Check index or plugin name safety in cmd #583
cb6ec33 to 41fd6e3
cmd/krew/cmd/install.go
Outdated
for _, name := range pluginNames { | ||
if !validation.IsSafePluginName(name) { | ||
return unsafePluginNameErr(name) | ||
} |
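Review bot: the loop returns at the first name that fails validation.IsSafePluginName, so when several entries in pluginNames are unsafe the user only learns about one of them per run. Consider collecting every rejected name and returning a single error that lists them all.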
I'd feel better if we validate plugin names in batch upfront. One way we could achieve this is by changing the API to
func IsSafePluginName(names ...string) bool { .. }
(same in several other places)
Also, it seems that unsafePluginNameErr() could be returned from this function (making it obsolete), so that we have instead:
func CheckSafePluginName(names ...string) error { .. }
yeah although there's another method in validation.go that's geared towards plugin authors (and therefore it prints a regexp) as it runs during manifest validation tests.
return errors.Errorf("the plugin name %q is not allowed, must match %q", name, safePluginRegexp.String())
that's why I kept it like this.
I understand that you want to keep the API in validation consistent.
Maybe this helper can be put in cmd/internal instead? Just an idea. It's fine as it stands, but validating upfront would be even better IMO.
`../receipts/` + validPlugin, | ||
`..\receipts\` + validPlugin, |
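Review bot: the two receipts entries carry no comment saying why this directory is covered in addition to the others. A one-line comment above them stating which file these paths are meant to resolve to would keep the case from being dropped later as redundant.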
How is /receipt/ different from /default/? Why is this needed?
Otherwise, let's remove it.
receipt/ is needed because we need to point this to a receipt file, and at the moment all these paths are parseable as a Receipt.
cases := []string{ | ||
`../index/` + validPlugin, | ||
`..\index\` + validPlugin, | ||
`../default/` + validPlugin, | ||
`..\default\` + validPlugin, | ||
`index-name/sub-directory/plugin-name`, | ||
} |
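Review bot: every entry in cases except the last begins with a ".." segment, so the list does not pin down how an absolute path or an empty name is handled. Adding one entry for each would fix that behaviour in the same test.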
The list of test cases is repeated 3 times (if my question about receipt applies). Should we extract this to a central place?
Also the test unsafe functions are all relatively similar (some of the error messaging is slightly different). The cases, expected error string, and arguments to test.Krew are the only differences. I think this could be useful as a testutil function like test.AssertFailureWithUnsafeName (not really sure what a good name would be)
I think duplication in tests isn't as bad, and each test actually has slightly different things it's looking at, so I'm not entirely sure if the de-duplication helps.
It would be nice to have the unsafe names in a variable, so that it is easily re-used without the need to copy. But let's merge as-is and iterate from there.
Test failure seems legit:
Another round of reviews please. 🙏
@ahmetb Can you take a final look and rebase? Then I'll lgtm.
Moving plugin name or index name safety checks to cmd/ where they are given by the user to the program. This way we shift the need for validation from being unit tests of low-level machinery to the integration_test which tests user-facing concerns.

Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
e715087 to f5d6254
Rebased + test run https://github.com/ahmetb/krew/runs/559418218 actually has captured a legitimate bug. Posted a fix.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: ahmetb, corneliusweig
The full list of commands accepted by this bot can be found here. The pull request process is described here.
tl;dr: Some krew cmds are currently susceptible to path manipulation through positional arguments. Low-level machinery isn't responsible for this, so move them to cmd + add tests.
Moving plugin name or index name safety checks to cmd/ where they are given by
the user to the program. This way we shift the need for validation from being
unit tests of low-level machinery to the integration_test which tests
user-facing concerns.
Fixes #581
/assign @corneliusweig
/assign @chriskim06
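
The upfront, batched name check suggested in the review, applied to the path-manipulation concern in the description, as an added example (not krew's code). The allow-list pattern, the "index/plugin" argument form, the function names and the base path are assumptions made for illustration; the example goes slightly beyond the thread by reporting all rejected names in one error.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed allow-list for this example; the thread mentions a
// safePluginRegexp but does not show its pattern.
var safeName = regexp.MustCompile(`^[\w-]+$`)

// checkSafeNames validates every positional argument before any work
// starts and reports all rejected names in one error. An argument is
// "plugin" or "index/plugin" (assumed form); each part must be safe.
func checkSafeNames(args ...string) error {
	var bad []string
	for _, arg := range args {
		parts := strings.Split(arg, "/")
		ok := len(parts) <= 2
		for _, p := range parts {
			ok = ok && safeName.MatchString(p)
		}
		if !ok {
			bad = append(bad, fmt.Sprintf("%q", arg))
		}
	}
	if len(bad) > 0 {
		return fmt.Errorf("unsafe plugin name(s): %s", strings.Join(bad, ", "))
	}
	return nil
}

// escapesBase reports whether joining name onto base, as a file lookup
// would, resolves outside base. Shown only to illustrate what the
// allow-list prevents; the command should rely on checkSafeNames.
func escapesBase(base, name string) bool {
	rel, err := filepath.Rel(base, filepath.Join(base, name+".yaml"))
	return err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	base := filepath.FromSlash("/home/user/.krew/receipts") // constructed path
	for _, n := range []string{"foo", "default/foo", "../index/foo", `..\index\foo`} {
		fmt.Printf("%-16q safe=%-5v escapes=%v\n", n, checkSafeNames(n) == nil, escapesBase(base, n))
	}
}
```

The backslash form is only a path separator on Windows, so a join-then-compare test gives different answers per platform; the allow-list rejects it everywhere.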