From 9cdd51d5dcbf01fe6f06a8129027b07bf63fcb9b Mon Sep 17 00:00:00 2001
From: Matt Dainty
Date: Wed, 1 Nov 2023 22:08:51 +0000
Subject: [PATCH] fix: Validate x-forwarded-prefix annotation with RegexPathWithCapture (#10598)

---
 internal/ingress/annotations/parser/validators.go | 2 +-
 internal/ingress/annotations/xforwardedprefix/main.go | 9 +++++----
 .../ingress/annotations/xforwardedprefix/main_test.go | 1 +
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/internal/ingress/annotations/parser/validators.go b/internal/ingress/annotations/parser/validators.go
index ab9b4799f..09f483006 100644
--- a/internal/ingress/annotations/parser/validators.go
+++ b/internal/ingress/annotations/parser/validators.go
@@ -71,7 +71,7 @@ var (
 NGINXVariable = regexp.MustCompile(`^[A-Za-z0-9\-\_\$\{\}]*$`)
 // RegexPathWithCapture allows entries that SHOULD start with "/" and may contain alphanumeric + capture
 // character for regex based paths, like /something/$1/anything/$2
- RegexPathWithCapture = regexp.MustCompile(`^/[` + alphaNumericChars + `\/\$]*$`)
+ RegexPathWithCapture = regexp.MustCompile(`^/?[` + alphaNumericChars + `\/\$]*$`)
 // HeadersVariable defines a regex that allows headers separated by comma
 HeadersVariable = regexp.MustCompile(`^[A-Za-z0-9-_, ]*$`)
 // URLWithNginxVariableRegex defines a url that can contain nginx variables.
diff --git a/internal/ingress/annotations/xforwardedprefix/main.go b/internal/ingress/annotations/xforwardedprefix/main.go
index 530afbb01..54bb7199a 100644
--- a/internal/ingress/annotations/xforwardedprefix/main.go
+++ b/internal/ingress/annotations/xforwardedprefix/main.go
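Review bot: The doc comment two lines above the changed regex still says entries SHOULD start with "/", but `^/?` now makes the slash optional and also lets the empty string through, so the comment contradicts the pattern it documents; I would change it to `// RegexPathWithCapture allows entries that may start with "/" (the slash is optional, and the empty string matches) and may contain alphanumeric + capture`. Because the relaxation is made on the shared validator rather than for the x-forwarded-prefix annotation alone, any other annotation validated with RegexPathWithCapture — if there are others, which is not visible here — now silently accepts values without a leading slash as well; a dedicated pattern for the prefix annotation, e.g. `RegexPathWithCaptureOptionalSlash`, would keep the original contract for them. The `var (` block holding these definitions starts and ends outside the hunk.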
@@ -31,10 +31,11 @@ var xForwardedForAnnotations = parser.Annotation{
 Group: "backend",
 Annotations: parser.AnnotationFields{
 xForwardedForPrefixAnnotation: {
- Validator: parser.ValidateRegex(parser.BasicCharsRegex, true),
- Scope: parser.AnnotationScopeLocation,
- Risk: parser.AnnotationRiskLow, // Low, as it allows regexes but on a very limited set
- Documentation: `This annotation can be used to add the non-standard X-Forwarded-Prefix header to the upstream request with a string value`,
+ Validator: parser.ValidateRegex(parser.RegexPathWithCapture, true),
+ Scope: parser.AnnotationScopeLocation,
+ Risk: parser.AnnotationRiskMedium,
+ Documentation: `This annotation can be used to add the non-standard X-Forwarded-Prefix header to the upstream request with a string value. It can
+ contain regular characters and captured groups specified as '$1', '$2', etc.`,
 },
 },
 }
diff --git a/internal/ingress/annotations/xforwardedprefix/main_test.go b/internal/ingress/annotations/xforwardedprefix/main_test.go
index f28b6b10e..977e7d372 100644
--- a/internal/ingress/annotations/xforwardedprefix/main_test.go
+++ b/internal/ingress/annotations/xforwardedprefix/main_test.go
@@ -40,6 +40,7 @@ func TestParse(t *testing.T) {
 {map[string]string{annotation: "true"}, "true"},
 {map[string]string{annotation: "1"}, "1"},
 {map[string]string{annotation: ""}, ""},
+ {map[string]string{annotation: "/$1"}, "/$1"},
 {map[string]string{}, ""},
 {nil, ""},
 }
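Review bot: The new `Risk: parser.AnnotationRiskMedium,` line drops the inline justification the old Low line carried, so the next reader has no record of why the risk went up; I would restore one, e.g. `Risk: parser.AnnotationRiskMedium, // Medium: accepts $-captures that end up in the proxied header value`. The Documentation string describes only '$1', '$2' captures, yet the validator now used permits `$` followed by any of alphaNumericChars, so — assuming that class includes letters, which this hunk does not show — an nginx variable reference such as `$host` passes validation too; either say so in the documentation or reject a `$` that is not followed by a digit. The multi-line raw string also embeds a newline and the next line's indentation into the rendered documentation text; concatenating two literals with `+` avoids that. The `xForwardedForAnnotations` declaration starts before the hunk.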
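Review bot: The added case only shows that `/$1` is accepted; nothing in TestParse pins what the new validator rejects, so a later loosening of RegexPathWithCapture would pass this table unnoticed. A rejecting case such as a value containing a space or `;` (e.g. `{map[string]string{annotation: "/$1; foo"}, ""}`) would cover that, with the expected value adjusted to whatever Parse yields on validation failure, which is not visible in this hunk. The test table continues outside the hunk.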