SpecterOps · irshadaj · Feb 27, 2024 · Feb 26, 2024 · Feb 26, 2024 · Feb 27, 2024
diff --git a/cmd/api/src/api/error.go b/cmd/api/src/api/error.go
@@ -57,6 +57,7 @@ const (
 	ErrorResponseMultipleCollectionScopesProvided   = "may only scope collection by exactly one of OU, Domain, or All Trusted Domains"
 	ErrorResponsePayloadUnmarshalError              = "error unmarshalling JSON payload"
 	ErrorResponseUserSelfDisable                    = "user attempted to disable themselves"
+	ErrorResponseAGTagWhiteSpace                    = "asset group tags must not contain whitespace"
 
 	FmtErrorResponseDetailsBadQueryParameters = "there are errors in the query parameters: %v"
 )

diff --git a/cmd/api/src/api/v2/agi.go b/cmd/api/src/api/v2/agi.go
@@ -200,6 +200,8 @@ func (s Resources) CreateAssetGroup(response http.ResponseWriter, request *http.
 
 	if err := api.ReadJSONRequestPayloadLimited(&createRequest, request); err != nil {
 		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, err.Error(), request), response)
+	} else if strings.Contains(createRequest.Tag, " ") {
+		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, api.ErrorResponseAGTagWhiteSpace, request), response)
 	} else if newAssetGroup, err := s.DB.CreateAssetGroup(request.Context(), createRequest.Name, createRequest.Tag, false); err != nil {
 		api.HandleDatabaseError(request, response, err)
 	} else {

diff --git a/cmd/api/src/api/v2/agi_test.go b/cmd/api/src/api/v2/agi_test.go
@@ -406,6 +406,19 @@ func TestResources_CreateAssetGroup(t *testing.T) {
 		Require().
 		ResponseStatusCode(http.StatusBadRequest)
 
+	// Whitespace in asset group tag must error
+	jsonBody, err := json.Marshal(v2.CreateAssetGroupRequest{Tag: "a b"})
+	require.Nil(t, err)
+
+	requestTemplate.
+		WithContext(&ctx.Context{
+			Host: &url.URL{},
+		}).
+		WithBody(jsonBody).
+		OnHandlerFunc(resources.CreateAssetGroup).
+		Require().
+		ResponseStatusCode(http.StatusBadRequest)
+
 	// Create DB Query fails
 	mockDB.EXPECT().CreateAssetGroup(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(model.AssetGroup{}, fmt.Errorf("exploded"))
 

diff --git a/cmd/api/src/database/migration/migrations/v5.7.1.sql b/cmd/api/src/database/migration/migrations/v5.7.1.sql
@@ -0,0 +1,18 @@
+-- Copyright 2024 Specter Ops, Inc.
+--
+-- Licensed under the Apache License, Version 2.0
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+-- SPDX-License-Identifier: Apache-2.0
+
+UPDATE asset_groups
+SET tag = REPLACE(tag, ' ', '');
diff --git a/cmd/api/src/docs/json/paths/v2/asset-isolation.json b/cmd/api/src/docs/json/paths/v2/asset-isolation.json
@@ -167,6 +167,12 @@
                         }
                     }
                 },
+                "400": {
+                    "description": "Bad Request",
+                    "schema": {
+                        "$ref": "#/definitions/api.ErrorWrapper"
+                    }
+                },
                 "Error": {
                     "$ref": "#/components/responses/defaultError"
                 }