fix: don't allow "new" or "create" as url-friendly names (#13596)

2025-07-06 15:41:45 +00:00 · 2024-06-18 15:36:13 -06:00
parent 3a1fa04590
commit e987ad1d89
12 changed files with 117 additions and 108 deletions
--- a/coderd/httpapi/name.go
+++ b/coderd/httpapi/name.go
@ -46,6 +46,10 @@ func NameValid(str string) error {
 	if len(str) < 1 {
 		return xerrors.New("must be >= 1 character")
 	}
+	// Avoid conflicts with routes like /templates/new and /groups/create.
+	if str == "new" || str == "create" {
+		return xerrors.Errorf("cannot use %q as a name", str)
+	}
 	matched := UsernameValidRegex.MatchString(str)
 	if !matched {
 		return xerrors.New("must be alphanumeric with hyphens")