DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: Validate x-forwarded-prefix annotation with RegexPathWithCapture (#10598)

Browse source
This commit is contained in:
Matt Dainty 2023-11-01 22:08:51 +00:00 committed by GitHub
parent 9cb3919e84
commit 9cdd51d5dc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 7 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
internal/ingress/annotations/parser/validators.go
View file

@ -71,7 +71,7 @@ var (
NGINXVariable = regexp.MustCompile(`^[A-Za-z0-9\-\_\$\{\}]*$`)
// RegexPathWithCapture allows entries that SHOULD start with "/" and may contain alphanumeric + capture
// character for regex based paths, like /something/$1/anything/$2
RegexPathWithCapture = regexp.MustCompile(`^/[` + alphaNumericChars + `\/\$]*$`)
RegexPathWithCapture = regexp.MustCompile(`^/?[` + alphaNumericChars + `\/\$]*$`)
// HeadersVariable defines a regex that allows headers separated by comma
HeadersVariable = regexp.MustCompile(`^[A-Za-z0-9-_, ]*$`)
// URLWithNginxVariableRegex defines a url that can contain nginx variables.

9
internal/ingress/annotations/xforwardedprefix/main.go
View file

@ -31,10 +31,11 @@ var xForwardedForAnnotations = parser.Annotation{
Group: "backend",
Annotations: parser.AnnotationFields{
xForwardedForPrefixAnnotation: {
Validator: parser.ValidateRegex(parser.BasicCharsRegex, true),
Scope: parser.AnnotationScopeLocation,
Risk: parser.AnnotationRiskLow, // Low, as it allows regexes but on a very limited set
Documentation: `This annotation can be used to add the non-standard X-Forwarded-Prefix header to the upstream request with a string value`,
Validator: parser.ValidateRegex(parser.RegexPathWithCapture, true),
Scope: parser.AnnotationScopeLocation,
Risk: parser.AnnotationRiskMedium,
Documentation: `This annotation can be used to add the non-standard X-Forwarded-Prefix header to the upstream request with a string value. It can
contain regular characters and captured groups specified as '$1', '$2', etc.`,
},
},
}

1
internal/ingress/annotations/xforwardedprefix/main_test.go
View file

@ -40,6 +40,7 @@ func TestParse(t *testing.T) {
{map[string]string{annotation: "true"}, "true"},
{map[string]string{annotation: "1"}, "1"},
{map[string]string{annotation: ""}, ""},
{map[string]string{annotation: "/$1"}, "/$1"},
{map[string]string{}, ""},
{nil, ""},
}