+            return ApiResponse.fail("Invalid app instance name");
+        }
+
         Proxy proxy = findUserProxy(specId, appInstanceName);
         if (proxy != null) {
             return ApiResponse.fail("You already have an instance of this app with the given name");