From a560d1e206b87ac9d5e51a266dd6327cabe4f2cb Mon Sep 17 00:00:00 2001
From: Zane Bitter <zbitter@redhat.com>
Date: Wed, 12 Dec 2012 13:47:33 +0100
Subject: [PATCH] Don't allow slashes in Stack or Resource names

There is no way for the ReST API to handle Stack or Resource names that
contain slashes since WSGI decodes the path before passing it to the
application, such that even correctly url-encoded slashes are
indistinguishable from path separators. Therefore, prohibit slashes in
Stack and Resource names.

bug 1088928

Change-Id: Ie6fa5a1bc7b5ae7054300419644008c5cc42187e
Signed-off-by: Zane Bitter <zbitter@redhat.com>
---
 heat/engine/parser.py             |  4 ++++
 heat/engine/resource.py           |  3 +++
 heat/tests/test_engine_service.py | 19 +++++++++++++++++++
 3 files changed, 26 insertions(+)

diff --git a/heat/engine/parser.py b/heat/engine/parser.py
index de415d21..56cb057a 100644
--- a/heat/engine/parser.py
+++ b/heat/engine/parser.py
@@ -58,6 +58,10 @@ class Stack(object):
         Parameters object. The database ID may also be initialised, if the
         stack is already in the database.
         '''
+
+        if '/' in stack_name:
+            raise ValueError(_('Stack name may not contain "/"'))
+
         self.id = stack_id
         self.context = context
         self.clients = Clients(context)
diff --git a/heat/engine/resource.py b/heat/engine/resource.py
index c71602be..cc16e41b 100644
--- a/heat/engine/resource.py
+++ b/heat/engine/resource.py
@@ -106,6 +106,9 @@ class Resource(object):
         return ResourceClass(name, json, stack)
 
     def __init__(self, name, json_snippet, stack):
+        if '/' in name:
+            raise ValueError(_('Resource name may not contain "/"'))
+
         self.references = []
         self.stack = stack
         self.context = stack.context
diff --git a/heat/tests/test_engine_service.py b/heat/tests/test_engine_service.py
index e2a79a8f..dc9e8402 100644
--- a/heat/tests/test_engine_service.py
+++ b/heat/tests/test_engine_service.py
@@ -217,6 +217,25 @@ class stackServiceCreateUpdateDeleteTest(unittest.TestCase):
         self.assertEqual(result, {'Description': error})
         self.m.VerifyAll()
 
+    def test_stack_create_invalid_stack_name(self):
+        stack_name = 'service_create/test_stack'
+        stack = get_wordpress_stack('test_stack', self.ctx)
+
+        self.assertRaises(ValueError, self.man.create_stack,
+                                      self.ctx, stack_name,
+                                      stack.t, {}, {})
+
+    def test_stack_create_invalid_resource_name(self):
+        stack_name = 'service_create_test_stack_invalid_res'
+        stack = get_wordpress_stack(stack_name, self.ctx)
+        tmpl = dict(stack.t)
+        tmpl['Resources']['Web/Server'] = tmpl['Resources']['WebServer']
+        del tmpl['Resources']['WebServer']
+
+        self.assertRaises(ValueError, self.man.create_stack,
+                                      self.ctx, stack_name,
+                                      stack.t, {}, {})
+
     def test_stack_delete(self):
         stack_name = 'service_delete_test_stack'
         stack = get_wordpress_stack(stack_name, self.ctx)
-- 
2.45.2