enhance the behavior of verifying keys (#3000)

Author: Xiaochao8

api/v1/translation/handler_trans.go

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 VMware, Inc.
+ * Copyright 2022-2024 VMware, Inc.
  * SPDX-License-Identifier: EPL-2.0
  */
 
@@ -286,7 +286,7 @@ func GetString(c *gin.Context) {
 	uriPart := struct {
 		ProductName string `uri:"productName" binding:"alphanum"`
 		Component   string `uri:"component" binding:"component"`
-		Key         string `uri:"key" binding:"key"`
+		Key         string `uri:"key" binding:"nonHTML,key"`
 	}{}
 	formPart := struct {
 		Version string `form:"version" binding:"version"`
@@ -325,7 +325,7 @@ func GetString3(c *gin.Context) {
 	uriPart := struct {
 		ProductName string `uri:"productName" binding:"alphanum"`
 		Component   string
-		Key         string `uri:"key" binding:"key"`
+		Key         string `uri:"key" binding:"nonHTML,key"`
 	}{Component: "default"}
 	formPart := struct {
 		Version string `form:"version" binding:"version"`

api/v1/translation/types_trans.go

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 VMware, Inc.
+ * Copyright 2022-2024 VMware, Inc.
  * SPDX-License-Identifier: EPL-2.0
  */
 
@@ -14,7 +14,7 @@ type (
 		ReleaseID
 		Locale    string `form:"locale" binding:"locale"`
 		Component string `form:"component" binding:"component"`
-		Key       string `form:"key" binding:"key"`
+		Key       string `form:"key" binding:"nonHTML,key"`
 		Source    string `form:"source"`
 		Pseudo    bool   `form:"pseudo" binding:"omitempty"`
 	}

api/v2/translation/handler_trans.go

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 VMware, Inc.
+ * Copyright 2022-2024 VMware, Inc.
  * SPDX-License-Identifier: EPL-2.0
  */
 
@@ -237,7 +237,7 @@ func GetBundle(c *gin.Context) {
 func GetStrings(c *gin.Context) {
 	uriPart := BundleID{}
 	formPart := struct {
-		Keys   string `form:"keys" binding:"required"`
+		Keys   string `form:"keys" binding:"nonHTML,sgtnkeys"`
 		Pseudo bool   `form:"pseudo"`
 	}{}
 	if err := api.ExtractParameters(c, &uriPart, &formPart); err != nil {

api/v2/translation/types_trans.go

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 VMware, Inc.
+ * Copyright 2022-2024 VMware, Inc.
  * SPDX-License-Identifier: EPL-2.0
  */
 
@@ -28,7 +28,7 @@ type (
 
 	StringID struct {
 		BundleID
-		Key string `uri:"key" binding:"key"`
+		Key string `uri:"key" binding:"nonHTML,key"`
 	}
 
 	GetStringReq struct {

api/validator.go

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 VMware, Inc.
+ * Copyright 2022-2024 VMware, Inc.
  * SPDX-License-Identifier: EPL-2.0
  */
 
@@ -35,6 +35,8 @@ var (
 	localesRegex                    = componentsRegex
 	patternScopeRegex               = regexp.MustCompile(`^(\s*[a-zA-Z]+\s*)(,\s*[a-zA-Z]+\s*)*$`)
 	asciiCharsRegex                 = regexp.MustCompile(`\A[[:ascii:]]+\z`)
+	multiASCIIStringRegex           = regexp.MustCompile(`\A([[:ascii:]]+)(,[[:ascii:]]+)*\z`)
+	hTMLRegex                       = regexp.MustCompile(`<[/]?([a-zA-Z]+).*?>`)
 )
 
 var validatorInfoArray = [][]interface{}{
@@ -49,6 +51,8 @@ var validatorInfoArray = [][]interface{}{
 	{ComponentsAPIKey, componentsRegex, fmt.Sprintf(letterAndNumberAndValidCharStringError, ComponentsAPIKey)},
 	{LocalesAPIKey, localesRegex, fmt.Sprintf(letterAndNumberAndValidCharStringError, LocalesAPIKey)},
 	{KeyAPIKey, asciiCharsRegex, "'{0}' is invalid(only standard ASCII characters are allowed)"},
+	{"sgtnkeys", multiASCIIStringRegex, "'{0}' is invalid(only standard ASCII characters are allowed)"},
+	{"nonHTML", func(fl validator.FieldLevel) bool { return !hTMLRegex.MatchString(fl.Field().String()) }, "HTML tags aren't allowed"},
 }
 
 var enTranslator ut.Translator
@@ -70,11 +74,20 @@ func InitValidator() {
 	}
 
 	for _, info := range validatorInfoArray {
-		name, r := info[0].(string), info[1].(*regexp.Regexp)
-		err := validate.RegisterValidation(name,
-			func(fl validator.FieldLevel) bool {
-				return r.MatchString(fl.Field().String())
-			})
+		name, verification := info[0].(string), info[1]
+		var err error
+		switch actual := verification.(type) {
+		case *regexp.Regexp:
+			err = validate.RegisterValidation(name,
+				func(fl validator.FieldLevel) bool {
+					return actual.MatchString(fl.Field().String())
+				})
+		case func(fl validator.FieldLevel) bool:
+			err = validate.RegisterValidation(name, actual)
+		default:
+			logger.SLog.Fatal("wrong validator method: %v", name)
+		}
+
 		if err == nil {
 			err = validate.RegisterTranslation(name, enTranslator,
 				func(ut ut.Translator) error {