Restrict project ID parameters for GAR setup scripts
What does this MR do and why?
Restrict project ID parameters for GAR setup scripts
These scripts currently allow any string parameters, but they are expecting a Google Project ID. We should restrict these parameters so that shell special characters cannot be passed into the scripts through URL parameters.
This MR does not change the wlif.sh endpoint, because it will be removed in !156699 (merged) . This MR is independent of that one, and can be merged at any time.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
How to set up and validate locally
- Ensure you are simulating a SaaS environment
- curl the integrations API endpoint with an invalid project ID:
curl "https://gdk.test:3443/api/v4/projects/8/google_cloud/setup/integrations.sh?google_cloud_artifact_registry_project_id=%5C$%5C(curl%20capybara.net%5C)&enable_google_cloud_artifact_registry=true" \ -H 'Authorization: Bearer ADMIN_TOKEN' \ -H 'Accept: *' - Verify you receive a
400response with"error": "google_cloud_artifact_registry_project_id is invalid" - curl the runners API endpoint with an invalid project ID:
curl "https://gdk.test:3443/api/v4/projects/8/google_cloud/setup/runner_deployment_project.sh?google_cloud_project_id=%5C$%5C(curl%20capybara.net%5C)" \ -H 'Authorization: Bearer ADMIN_TOKEN' \ -H 'Accept: *' - Verify you receive a
400response with"error": "google_cloud_project_id is invalid"
Related to #457804
Edited by Andrew Evans