add validation for name and description for model model group and connector resources

Signed-off-by: Dhrubo Saha <[email protected]>

Author: dhrubo-os

common/src/main/java/org/opensearch/ml/common/transport/connector/MLCreateConnectorRequest.java

@@ -6,6 +6,7 @@
 package org.opensearch.ml.common.transport.connector;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.utils.StringUtils.isSafeText;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -39,8 +40,25 @@ public MLCreateConnectorRequest(StreamInput in) throws IOException {
     @Override
     public ActionRequestValidationException validate() {
         ActionRequestValidationException exception = null;
+
         if (mlCreateConnectorInput == null) {
-            exception = addValidationError("ML Connector input can't be null", exception);
+            return addValidationError("ML Connector input can't be null", exception);
+        }
+
+        String modelName = mlCreateConnectorInput.getName();
+        String description = mlCreateConnectorInput.getDescription();
+
+        if (modelName != null && !isSafeText(modelName)) {
+            exception = addValidationError(
+                "Model connector name can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.)",
+                exception
+            );
+        }
+        if (description != null && !isSafeText(description)) {
+            exception = addValidationError(
+                "Model connector description can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.)",
+                exception
+            );
         }
 
         return exception;

common/src/main/java/org/opensearch/ml/common/transport/connector/MLUpdateConnectorRequest.java

@@ -6,6 +6,7 @@
 package org.opensearch.ml.common.transport.connector;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.utils.StringUtils.isSafeText;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -57,6 +58,22 @@ public ActionRequestValidationException validate() {
 
         if (updateContent == null) {
             exception = addValidationError("Update connector content can't be null", exception);
+        } else {
+            String modelName = updateContent.getName();
+            String description = updateContent.getDescription();
+
+            if (modelName != null && !isSafeText(modelName)) {
+                exception = addValidationError(
+                    "Model connector name can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.). Max length: 1000 characters.",
+                    exception
+                );
+            }
+            if (description != null && !isSafeText(description)) {
+                exception = addValidationError(
+                    "Model connector description can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.). Max length: 1000 characters.",
+                    exception
+                );
+            }
         }
 
         return exception;

common/src/main/java/org/opensearch/ml/common/transport/model/MLUpdateModelRequest.java

@@ -6,6 +6,7 @@
 package org.opensearch.ml.common.transport.model;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.utils.StringUtils.isSafeText;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -45,8 +46,25 @@ public MLUpdateModelRequest(StreamInput in) throws IOException {
     @Override
     public ActionRequestValidationException validate() {
         ActionRequestValidationException exception = null;
+
         if (updateModelInput == null) {
-            exception = addValidationError("Update Model Input can't be null", exception);
+            return addValidationError("Update Model Input can't be null", exception);
+        }
+
+        String modelName = updateModelInput.getName();
+        String description = updateModelInput.getDescription();
+
+        if (modelName != null && !isSafeText(modelName)) {
+            exception = addValidationError(
+                "Model name can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.)",
+                exception
+            );
+        }
+        if (description != null && !isSafeText(description)) {
+            exception = addValidationError(
+                "Model description can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.)",
+                exception
+            );
         }
 
         return exception;

common/src/main/java/org/opensearch/ml/common/transport/model_group/MLRegisterModelGroupRequest.java

@@ -6,6 +6,7 @@
 package org.opensearch.ml.common.transport.model_group;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.utils.StringUtils.isSafeText;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -45,8 +46,25 @@ public MLRegisterModelGroupRequest(StreamInput in) throws IOException {
     @Override
     public ActionRequestValidationException validate() {
         ActionRequestValidationException exception = null;
+
         if (registerModelGroupInput == null) {
-            exception = addValidationError("Model meta input can't be null", exception);
+            return addValidationError("Model group input can't be null", exception);
+        }
+
+        String modelName = registerModelGroupInput.getName();
+        String description = registerModelGroupInput.getDescription();
+
+        if (modelName != null && !isSafeText(modelName)) {
+            exception = addValidationError(
+                "Model group name can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.)",
+                exception
+            );
+        }
+        if (description != null && !isSafeText(description)) {
+            exception = addValidationError(
+                "Model group description can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.)",
+                exception
+            );
         }
 
         return exception;

common/src/main/java/org/opensearch/ml/common/transport/model_group/MLUpdateModelGroupRequest.java

@@ -6,6 +6,7 @@
 package org.opensearch.ml.common.transport.model_group;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.utils.StringUtils.isSafeText;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -45,8 +46,25 @@ public MLUpdateModelGroupRequest(StreamInput in) throws IOException {
     @Override
     public ActionRequestValidationException validate() {
         ActionRequestValidationException exception = null;
+
         if (updateModelGroupInput == null) {
-            exception = addValidationError("Update Model group input can't be null", exception);
+            return addValidationError("Update Model group input can't be null", exception);
+        }
+
+        String modelName = updateModelGroupInput.getName();
+        String description = updateModelGroupInput.getDescription();
+
+        if (modelName != null && !isSafeText(modelName)) {
+            exception = addValidationError(
+                "Model group name can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.)",
+                exception
+            );
+        }
+        if (description != null && !isSafeText(description)) {
+            exception = addValidationError(
+                "Model group description can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.)",
+                exception
+            );
         }
 
         return exception;

common/src/main/java/org/opensearch/ml/common/transport/register/MLRegisterModelRequest.java

@@ -6,6 +6,7 @@
 package org.opensearch.ml.common.transport.register;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.ml.common.utils.StringUtils.isSafeText;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -45,8 +46,25 @@ public MLRegisterModelRequest(StreamInput in) throws IOException {
     @Override
     public ActionRequestValidationException validate() {
         ActionRequestValidationException exception = null;
+
         if (registerModelInput == null) {
-            exception = addValidationError("ML input can't be null", exception);
+            return addValidationError("ML input can't be null", exception);
+        }
+
+        String modelName = registerModelInput.getModelName();
+        String description = registerModelInput.getDescription();
+
+        if (modelName != null && !isSafeText(modelName)) {
+            exception = addValidationError(
+                "Model name can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.)",
+                exception
+            );
+        }
+        if (description != null && !isSafeText(description)) {
+            exception = addValidationError(
+                "Model description can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.)",
+                exception
+            );
         }
 
         return exception;

common/src/main/java/org/opensearch/ml/common/utils/StringUtils.java

@@ -60,6 +60,9 @@ public class StringUtils {
         + "      return input;"
         + "\n    }\n";
 
+    // Regex allows letters, digits, spaces, hyphens, underscores, and dots.
+    private static final String SAFE_INPUT_REGEX = "^[a-zA-Z0-9 _\\-\\.:]+$";
+
     public static final Gson gson;
 
     static {
@@ -497,4 +500,20 @@ public static String hashString(String input) {
         }
     }
 
+    /**
+     * Checks if the input is safe (non-null, non-blank, matches safe character set, max 1000 chars).
+     *
+     * @param value The input string to validate
+     * @return true if input is safe, false otherwise
+     */
+    public static boolean isSafeText(String value) {
+        if (value == null || value.isBlank()) {
+            return false;
+        }
+        if (value.length() > 1000) {
+            return false;
+        }
+        return value.matches(SAFE_INPUT_REGEX);
+    }
+
 }

common/src/test/java/org/opensearch/ml/common/transport/connector/MLCreateConnectorRequestTests.java

@@ -147,4 +147,53 @@ public void writeTo(StreamOutput out) throws IOException {
         };
         MLCreateConnectorRequest.fromActionRequest(actionRequest);
     }
+
+    @Test
+    public void validateWithUnsafeModelConnectorName() {
+        MLCreateConnectorInput unsafeInput = MLCreateConnectorInput
+            .builder()
+            .name("<script>bad</script>")  // Unsafe name
+            .description("safe description")
+            .version("1")
+            .protocol("http")
+            .parameters(Map.of("input", "test"))
+            .credential(Map.of("key", "value"))
+            .actions(List.of())
+            .access(AccessMode.PUBLIC)
+            .backendRoles(Arrays.asList("role1"))
+            .addAllBackendRoles(false)
+            .build();
+
+        MLCreateConnectorRequest request = MLCreateConnectorRequest.builder().mlCreateConnectorInput(unsafeInput).build();
+        ActionRequestValidationException exception = request.validate();
+        assertEquals(
+            "Validation Failed: 1: Model connector name can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.);",
+            exception.getMessage()
+        );
+    }
+
+    @Test
+    public void validateWithUnsafeModelConnectorDescription() {
+        MLCreateConnectorInput unsafeInput = MLCreateConnectorInput
+            .builder()
+            .name("safeName")
+            .description("<script>bad</script>")  // Unsafe description
+            .version("1")
+            .protocol("http")
+            .parameters(Map.of("input", "test"))
+            .credential(Map.of("key", "value"))
+            .actions(List.of())
+            .access(AccessMode.PUBLIC)
+            .backendRoles(Arrays.asList("role1"))
+            .addAllBackendRoles(false)
+            .build();
+
+        MLCreateConnectorRequest request = MLCreateConnectorRequest.builder().mlCreateConnectorInput(unsafeInput).build();
+        ActionRequestValidationException exception = request.validate();
+        assertEquals(
+            "Validation Failed: 1: Model connector description can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.);",
+            exception.getMessage()
+        );
+    }
+
 }

common/src/test/java/org/opensearch/ml/common/transport/connector/MLUpdateConnectorRequestTests.java

@@ -184,4 +184,40 @@ public void writeTo_withTenantId_Success() throws IOException {
         assertEquals(connectorId, parsedRequest.getConnectorId());
     }
 
+    @Test
+    public void validate_Exception_UnsafeConnectorName() {
+        MLCreateConnectorInput unsafeInput = MLCreateConnectorInput
+            .builder()
+            .name("<script>bad</script>")  // Unsafe name
+            .description("safe description")
+            .updateConnector(true)
+            .build();
+
+        MLUpdateConnectorRequest request = MLUpdateConnectorRequest.builder().connectorId("connectorId").updateContent(unsafeInput).build();
+
+        ActionRequestValidationException exception = request.validate();
+        assertEquals(
+            "Validation Failed: 1: Model connector name can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.). Max length: 1000 characters.;",
+            exception.getMessage()
+        );
+    }
+
+    @Test
+    public void validate_Exception_UnsafeConnectorDescription() {
+        MLCreateConnectorInput unsafeInput = MLCreateConnectorInput
+            .builder()
+            .name("safeName")
+            .description("<script>bad</script>")  // Unsafe description
+            .updateConnector(true)
+            .build();
+
+        MLUpdateConnectorRequest request = MLUpdateConnectorRequest.builder().connectorId("connectorId").updateContent(unsafeInput).build();
+
+        ActionRequestValidationException exception = request.validate();
+        assertEquals(
+            "Validation Failed: 1: Model connector description can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.). Max length: 1000 characters.;",
+            exception.getMessage()
+        );
+    }
+
 }

common/src/test/java/org/opensearch/ml/common/transport/model/MLUpdateModelRequestTest.java

@@ -113,4 +113,56 @@ public void writeTo(StreamOutput out) throws IOException {
         MLUpdateModelRequest.fromActionRequest(actionRequest);
     }
 
+    @Test
+    public void validate_Exception_InvalidName() {
+        MLModelConfig config = TextEmbeddingModelConfig
+            .builder()
+            .modelType("testModelType")
+            .allConfig("{\"field1\":\"value1\",\"field2\":\"value2\"}")
+            .frameworkType(TextEmbeddingModelConfig.FrameworkType.SENTENCE_TRANSFORMERS)
+            .embeddingDimension(100)
+            .build();
+
+        MLUpdateModelInput input = MLUpdateModelInput
+            .builder()
+            .modelId("test-model_id")
+            .name("<script>alert(1)</script>") // unsafe input
+            .description("safe description")
+            .modelConfig(config)
+            .build();
+
+        MLUpdateModelRequest request = MLUpdateModelRequest.builder().updateModelInput(input).build();
+        ActionRequestValidationException exception = request.validate();
+        assertEquals(
+            "Validation Failed: 1: Model name can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.);",
+            exception.getMessage()
+        );
+    }
+
+    @Test
+    public void validate_Exception_InvalidDescription() {
+        MLModelConfig config = TextEmbeddingModelConfig
+            .builder()
+            .modelType("testModelType")
+            .allConfig("{\"field1\":\"value1\",\"field2\":\"value2\"}")
+            .frameworkType(TextEmbeddingModelConfig.FrameworkType.SENTENCE_TRANSFORMERS)
+            .embeddingDimension(100)
+            .build();
+
+        MLUpdateModelInput input = MLUpdateModelInput
+            .builder()
+            .modelId("test-model_id")
+            .name("safeName")
+            .description("<script>bad</script>") // unsafe input
+            .modelConfig(config)
+            .build();
+
+        MLUpdateModelRequest request = MLUpdateModelRequest.builder().updateModelInput(input).build();
+        ActionRequestValidationException exception = request.validate();
+        assertEquals(
+            "Validation Failed: 1: Model description can only contain letters, digits, spaces, underscores (_), hyphens (-), and dots (.);",
+            exception.getMessage()
+        );
+    }
+
 }