From dbfd170e7c2de221bf99c4905f72c6578035f93a Mon Sep 17 00:00:00 2001
From: Max Schettler
Date: Fri, 29 May 2026 15:15:27 +0200
Subject: [PATCH] Validate NQN argument in SNodeAPI

This avoids a potential injection issue since the value is used to construct a command that's executed on the machine.
---
 simplyblock_web/api/internal/node_api_basic.py | 2 +-
 simplyblock_web/utils.py | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/simplyblock_web/api/internal/node_api_basic.py b/simplyblock_web/api/internal/node_api_basic.py
index 181f61f8d..fe9593a7b 100644
--- a/simplyblock_web/api/internal/node_api_basic.py
+++ b/simplyblock_web/api/internal/node_api_basic.py
@@ -86,7 +86,7 @@ def get_info():
 class _NVMeParams(BaseModel):
 ip: str = Field(pattern=utils.IP_PATTERN)
 port: int = Field(ge=0, le=65536)
- nqn: str
+ nqn: str = Field(pattern=utils.NQN_PATTERN)
 @api.post('/nvme_connect',
diff --git a/simplyblock_web/utils.py b/simplyblock_web/utils.py
index 24921a8e8..187e71df5 100644
--- a/simplyblock_web/utils.py
+++ b/simplyblock_web/utils.py
@@ -15,6 +15,14 @@ IP_PATTERN = re.compile(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$')
 IFNAME_PATTERN = re.compile(r'^[a-zA-Z0-9_\-\\.]{1,15}$')
+NQN_PATTERN = re.compile(
+ r'nqn\.'
+ r'\d{4}-\d{2}'
+ r'\.'
+ r'(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)*'
+ r'[a-zA-Z]{2,}'
+ r'(?::[a-zA-Z0-9.\-:_]+)?' # optional unique name
+)
 def response_schema(result_schema: dict) -> dict:
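Review bot: `NQN_PATTERN`, which the new `Field(pattern=utils.NQN_PATTERN)` on `_NVMeParams.nqn` relies on, is defined in the simplyblock_web/utils.py hunk without `^`/`$` anchors, unlike `IP_PATTERN` and `IFNAME_PATTERN` beside it. As far as I know pydantic applies `pattern` as a search or prefix match rather than a full match, so a value that merely starts with (or contains) a well-formed NQN and then carries arbitrary extra characters would still validate and reach the command this commit is meant to protect. I would anchor both ends, `r'^nqn\.'` on the first fragment and `r'(?::[a-zA-Z0-9.\-:_]+)?$'` on the last, and bound the length at the field, e.g. `nqn: str = Field(pattern=utils.NQN_PATTERN, max_length=223)` (223 bytes is the NQN limit in the NVMe specification). A unit test asserting that a valid NQN followed by extra characters is rejected would pin the behaviour down. The handler that builds the command is outside this diff; if it goes through a shell string, passing the value as a separate argv element there would be the more robust fix.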