Fix: prevent invalid helm names (#250)

helm-wrapper/src/main/java/io/github/inseefrlab/helmwrapper/service/HelmInstallService.java

@@ -12,6 +12,7 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.TimeoutException;
+import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
@@ -23,6 +24,9 @@ public class HelmInstallService {
 
     private final Logger logger = LoggerFactory.getLogger(HelmInstallService.class);
 
+    private final Pattern helmNamePattern =
+            Pattern.compile("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$");
+
     public HelmInstallService() {}
 
     public HelmInstaller installChart(
@@ -36,7 +40,8 @@ public HelmInstaller installChart(
             Map<String, String> env,
             final boolean skipTlsVerify,
             String caFile)
-            throws InvalidExitValueException, IOException, InterruptedException, TimeoutException {
+            throws InvalidExitValueException, IOException, InterruptedException, TimeoutException,
+                    IllegalArgumentException {
         String command = "helm upgrade --install ";
         if (skipTlsVerify) {
             command = command.concat("--insecure-skip-tls-verify ");
@@ -45,7 +50,14 @@ public HelmInstaller installChart(
                     command.concat(
                             "--ca-file " + System.getenv("CACERTS_DIR") + "/" + caFile + " ");
         }
+
         if (name != null) {
+            if (!helmNamePattern.matcher(name).matches() || name.length() > 53) {
+                throw new IllegalArgumentException(
+                        "Invalid release name "
+                                + name
+                                + " , must match regex ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ and the length must not be longer than 53");
+            }
             command = command.concat(name + " ");
         } else {
             command = command.concat("--generate-name ");

onyxia-api/src/main/java/fr/insee/onyxia/api/services/impl/HelmAppsService.java

@@ -160,21 +160,24 @@ public String getInitScript(
         mapperHelm.writeValue(values, fusion);
         String namespaceId =
                 kubernetesService.determineNamespaceAndCreateIfNeeded(region, project, user);
-        HelmInstaller res =
-                getHelmInstallService()
-                        .installChart(
-                                getHelmConfiguration(region, user),
-                                catalogId + "/" + pkg.getName(),
-                                namespaceId,
-                                requestDTO.getName(),
-                                requestDTO.getPackageVersion(),
-                                requestDTO.isDryRun(),
-                                values,
-                                null,
-                                skipTlsVerify,
-                                caFile);
-        values.delete();
-        return List.of(res.getManifest());
+        try {
+            HelmInstaller res =
+                    getHelmInstallService()
+                            .installChart(
+                                    getHelmConfiguration(region, user),
+                                    catalogId + "/" + pkg.getName(),
+                                    namespaceId,
+                                    requestDTO.getName(),
+                                    requestDTO.getPackageVersion(),
+                                    requestDTO.isDryRun(),
+                                    values,
+                                    null,
+                                    skipTlsVerify,
+                                    caFile);
+            return List.of(res.getManifest());
+        } catch (IllegalArgumentException e) {
+            throw new AccessDeniedException(e.getMessage());
+        }
     }
 
     @Override