Revert Implement pathType validation (#9511) (#9607)

Signed-off-by: James Strong <strong.james.e@gmail.com>
2023-02-13 07:57:29 +01:00 · 2023-02-13 07:57:29 +01:00 · 01c9a2bf25
commit 01c9a2bf25
parent 59d247dd74
16 changed files with 211 additions and 426 deletions
--- a/pkg/util/ingress/ingress.go
+++ b/pkg/util/ingress/ingress.go
@ -23,6 +23,7 @@ import (

 	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/k8s"
 	"k8s.io/ingress-nginx/internal/net/ssl"
 	"k8s.io/ingress-nginx/pkg/apis/ingress"
@ -30,15 +31,15 @@ import (
 )

 const (
-	alphaNumericChars = `A-Za-z0-9\-\.\_\~\/` // This is the default allowed set on paths
+	alphaNumericChars = `\-\.\_\~a-zA-Z0-9/`
+	regexEnabledChars = `\^\$\[\]\(\)\{\}\*\+`
 )

 var (
-	// pathAlphaNumeric is a regex validation that allows only (0-9, a-z, A-Z, "-", ".", "_", "~", "/")
-	pathAlphaNumericRegex = regexp.MustCompile("^[" + alphaNumericChars + "]*$").MatchString
-
-	// default path type is Prefix to not break existing definitions
-	defaultPathType = networkingv1.PathTypePrefix
+	// pathAlphaNumeric is a regex validation of something like "^/[a-zA-Z]+$" on path
+	pathAlphaNumeric = regexp.MustCompile("^/[" + alphaNumericChars + "]*$").MatchString
+	// pathRegexEnabled is a regex validation of paths that may contain regex.
+	pathRegexEnabled = regexp.MustCompile("^/[" + alphaNumericChars + regexEnabledChars + "]*$").MatchString
 )

 func GetRemovedHosts(rucfg, newcfg *ingress.Configuration) []string {
@ -246,68 +247,12 @@ func BuildRedirects(servers []*ingress.Server) []*redirect {
 	return redirectServers
 }

-func ValidateIngressPath(copyIng *networkingv1.Ingress, enablePathTypeValidation bool, pathAdditionalAllowedChars string) error {
-
-	if copyIng == nil {
-		return nil
+// IsSafePath verifies if the path used in ingress object contains only valid characters.
+// It will behave differently if regex is enabled or not
+func IsSafePath(copyIng *networkingv1.Ingress, path string) bool {
+	isRegex, _ := parser.GetBoolAnnotation("use-regex", copyIng)
+	if isRegex {
+		return pathRegexEnabled(path)
 	}
-
-	escapedPathAdditionalAllowedChars := regexp.QuoteMeta(pathAdditionalAllowedChars)
-	regexPath, err := regexp.Compile("^[" + alphaNumericChars + escapedPathAdditionalAllowedChars + "]*$")
-	if err != nil {
-		return fmt.Errorf("ingress has misconfigured validation regex on configmap: %s - %w", pathAdditionalAllowedChars, err)
-	}
-
-	for _, rule := range copyIng.Spec.Rules {
-
-		if rule.HTTP == nil {
-			continue
-		}
-
-		if err := checkPath(rule.HTTP.Paths, enablePathTypeValidation, regexPath); err != nil {
-			return fmt.Errorf("error validating ingressPath: %w", err)
-		}
-	}
-	return nil
-}
-
-func checkPath(paths []networkingv1.HTTPIngressPath, enablePathTypeValidation bool, regexSpecificChars *regexp.Regexp) error {
-
-	for _, path := range paths {
-		if path.PathType == nil {
-			path.PathType = &defaultPathType
-		}
-
-		klog.V(9).InfoS("PathType Validation", "enablePathTypeValidation", enablePathTypeValidation, "regexSpecificChars", regexSpecificChars.String(), "Path", path.Path)
-
-		switch pathType := *path.PathType; pathType {
-		case networkingv1.PathTypeImplementationSpecific:
-			if enablePathTypeValidation {
-				//only match on regex chars per Ingress spec when path is implementation specific
-				if !regexSpecificChars.MatchString(path.Path) {
-					return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType)
-				}
-			}
-
-		case networkingv1.PathTypeExact, networkingv1.PathTypePrefix:
-			//enforce path type validation
-			if enablePathTypeValidation {
-				//only allow alphanumeric chars, no regex chars
-				if !pathAlphaNumericRegex(path.Path) {
-					return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType)
-				}
-				continue
-			} else {
-				//path validation is disabled, so we check what regex chars are allowed by user
-				if !regexSpecificChars.MatchString(path.Path) {
-					return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType)
-				}
-				continue
-			}
-
-		default:
-			return fmt.Errorf("unknown path type %v on path %v", *path.PathType, path.Path)
-		}
-	}
-	return nil
+	return pathAlphaNumeric(path)
 }
--- a/pkg/util/ingress/ingress_test.go
+++ b/pkg/util/ingress/ingress_test.go
@ -17,10 +17,13 @@ limitations under the License.
 package ingress

 import (
+	"fmt"
 	"testing"

-	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	networkingv1 "k8s.io/api/networking/v1"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/pkg/apis/ingress"
 )

@ -133,172 +136,81 @@ func TestIsDynamicConfigurationEnough(t *testing.T) {
 	}
 }

-func generateDumbIngressforPathTest(pathType *networkingv1.PathType, path string) *networkingv1.Ingress {
+func generateDumbIngressforPathTest(regexEnabled bool) *networkingv1.Ingress {
+	var annotations = make(map[string]string)
+	regexAnnotation := fmt.Sprintf("%s/use-regex", parser.AnnotationsPrefix)
+	if regexEnabled {
+		annotations[regexAnnotation] = "true"
+	}
 	return &networkingv1.Ingress{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "dumb",
-			Namespace: "default",
-		},
-		Spec: networkingv1.IngressSpec{
-			Rules: []networkingv1.IngressRule{
-				{
-					Host: "test.com",
-					IngressRuleValue: networkingv1.IngressRuleValue{
-						HTTP: &networkingv1.HTTPIngressRuleValue{
-							Paths: []networkingv1.HTTPIngressPath{
-								{
-									PathType: pathType,
-									Path:     path,
-								},
-							},
-						},
-					},
-				},
-			},
+			Name:        "dumb",
+			Namespace:   "default",
+			Annotations: annotations,
 		},
 	}
 }

-func generateComplexIngress(ing *networkingv1.Ingress) *networkingv1.Ingress {
-
-	oldRules := ing.Spec.DeepCopy().Rules
-	ing.Spec.Rules = []networkingv1.IngressRule{
-		{
-			Host: "test1.com",
-			IngressRuleValue: networkingv1.IngressRuleValue{
-				HTTP: &networkingv1.HTTPIngressRuleValue{
-					Paths: []networkingv1.HTTPIngressPath{
-						{
-							PathType: &pathTypeExact,
-							Path:     "/xpto",
-						},
-					},
-				},
-			},
-		},
-		{
-			Host: "test2.com",
-			IngressRuleValue: networkingv1.IngressRuleValue{
-				HTTP: &networkingv1.HTTPIngressRuleValue{
-					Paths: []networkingv1.HTTPIngressPath{
-						{
-							PathType: &pathTypeExact,
-							Path:     "/someotherpath",
-						},
-						{
-							PathType: &pathTypePrefix,
-							Path:     "/someprefix/~xpto/lala123",
-						},
-					},
-				},
-			},
-		},
-	}
-	// we want to invert the order to test better :)
-	ing.Spec.Rules = append(ing.Spec.Rules, oldRules...)
-
-	return ing
-}
-
-var (
-	pathTypeExact        = networkingv1.PathTypeExact
-	pathTypePrefix       = networkingv1.PathTypePrefix
-	pathTypeImplSpecific = networkingv1.PathTypeImplementationSpecific
-)
-
-const (
-	defaultAdditionalChars = "^%$[](){}*+?"
-)
-
-func TestValidateIngressPath(t *testing.T) {
+func TestIsSafePath(t *testing.T) {
 	tests := []struct {
-		name                     string
-		copyIng                  *networkingv1.Ingress
-		EnablePathTypeValidation bool
-		additionalChars          string
-		wantErr                  bool
+		name    string
+		copyIng *networkingv1.Ingress
+		path    string
+		want    bool
 	}{
 		{
-			name:    "should return nil when ingress = nil",
-			wantErr: false,
-			copyIng: nil,
+			name:    "should accept valid path with regex disabled",
+			want:    true,
+			copyIng: generateDumbIngressforPathTest(false),
+			path:    "/xpto/~user/t-e_st.exe",
 		},
 		{
-			name:    "should accept valid path on pathType Exact",
-			wantErr: false,
-			copyIng: generateDumbIngressforPathTest(&pathTypeExact, "/xpto/~user9/t-e_st.exe"),
+			name:    "should accept valid path / with regex disabled",
+			want:    true,
+			copyIng: generateDumbIngressforPathTest(false),
+			path:    "/",
 		},
 		{
-			name:    "should accept valid path on pathType Prefix",
-			wantErr: false,
-			copyIng: generateDumbIngressforPathTest(&pathTypePrefix, "/xpto/~user9/t-e_st.exe"),
+			name:    "should reject invalid path with invalid chars",
+			want:    false,
+			copyIng: generateDumbIngressforPathTest(false),
+			path:    "/foo/bar/;xpto",
 		},
 		{
-			name:    "should accept valid simple path on pathType Impl Specific",
-			wantErr: false,
-			copyIng: generateDumbIngressforPathTest(&pathTypeImplSpecific, "/xpto/~user9/t-e_st.exe"),
+			name:    "should reject regex path when regex is disabled",
+			want:    false,
+			copyIng: generateDumbIngressforPathTest(false),
+			path:    "/foo/bar/(.+)",
 		},
 		{
-			name:    "should accept valid path on pathType nil",
-			wantErr: false,
-			copyIng: generateDumbIngressforPathTest(nil, "/xpto/~user/t-e_st.exe"),
+			name:    "should accept valid path / with regex enabled",
+			want:    true,
+			copyIng: generateDumbIngressforPathTest(true),
+			path:    "/",
 		},
 		{
-			name:    "should accept empty path",
-			wantErr: false,
-			copyIng: generateDumbIngressforPathTest(&pathTypePrefix, ""),
+			name:    "should accept regex path when regex is enabled",
+			want:    true,
+			copyIng: generateDumbIngressforPathTest(true),
+			path:    "/foo/bar/(.+)",
 		},
 		{
-			name:            "should deny path with bad characters and pathType not implementationSpecific",
-			wantErr:         true,
-			additionalChars: "()",
-			copyIng:         generateDumbIngressforPathTest(&pathTypeExact, "/foo/bar/(.+)"),
+			name:    "should reject regex path when regex is enabled but the path is invalid",
+			want:    false,
+			copyIng: generateDumbIngressforPathTest(true),
+			path:    "/foo/bar/;xpto",
 		},
 		{
-			name:                     "should accept path with regex characters and pathType implementationSpecific",
-			wantErr:                  false,
-			additionalChars:          defaultAdditionalChars,
-			EnablePathTypeValidation: false,
-			copyIng:                  generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"),
-		},
-		{
-			name:                     "should accept path with regex characters and pathType exact, but pathType validation disabled",
-			wantErr:                  false,
-			additionalChars:          defaultAdditionalChars,
-			EnablePathTypeValidation: false,
-			copyIng:                  generateDumbIngressforPathTest(&pathTypeExact, "/foo/bar/(.+)"),
-		},
-		{
-			name:                     "should reject path when the allowed additional set does not match",
-			wantErr:                  true,
-			additionalChars:          "().?",
-			EnablePathTypeValidation: true,
-			copyIng:                  generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.+)"),
-		},
-		{
-			name:                     "should accept path when the allowed additional set does match",
-			wantErr:                  false,
-			additionalChars:          "().?",
-			EnablePathTypeValidation: false,
-			copyIng:                  generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.?)"),
-		},
-		{
-			name:                     "should block if at least one path is bad",
-			wantErr:                  true,
-			EnablePathTypeValidation: false,
-			copyIng:                  generateComplexIngress(generateDumbIngressforPathTest(&pathTypeExact, "/foo/bar/(.?)")),
-		},
-		{
-			name:                     "should block if at least one path is bad",
-			wantErr:                  true,
-			EnablePathTypeValidation: true,
-			copyIng:                  generateComplexIngress(generateDumbIngressforPathTest(&pathTypeImplSpecific, "/foo/bar/(.?)")),
+			name:    "should reject regex path when regex is enabled but the path is invalid",
+			want:    false,
+			copyIng: generateDumbIngressforPathTest(true),
+			path:    ";xpto",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if err := ValidateIngressPath(tt.copyIng, tt.EnablePathTypeValidation, tt.additionalChars); (err != nil) != tt.wantErr {
-				t.Errorf("ValidateIngressPath() error = %v, wantErr %v", err, tt.wantErr)
+			if got := IsSafePath(tt.copyIng, tt.path); got != tt.want {
+				t.Errorf("IsSafePath() = %v, want %v", got, tt.want)
 			}
 		})
 	}