add valid key checks

JerT33 · droctothorpe · commit 1ba052c2cfd1 · 2026-01-29T07:14:17.000-08:00
Signed-off-by: JerT33 &lt;trestjeremiah@gmail.com&gt;

format code

Signed-off-by: JerT33 &lt;trestjeremiah@gmail.com&gt;

change error response to 500

Signed-off-by: JerT33 &lt;trestjeremiah@gmail.com&gt;
diff --git a/frontend/server/handlers/artifacts.ts b/frontend/server/handlers/artifacts.ts
@@ -19,6 +19,7 @@ import {
   findFileOnPodVolume,
   parseJSONString,
   isAllowedResourceName,
+  isAllowedObjectKey,
 } from '../utils';
 import { createMinioClient, getObjectStream } from '../minio-helper';
 import * as serverInfo from '../helpers/server-info';
@@ -124,6 +125,10 @@ export function getArtifactsHandler({
       res.status(500).send('Storage key is missing from artifact request');
       return;
     }
+    if (!isAllowedObjectKey(key)) {
+      res.status(500).send('Invalid object key');
+      return;
+    }
     console.log(`Getting storage artifact at: ${source}: ${bucket}/${key}`);
 
     let client: MinioClient;
diff --git a/frontend/server/integration-tests/artifact-get.test.ts b/frontend/server/integration-tests/artifact-get.test.ts
@@ -838,6 +838,35 @@ describe('/artifacts', () => {
         .get(`/artifacts/get?source=volume&bucket=artifact&key=subartifact/notxist.csv`)
         .expect(500, 'Failed to open volume.', done);
     });
+
+    it('rejects keys with encoded XSS payloads', done => {
+      const configs = loadConfigs(argv, {
+        AWS_ACCESS_KEY_ID: 'aws123',
+        AWS_SECRET_ACCESS_KEY: 'awsSecret123',
+      });
+      app = new UIServer(configs);
+      const request = requests(app.start());
+      request
+        .get(
+          '/artifacts/get?source=s3&namespace=test&peek=256&bucket=ml-pipeline&key=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
+        )
+        .expect(500, 'Invalid object key', done);
+    });
+
+    it('rejects keys with repeated unsafe characters', done => {
+      const configs = loadConfigs(argv, {
+        AWS_ACCESS_KEY_ID: 'aws123',
+        AWS_SECRET_ACCESS_KEY: 'awsSecret123',
+      });
+      app = new UIServer(configs);
+      const request = requests(app.start());
+      request
+        .get(
+          '/artifacts/get?source=s3&namespace=test&peek=256&bucket=ml-pipeline&key=' +
+            '%2b['.repeat(300),
+        )
+        .expect(500, 'Invalid object key', done);
+    });
   });
 
   describe('/:source/:bucket/:key', () => {
diff --git a/frontend/server/utils.ts b/frontend/server/utils.ts
@@ -304,3 +304,7 @@ function parseK8sError(error: any): ErrorDetails | undefined {
 export function isAllowedResourceName(name: string): boolean {
   return name.length > 0 && name.length <= 63 && /^[a-z0-9]([-a-z0-9]*[a-z0-9])?$/.test(name);
 }
+
+export function isAllowedObjectKey(key: string): boolean {
+  return key.length > 0 && key.length <= 1024 && /^[a-zA-Z0-9\/\-_.]+$/.test(key);
+}

Original file line number	Diff line number	Diff line change
`@@ -304,3 +304,7 @@ function parseK8sError(error: any): ErrorDetails \| undefined {`
`304`	`304`	`export function isAllowedResourceName(name: string): boolean {`
`305`	`305`	`return name.length > 0 && name.length <= 63 && /^[a-z0-9]([-a-z0-9]*[a-z0-9])?$/.test(name);`
`306`	`306`	`}`
	`307`	`+`
	`308`	`+export function isAllowedObjectKey(key: string): boolean {`
	`309`	`+ return key.length > 0 && key.length <= 1024 && /^[a-zA-Z0-9\/\-_.]+$/.test(key);`
	`310`	`+}`