nfs: use ValidateVolumeID for input validation

black-dragon74 · mergify[bot] · commit a08c2bb1252a · 2026-02-04T19:16:03.000Z
This patch modifies nfs controllerserver and nodeserver methods to use `util.ValidateVolumeID`. It is done to ensure the provided VolumeId in the gRPC matches the expected format. Signed-off-by: Niraj Yadav <niryadav@redhat.com> Reported-by: Shaul Ben Hai <shaul.benhai@sentinelone.com> (cherry picked from commit 9619c7c)
diff --git a/internal/nfs/controller/controllerserver.go b/internal/nfs/controller/controllerserver.go
@@ -127,6 +127,11 @@ func (cs *Server) DeleteVolume(
 	ctx context.Context,
 	req *csi.DeleteVolumeRequest,
 ) (*csi.DeleteVolumeResponse, error) {
+	volumeID := req.GetVolumeId()
+	if err := util.ValidateVolumeID(volumeID, true); err != nil {
+		return nil, status.Error(codes.InvalidArgument, err.Error())
+	}
+
 	secret := req.GetSecrets()
 	cr, err := util.NewAdminCredentials(secret)
 	if err != nil {
@@ -136,7 +141,7 @@ func (cs *Server) DeleteVolume(
 	}
 	defer cr.DeleteCredentials()
 
-	nfsVolume, err := NewNFSVolume(ctx, req.GetVolumeId())
+	nfsVolume, err := NewNFSVolume(ctx, volumeID)
 	if err != nil {
 		return nil, status.Error(codes.InvalidArgument, err.Error())
 	}
diff --git a/internal/nfs/nodeserver/nodeserver.go b/internal/nfs/nodeserver/nodeserver.go
@@ -250,9 +250,11 @@ func (ns *NodeServer) mountNFS(
 
 // validateNodePublishVolumeRequest validates node publish volume request.
 func validateNodePublishVolumeRequest(req *csi.NodePublishVolumeRequest) error {
+	if err := util.ValidateVolumeID(req.GetVolumeId(), util.IsStaticVol(req.GetVolumeContext())); err != nil {
+		return err
+	}
+
 	switch {
-	case req.GetVolumeId() == "":
-		return errors.New("volume ID missing in request")
 	case req.GetVolumeCapability() == nil:
 		return errors.New("volume capability missing in request")
 	case req.GetTargetPath() == "":
diff --git a/internal/nfs/nodeserver/nodeserver_test.go b/internal/nfs/nodeserver/nodeserver_test.go
@@ -39,6 +39,10 @@ func Test_validateNodePublishVolumeRequest(t *testing.T) {
 					VolumeId:         "123",
 					TargetPath:       "/target",
 					VolumeCapability: &csi.VolumeCapability{},
+					// staticVolume ensures format validation for volumeID is skipped.
+					VolumeContext: map[string]string{
+						"staticVolume": "true",
+					},
 				},
 			},
 			wantErr: false,
