Annotations: Deny newlines. (#12640)

James Strong 2025-01-10 18:24:31 -05:00 committed by GitHub
parent 63d4d64fe4
commit 698c3c0df1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 11 additions and 0 deletions


@ -79,6 +79,8 @@ var (
// URLWithNginxVariableRegex defines a url that can contain nginx variables.
// It is a risky operation
URLWithNginxVariableRegex = regexp.MustCompile("^[" + extendedAlphaNumeric + urlEnabledChars + "$]*$")
// MaliciousRegex defines chars that are known to inject RCE
MaliciousRegex = regexp.MustCompile(`\r|\n`)
)
// ValidateArrayOfServerName validates if all fields on a Server name annotation are
@ -113,6 +115,10 @@ func ValidateRegex(regex *regexp.Regexp, removeSpace bool) AnnotationValidator {
if !regex.MatchString(s) {
return fmt.Errorf("value %s is invalid", s)
}
if MaliciousRegex.MatchString(s) {
return fmt.Errorf("value %s contains malicious string", s)
}
return nil
}
}
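Review bot: The new error `return fmt.Errorf("value %s contains malicious string", s)` formats with `%s` a value that is known at that point to contain CR or LF, so the raw line break is carried into whatever log or event records the error. `%q` keeps the value on one line and makes the offending character visible: `return fmt.Errorf("value %q contains malicious string", s)`. The check is added only inside the closure returned by ValidateRegex, whose body starts outside this hunk, so any validator that does not go through ValidateRegex presumably gets no newline rejection; that is worth confirming. The comment on MaliciousRegex could also state what is matched rather than the effect, for example `// MaliciousRegex matches CR and LF, which must never appear in an annotation value`.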


@ -65,6 +65,11 @@ func TestValidateArrayOfServerName(t *testing.T) {
value: "something.com,lolo;xpto.com,nothing.com",
wantErr: true,
},
{
name: "should deny names with malicous chars",
value: "http://something.com/#;\nournewinjection",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
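Review bot: The added case does not appear to isolate the new newline check, because its value `"http://something.com/#;\nournewinjection"` also contains `;`, and the case just above it shows that a value with `;` is already rejected. The test would therefore likely pass with the MaliciousRegex check removed. A value that is valid apart from the line break pins the new behaviour, for example `value: "something.com\nnothing.com",`, together with a second case using `\r`, since the regex rejects both and only LF is covered. The test table and the function continue outside the hunk, so existing coverage of ValidateRegex elsewhere cannot be seen from here.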