fix: Validate x-forwarded-prefix annotation with RegexPathWithCapture (#10598)

2023-11-01 22:08:51 +00:00 · 2023-11-01 22:08:51 +00:00 · 9cdd51d5dc
commit 9cdd51d5dc
parent 9cb3919e84
3 changed files with 7 additions and 5 deletions
--- a/internal/ingress/annotations/xforwardedprefix/main.go
+++ b/internal/ingress/annotations/xforwardedprefix/main.go
@ -31,10 +31,11 @@ var xForwardedForAnnotations = parser.Annotation{
 	Group: "backend",
 	Annotations: parser.AnnotationFields{
 		xForwardedForPrefixAnnotation: {
-			Validator:     parser.ValidateRegex(parser.BasicCharsRegex, true),
-			Scope:         parser.AnnotationScopeLocation,
-			Risk:          parser.AnnotationRiskLow, // Low, as it allows regexes but on a very limited set
-			Documentation: `This annotation can be used to add the non-standard X-Forwarded-Prefix header to the upstream request with a string value`,
+			Validator: parser.ValidateRegex(parser.RegexPathWithCapture, true),
+			Scope:     parser.AnnotationScopeLocation,
+			Risk:      parser.AnnotationRiskMedium,
+			Documentation: `This annotation can be used to add the non-standard X-Forwarded-Prefix header to the upstream request with a string value. It can 
+			contain regular characters and captured groups specified as '$1', '$2', etc.`,
 		},
 	},
 }
--- a/internal/ingress/annotations/xforwardedprefix/main_test.go
+++ b/internal/ingress/annotations/xforwardedprefix/main_test.go
@ -40,6 +40,7 @@ func TestParse(t *testing.T) {
 		{map[string]string{annotation: "true"}, "true"},
 		{map[string]string{annotation: "1"}, "1"},
 		{map[string]string{annotation: ""}, ""},
+		{map[string]string{annotation: "/$1"}, "/$1"},
 		{map[string]string{}, ""},
 		{nil, ""},
 	}