From 0ef25a4cbda2118b069505d0b1b0dfdab25e01bd Mon Sep 17 00:00:00 2001
From: Anthony Lapenna
Date: Wed, 14 Nov 2018 16:10:49 +1300
Subject: [PATCH] fix(schedules): add schedule name validation and remove endpoint name prefix (#2470)
---
 api/docker/job.go | 2 +-
 api/http/handler/schedules/schedule_create.go | 12 ++++++++++--
 api/http/handler/schedules/schedule_update.go | 5 +++++
 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/api/docker/job.go b/api/docker/job.go
index ea343e91c..7765f5f2e 100644
--- a/api/docker/job.go
+++ b/api/docker/job.go
@@ -83,7 +83,7 @@ func (service *JobService) ExecuteScript(endpoint *portainer.Endpoint, nodeName,
 }
 if schedule != nil {
- err = cli.ContainerRename(context.Background(), body.ID, endpoint.Name+"_"+schedule.Name+"_"+body.ID)
+ err = cli.ContainerRename(context.Background(), body.ID, schedule.Name+"_"+body.ID)
 if err != nil {
 return err
 }
diff --git a/api/http/handler/schedules/schedule_create.go b/api/http/handler/schedules/schedule_create.go
index d09f94860..4dca4c3f3 100644
--- a/api/http/handler/schedules/schedule_create.go
+++ b/api/http/handler/schedules/schedule_create.go
@@ -37,13 +37,17 @@ type scheduleCreateFromFileContentPayload struct {
 func (payload *scheduleCreateFromFilePayload) Validate(r *http.Request) error {
 name, err := request.RetrieveMultiPartFormValue(r, "Name", false)
 if err != nil {
- return errors.New("Invalid name")
+ return errors.New("Invalid schedule name")
+ }
+
+ if !govalidator.Matches(name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
+ return errors.New("Invalid schedule name format. Allowed characters are: [a-zA-Z0-9_.-]")
 }
 payload.Name = name
 image, err := request.RetrieveMultiPartFormValue(r, "Image", false)
 if err != nil {
- return errors.New("Invalid image")
+ return errors.New("Invalid schedule image")
 }
 payload.Image = image
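Review bot: A schedule saved before this commit can still carry a name Docker refuses, and in ExecuteScript (api/docker/job.go) the new `schedule.Name+"_"+body.ID` value is handed to `cli.ContainerRename` with no check at this layer; the format validation the commit adds runs only in the create and update handlers. When the rename fails the function returns the error, and `body.ID` suggests a container has already been created by then; whether it is removed is not visible, because the function starts and ends outside the hunk. A comment on the rename would record the dependency, for example `// schedule.Name must satisfy the pattern enforced in handler/schedules; names stored before that check can make this rename fail`. The call also uses `context.Background()`, so a stalled Docker endpoint is not bounded by any deadline here.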
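Review bot: The error text in scheduleCreateFromFilePayload.Validate lists only the allowed character set, while the pattern also demands an alphanumeric first character and at least two characters, so a one-character name or one starting with `.`, `_` or `-` is rejected without the reason being stated. The same pattern literal and message are repeated in scheduleCreateFromFileContentPayload.Validate (hunk at -80,6) and in schedule_update.go; one shared definition such as `const scheduleNamePattern = "^[a-zA-Z0-9][a-zA-Z0-9_.-]+$"` with a single error value would stop the three checks from drifting apart. As far as I know `govalidator.Matches` discards the regexp compile error and returns false, so compiling once at package level with `regexp.MustCompile` would surface a typo in the pattern at start-up instead of as a blanket rejection of every name. The check sets no upper bound on the name length, which may be worth adding since the value ends up in a container name.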
@@ -80,6 +84,10 @@ func (payload *scheduleCreateFromFileContentPayload) Validate(r *http.Request) e
 return portainer.Error("Invalid schedule name")
 }
+ if !govalidator.Matches(payload.Name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
+ return errors.New("Invalid schedule name format. Allowed characters are: [a-zA-Z0-9_.-]")
+ }
+
 if govalidator.IsNull(payload.Image) {
 return portainer.Error("Invalid schedule image")
 }
diff --git a/api/http/handler/schedules/schedule_update.go b/api/http/handler/schedules/schedule_update.go
index 12284181c..ed680dfa1 100644
--- a/api/http/handler/schedules/schedule_update.go
+++ b/api/http/handler/schedules/schedule_update.go
@@ -1,9 +1,11 @@
 package schedules
 import (
+ "errors"
 "net/http"
 "strconv"
+ "github.com/asaskevich/govalidator"
 httperror "github.com/portainer/libhttp/error"
 "github.com/portainer/libhttp/request"
 "github.com/portainer/libhttp/response"
@@ -22,6 +24,9 @@ type scheduleUpdatePayload struct {
 }
 func (payload *scheduleUpdatePayload) Validate(r *http.Request) error {
+ if payload.Name != nil && !govalidator.Matches(*payload.Name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
+ return errors.New("Invalid schedule name format. Allowed characters are: [a-zA-Z0-9_.-]")
+ }
 return nil
 }
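Review bot: The added format check in scheduleCreateFromFileContentPayload.Validate returns `errors.New(...)`, whereas the checks directly above and below it in the same function return `portainer.Error(...)`. Writing it as `return portainer.Error("Invalid schedule name format. Allowed characters are: [a-zA-Z0-9_.-]")` keeps the error type uniform for any caller that inspects it. The function opens and closes outside the hunk, so other return paths were not checked.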