21 changes: 17 additions & 4 deletions pkgs/sdk/server/src/ConfigurationBuilder.cs
@@ -1,6 +1,7 @@
using System;
using System.Collections.Generic;
using LaunchDarkly.Logging;
using LaunchDarkly.Sdk.Helpers;
using LaunchDarkly.Sdk.Server.Hooks;
using LaunchDarkly.Sdk.Server.Integrations;
using LaunchDarkly.Sdk.Server.Interfaces;
Expand Down Expand Up @@ -53,9 +54,20 @@

#region Internal constructors

/// <summary>
/// Sets the SDK key only if it passes validation rules.
/// </summary>
private void SetSdkKeyIfValid(string sdkKey)
{
if (ValidationUtils.ValidateSdkKeyFormat(sdkKey) == null)

Check failure on line 62 in pkgs/sdk/server/src/ConfigurationBuilder.cs

GitHub Actions / build-and-test (ubuntu-22.04)

'ValidationUtils' does not contain a definition for 'ValidateSdkKeyFormat'

{
_sdkKey = sdkKey;
}
}

Bug: Key Validation Silently Fails Without Alerts

The new key validation in both SDKs silently discards invalid SDK/mobile keys, leaving the internal key field null. This can lead to runtime issues, such as connection failures, without user notification. Copy constructors are particularly problematic, as an already valid key might be unexpectedly nullified.

Additional Locations (1)



internal ConfigurationBuilder(string sdkKey)
{
_sdkKey = sdkKey;
SetSdkKeyIfValid(sdkKey);
}

internal ConfigurationBuilder(Configuration copyFrom)
Expand All @@ -70,7 +82,8 @@
_http = copyFrom.Http;
_logging = copyFrom.Logging;
_offline = copyFrom.Offline;
_sdkKey = copyFrom.SdkKey;
// The SDK key from Configuration should already be valid, but we validate just in case
SetSdkKeyIfValid(copyFrom.SdkKey);
_serviceEndpointsBuilder = new ServiceEndpointsBuilder(copyFrom.ServiceEndpoints);
_startWaitTime = copyFrom.StartWaitTime;
_applicationInfo = copyFrom.ApplicationInfo;
Expand Down Expand Up @@ -317,15 +330,15 @@

/// <summary>
/// Sets the SDK key for your LaunchDarkly environment.
/// They key will not be updated if the provided key contains invalid characters.
/// </summary>
/// <param name="sdkKey">the SDK key</param>
/// <returns>the same builder</returns>
public ConfigurationBuilder SdkKey(string sdkKey)
{
_sdkKey = sdkKey;
SetSdkKeyIfValid(sdkKey);
return this;
}

/// <summary>
/// Sets the SDK's service URIs, using a configuration builder obtained from
/// <see cref="Components.ServiceEndpoints"/>.
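Review bot: The `<summary>` on `SdkKey(string)` under-describes what the setter now does: `SetSdkKeyIfValid` assigns `_sdkKey` only when `ValidateSdkKeyFormat` returns null, so a rejected value leaves whatever key the builder already held and the caller still gets `this` back. For a credential that matters during rotation, since a malformed replacement key would, as far as these lines show, leave the client authenticating with the earlier one. The doc line also reads "They key" and mentions only invalid characters although the validator rejects over-length keys too; I would replace it with `/// The key is not updated if it contains invalid characters or is too long; any previously set key is kept.` The `SetSdkKeyIfValid` helper is declared under `#region Internal constructors`, which is a slightly misleading home for a private method.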
6 changes: 6 additions & 0 deletions pkgs/sdk/server/src/LdClient.cs
Expand Up @@ -136,6 +136,12 @@
_log = logConfig.LogAdapter.Logger(logConfig.BaseLoggerName ?? LogNames.DefaultBase);
_log.Info("Starting LaunchDarkly client {0}",
AssemblyVersions.GetAssemblyVersionStringForType(typeof(LdClient)));

if (_configuration.SdkKey == null && !_configuration.offline)

Check failure on line 140 in pkgs/sdk/server/src/LdClient.cs

GitHub Actions / build-and-test (ubuntu-22.04)

'Configuration' does not contain a definition for 'offline' and no accessible extension method 'offline' accepting a first argument of type 'Configuration' could be found (are you missing a using directive or an assembly reference?)

{
_log.Error("The SDK key provided is invalid.");
}

_evalLog = _log.SubLogger(LogNames.EvaluationSubLog);

var taskExecutor = new TaskExecutor(this, _log);
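Review bot: `_configuration.offline` in the added `if` does not match the `Offline` property that ConfigurationBuilder reads as `copyFrom.Offline`, which is what the CI annotation on line 140 reports; the condition should be `if (_configuration.SdkKey == null && !_configuration.Offline)`. The message "The SDK key provided is invalid." is also logged when no key was supplied at all, because a rejected key and a missing key both arrive here as null, so wording such as `"No valid SDK key was provided."` would be more accurate. Keeping the key value itself out of the log line is right and should stay that way. After logging, the constructor carries on to create the sub-logger and `TaskExecutor`; whether it should stop instead cannot be judged from this hunk, as the constructor starts and ends outside it.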
4 changes: 2 additions & 2 deletions pkgs/sdk/server/test/LdClientListenersTest.cs
Expand Up @@ -62,7 +62,7 @@ public void ClientSendsFlagValueChangeEvents()
var testData = TestData.DataSource();
testData.Update(testData.Flag(flagKey).On(false));

var config = Configuration.Builder("").DataSource(testData)
var config = Configuration.Builder("sdk-key").DataSource(testData)
.Events(Components.NoEvents).Build();

using (var client = new LdClient(config))
Expand Down Expand Up @@ -136,7 +136,7 @@ public void DataSourceStatusProviderSendsStatusUpdates()
var config = BasicConfig()
.DataSource(testData)
.Build();

using (var client = new LdClient(config))
{
var statuses = new EventSink<DataSourceStatus>();
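--- a/pkgs/shared/common/src/Helpers/ValidationUtils.cs
+++ b/pkgs/shared/common/src/Helpers/ValidationUtils.cs
@@ -10,6 +10,33 @@ public static class ValidationUtils
 {
 private static readonly Regex ValidCharsRegex = new Regex("^[-a-zA-Z0-9._]+\\z");
 
+/// <summary>
+/// Validates that a string does not contain invalid characters or exceed the max length of 8192 characters.
+/// </summary>
+/// <param name="sdkKey">the SDK key to validate.</param>
+/// <returns>Null if the input is valid, otherwise an error string describing the issue.</returns>
+public static string ValidateSdkKeyFormat(string sdkKey)
+{
+
+// For offline mode, we allow a null or empty SDK key and it is not invalid.
+if (string.IsNullOrEmpty(sdkKey))
+{
+return null;
+}
+
+if (sdkKey.Length > 8192)
+{
+return "SDK key cannot be longer than 1024 characters.";
+}
+
+if (!ValidCharsRegex.IsMatch(sdkKey))
+{
+return "SDK key contains invalid characters.";
+}
+
+return null;
+}
+
 /// <summary>
 /// Validates that a string is non-empty, not too longer for our systems, and only contains
 /// alphanumeric characters, hyphens, periods, and underscores.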
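Review bot: The over-length branch of `ValidateSdkKeyFormat` tests `sdkKey.Length > 8192` but returns "SDK key cannot be longer than 1024 characters.", so the message contradicts both the check and the `<summary>`. I would change it to `return "SDK key cannot be longer than 8192 characters.";` and lift the limit into a named constant so the check, the message and the doc comment cannot drift apart again. The returned text is not surfaced by the caller visible in this change (`SetSdkKeyIfValid` only compares the result with null), so either log it there or document that it is advisory. The `\z` anchor in `ValidCharsRegex` and the fact that neither message echoes the key are both worth keeping.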