opensearch-project · dhrubo-os · Apr 29, 2025 · Apr 29, 2025 · Apr 29, 2025 · Apr 30, 2025
@@ -6,11 +6,14 @@
 package org.opensearch.ml.common.transport.connector;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.utils.StringUtils.validateFields;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.UncheckedIOException;
+import java.util.HashMap;
+import java.util.Map;
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
@@ -38,12 +41,14 @@ public MLCreateConnectorRequest(StreamInput in) throws IOException {
 
     @Override
     public ActionRequestValidationException validate() {
-        ActionRequestValidationException exception = null;
         if (mlCreateConnectorInput == null) {
-            exception = addValidationError("ML Connector input can't be null", exception);
+            return addValidationError("ML Connector input can't be null", null);
         }
+        Map<String, String> fieldsToValidate = new HashMap<>();
+        fieldsToValidate.put("Model connector name", mlCreateConnectorInput.getName());
+        fieldsToValidate.put("Model connector description", mlCreateConnectorInput.getDescription());
 
-        return exception;
+        return validateFields(fieldsToValidate);
     }
 
     @Override

@@ -6,11 +6,14 @@
 package org.opensearch.ml.common.transport.connector;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.utils.StringUtils.validateFields;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.UncheckedIOException;
+import java.util.HashMap;
+import java.util.Map;
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
@@ -57,8 +60,12 @@ public ActionRequestValidationException validate() {
 
         if (updateContent == null) {
             exception = addValidationError("Update connector content can't be null", exception);
+        } else {
+            Map<String, String> fieldsToValidate = new HashMap<>();
+            fieldsToValidate.put("Model connector name", updateContent.getName());
+            fieldsToValidate.put("Model connector description", updateContent.getDescription());
+            exception = validateFields(fieldsToValidate);
         }
-
         return exception;
     }
 

@@ -6,11 +6,14 @@
 package org.opensearch.ml.common.transport.model;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.utils.StringUtils.validateFields;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.UncheckedIOException;
+import java.util.HashMap;
+import java.util.Map;
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
@@ -44,12 +47,13 @@ public MLUpdateModelRequest(StreamInput in) throws IOException {
 
     @Override
     public ActionRequestValidationException validate() {
-        ActionRequestValidationException exception = null;
         if (updateModelInput == null) {
-            exception = addValidationError("Update Model Input can't be null", exception);
+            return addValidationError("Update Model Input can't be null", null);
         }
-
-        return exception;
+        Map<String, String> fieldsToValidate = new HashMap<>();
+        fieldsToValidate.put("Model Name", updateModelInput.getName());
+        fieldsToValidate.put("Model Description", updateModelInput.getDescription());
+        return validateFields(fieldsToValidate);
     }
 
     @Override

@@ -6,11 +6,14 @@
 package org.opensearch.ml.common.transport.model_group;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.utils.StringUtils.validateFields;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.UncheckedIOException;
+import java.util.HashMap;
+import java.util.Map;
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
@@ -44,12 +47,15 @@ public MLRegisterModelGroupRequest(StreamInput in) throws IOException {
 
     @Override
     public ActionRequestValidationException validate() {
-        ActionRequestValidationException exception = null;
         if (registerModelGroupInput == null) {
-            exception = addValidationError("Model meta input can't be null", exception);
+            return addValidationError("Model group input can't be null", null);
         }
 
-        return exception;
+        Map<String, String> fieldsToValidate = new HashMap<>();
+        fieldsToValidate.put("Model group name", registerModelGroupInput.getName());
+        fieldsToValidate.put("Model group description", registerModelGroupInput.getDescription());
+
+        return validateFields(fieldsToValidate);
     }
 
     @Override

@@ -6,11 +6,14 @@
 package org.opensearch.ml.common.transport.model_group;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.utils.StringUtils.validateFields;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.UncheckedIOException;
+import java.util.HashMap;
+import java.util.Map;
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
@@ -44,12 +47,15 @@ public MLUpdateModelGroupRequest(StreamInput in) throws IOException {
 
     @Override
     public ActionRequestValidationException validate() {
-        ActionRequestValidationException exception = null;
         if (updateModelGroupInput == null) {
-            exception = addValidationError("Update Model group input can't be null", exception);
+            return addValidationError("Update Model group input can't be null", null);
         }
 
-        return exception;
+        Map<String, String> fieldsToValidate = new HashMap<>();
+        fieldsToValidate.put("Model group name", updateModelGroupInput.getName());
+        fieldsToValidate.put("Model group description", updateModelGroupInput.getDescription());
+
+        return validateFields(fieldsToValidate);
     }
 
     @Override

@@ -6,11 +6,14 @@
 package org.opensearch.ml.common.transport.register;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.utils.StringUtils.validateFields;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.UncheckedIOException;
+import java.util.HashMap;
+import java.util.Map;
 
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionRequestValidationException;
@@ -44,12 +47,15 @@ public MLRegisterModelRequest(StreamInput in) throws IOException {
 
     @Override
     public ActionRequestValidationException validate() {
-        ActionRequestValidationException exception = null;
         if (registerModelInput == null) {
-            exception = addValidationError("ML input can't be null", exception);
+            return addValidationError("ML input can't be null", null);
         }
 
-        return exception;
+        Map<String, String> fieldsToValidate = new HashMap<>();
+        fieldsToValidate.put("Model name", registerModelInput.getModelName());
+        fieldsToValidate.put("Model description", registerModelInput.getDescription());
+
+        return validateFields(fieldsToValidate);
     }
 
     @Override

@@ -5,6 +5,8 @@
 
 package org.opensearch.ml.common.utils;
 
+import static org.opensearch.action.ValidateActions.addValidationError;
+
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.security.AccessController;
@@ -28,6 +30,7 @@
 import org.json.JSONException;
 import org.json.JSONObject;
 import org.opensearch.OpenSearchParseException;
+import org.opensearch.action.ActionRequestValidationException;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
@@ -60,6 +63,9 @@ public class StringUtils {
         + "      return input;"
         + "\n    }\n";
 
+    // Regex allows letters, digits, spaces, hyphens, underscores, and dots.
+    private static final String SAFE_INPUT_REGEX = "^[a-zA-Z0-9 _\\-\\.:,'()]+$";
+
     public static final Gson gson;
 
     static {
@@ -497,4 +503,44 @@ public static String hashString(String input) {
         }
     }
 
+    /**
+     * Checks if the input is safe (non-null, non-blank, matches safe character set).
+     *
+     * @param value The input string to validate
+     * @return true if input is safe, false otherwise
+     */
+    public static boolean isSafeText(String value) {
+        if (value == null || value.isBlank()) {
+            return false;
+        }
+        return value.matches(SAFE_INPUT_REGEX);
+    }
+
+    /**
+     * Validates a map of fields to ensure that their values only contain allowed characters.
+     * <p>
+     * Allowed characters are: letters, digits, spaces, underscores (_), hyphens (-), dots (.), and colons (:).
+     * If a value does not comply, a validation error is added.
+     *
+     * @param fields A map where the key is the field name (used for error messages) and the value is the text to validate.
+     * @return An {@link ActionRequestValidationException} containing all validation errors, or {@code null} if all fields are valid.
+     */
+    public static ActionRequestValidationException validateFields(Map<String, String> fields) {
+        ActionRequestValidationException exception = null;
+
+        for (Map.Entry<String, String> entry : fields.entrySet()) {
+            String key = entry.getKey();
+            String value = entry.getValue();
+
+            if (value != null && !isSafeText(value)) {
+                exception = addValidationError(
+                    key + " can only contain letters, digits, spaces, underscores (_), hyphens (-), dots (.), and colons (:)",
+                    exception
+                );
+            }
+        }
+
+        return exception;
+    }
+
 }
@@ -147,4 +147,53 @@ public void writeTo(StreamOutput out) throws IOException {
         };
         MLCreateConnectorRequest.fromActionRequest(actionRequest);
     }
+
+    @Test
+    public void validateWithUnsafeModelConnectorName() {
+        MLCreateConnectorInput unsafeInput = MLCreateConnectorInput
+            .builder()
+            .name("<script>bad</script>")  // Unsafe name
+            .description("safe description")
+            .version("1")
+            .protocol("http")
+            .parameters(Map.of("input", "test"))
+            .credential(Map.of("key", "value"))
+            .actions(List.of())
+            .access(AccessMode.PUBLIC)
+            .backendRoles(Arrays.asList("role1"))
+            .addAllBackendRoles(false)
+            .build();
+
+        MLCreateConnectorRequest request = MLCreateConnectorRequest.builder().mlCreateConnectorInput(unsafeInput).build();
+        ActionRequestValidationException exception = request.validate();
+        assertEquals(
+            "Validation Failed: 1: Model connector name can only contain letters, digits, spaces, underscores (_), hyphens (-), dots (.), and colons (:);",
+            exception.getMessage()
+        );
+    }
+
+    @Test
+    public void validateWithUnsafeModelConnectorDescription() {
+        MLCreateConnectorInput unsafeInput = MLCreateConnectorInput
+            .builder()
+            .name("safeName")
+            .description("<script>bad</script>")  // Unsafe description
+            .version("1")
+            .protocol("http")
+            .parameters(Map.of("input", "test"))
+            .credential(Map.of("key", "value"))
+            .actions(List.of())
+            .access(AccessMode.PUBLIC)
+            .backendRoles(Arrays.asList("role1"))
+            .addAllBackendRoles(false)
+            .build();
+
+        MLCreateConnectorRequest request = MLCreateConnectorRequest.builder().mlCreateConnectorInput(unsafeInput).build();
+        ActionRequestValidationException exception = request.validate();
+        assertEquals(
+            "Validation Failed: 1: Model connector description can only contain letters, digits, spaces, underscores (_), hyphens (-), dots (.), and colons (:);",
+            exception.getMessage()
+        );
+    }
+
 }
@@ -184,4 +184,40 @@ public void writeTo_withTenantId_Success() throws IOException {
         assertEquals(connectorId, parsedRequest.getConnectorId());
     }
 
+    @Test
+    public void validate_Exception_UnsafeConnectorName() {
+        MLCreateConnectorInput unsafeInput = MLCreateConnectorInput
+            .builder()
+            .name("<script>bad</script>")  // Unsafe name
+            .description("safe description")
+            .updateConnector(true)
+            .build();
+
+        MLUpdateConnectorRequest request = MLUpdateConnectorRequest.builder().connectorId("connectorId").updateContent(unsafeInput).build();
+
+        ActionRequestValidationException exception = request.validate();
+        assertEquals(
+            "Validation Failed: 1: Model connector name can only contain letters, digits, spaces, underscores (_), hyphens (-), dots (.), and colons (:);",
+            exception.getMessage()
+        );
+    }
+
+    @Test
+    public void validate_Exception_UnsafeConnectorDescription() {
+        MLCreateConnectorInput unsafeInput = MLCreateConnectorInput
+            .builder()
+            .name("safeName")
+            .description("<script>bad</script>")  // Unsafe description
+            .updateConnector(true)
+            .build();
+
+        MLUpdateConnectorRequest request = MLUpdateConnectorRequest.builder().connectorId("connectorId").updateContent(unsafeInput).build();
+
+        ActionRequestValidationException exception = request.validate();
+        assertEquals(
+            "Validation Failed: 1: Model connector description can only contain letters, digits, spaces, underscores (_), hyphens (-), dots (.), and colons (:);",
+            exception.getMessage()
+        );
+    }
+
 }