DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Validate path types (#9967)

Browse source 
* Validate path types

* Fix the year of header

* Update internal/ingress/controller/config/config.go

Co-authored-by: Jintao Zhang <tao12345666333@163.com>

---------

Co-authored-by: Jintao Zhang <tao12345666333@163.com>
This commit is contained in:
Ricardo Katz 2023-05-20 08:58:18 -03:00 committed by GitHub
parent 0dd1cf7460
commit c540b58474
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 296 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
internal/ingress/controller/config/config.go
View file

@ -830,6 +830,12 @@ type Configuration struct {
// http://nginx.org/en/docs/ngx_core_module.html#debug_connection
// Default: ""
DebugConnections []string `json:"debug-connections"`
// StrictValidatePathType enable the strict validation of Ingress Paths
// It enforces that pathType of type Exact or Prefix should start with / and contain only
// alphanumeric chars, "-", "_", "/".In case of additional characters,
// like used on Rewrite configurations the user should use pathType as ImplementationSpecific
StrictValidatePathType bool `json:"strict-validate-path-type"`
}
// NewDefault returns the default nginx configuration
@ -1002,6 +1008,7 @@ func NewDefault() Configuration {
GlobalRateLimitMemcachedPoolSize: 50,
GlobalRateLimitStatucCode: 429,
DebugConnections: []string{},
StrictValidatePathType: false, // TODO: This will be true in future releases
}
if klog.V(5).Enabled() {

9
internal/ingress/controller/controller.go
View file

@ -270,11 +270,13 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
if !ing.DeletionTimestamp.IsZero() {
return nil
}
if n.cfg.DeepInspector {
if err := inspector.DeepInspect(ing); err != nil {
return fmt.Errorf("invalid object: %w", err)
}
}
// Do not attempt to validate an ingress that's not meant to be controlled by the current instance of the controller.
if ingressClass, err := n.store.GetIngressClass(ing, n.cfg.IngressClassConfiguration); ingressClass == "" {
klog.Warningf("ignoring ingress %v in %v based on annotation %v: %v", ing.Name, ing.ObjectMeta.Namespace, ingressClass, err)
@ -293,6 +295,13 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
cfg := n.store.GetBackendConfiguration()
cfg.Resolver = n.resolver
// Adds the pathType Validation
if cfg.StrictValidatePathType {
if err := inspector.ValidatePathType(ing); err != nil {
return fmt.Errorf("ingress contains invalid paths: %w", err)
}
}
var arrayBadWords []string
if cfg.AnnotationValueWordBlocklist != "" {

29
internal/ingress/inspector/inspector.go
View file

@ -17,6 +17,9 @@ limitations under the License.
package inspector
import (
"errors"
"fmt"
corev1 "k8s.io/api/core/v1"
networking "k8s.io/api/networking/v1"
"k8s.io/klog/v2"
@ -36,3 +39,29 @@ func DeepInspect(obj interface{}) error {
return nil
}
}
var (
implSpecific = networking.PathTypeImplementationSpecific
)
func ValidatePathType(ing *networking.Ingress) error {
if ing == nil {
return fmt.Errorf("received null ingress")
}
var err error
for _, rule := range ing.Spec.Rules {
if rule.HTTP != nil {
for _, path := range rule.HTTP.Paths {
if path.Path == "" {
continue
}
if path.PathType == nil || *path.PathType != implSpecific {
if isValid := validPathType.MatchString(path.Path); !isValid {
err = errors.Join(err, fmt.Errorf("path %s cannot be used with pathType %s", path.Path, string(*path.PathType)))
}
}
}
}
}
return err
}

191
internal/ingress/inspector/inspector_test.go Normal file
View file

@ -0,0 +1,191 @@
/*
Copyright 2023 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package inspector
import (
"errors"
"fmt"
"testing"
networking "k8s.io/api/networking/v1"
)
var (
exact = networking.PathTypeExact
prefix = networking.PathTypePrefix
)
var (
validIngress = &networking.Ingress{
Spec: networking.IngressSpec{
Rules: []networking.IngressRule{
{
IngressRuleValue: networking.IngressRuleValue{
HTTP: &networking.HTTPIngressRuleValue{
Paths: []networking.HTTPIngressPath{
{
Path: "/test",
},
{
PathType: &prefix,
Path: "/xpto/ab0/x_ss-9",
},
{
PathType: &exact,
Path: "/bla/",
},
},
},
},
},
},
},
}
emptyIngress = &networking.Ingress{
Spec: networking.IngressSpec{
Rules: []networking.IngressRule{
{
IngressRuleValue: networking.IngressRuleValue{
HTTP: &networking.HTTPIngressRuleValue{
Paths: []networking.HTTPIngressPath{
{
PathType: &exact,
},
},
},
},
},
},
},
}
invalidIngress = &networking.Ingress{
Spec: networking.IngressSpec{
Rules: []networking.IngressRule{
{
IngressRuleValue: networking.IngressRuleValue{
HTTP: &networking.HTTPIngressRuleValue{
Paths: []networking.HTTPIngressPath{
{
PathType: &exact,
Path: "/foo.+",
},
{
PathType: &exact,
Path: "xpto/lala",
},
{
PathType: &exact,
Path: "/xpto/lala",
},
{
PathType: &prefix,
Path: "/foo/bar/[a-z]{3}",
},
{
PathType: &prefix,
Path: "/lala/xp\ntest",
},
},
},
},
},
},
},
}
validImplSpecific = &networking.Ingress{
Spec: networking.IngressSpec{
Rules: []networking.IngressRule{
{
IngressRuleValue: networking.IngressRuleValue{
HTTP: &networking.HTTPIngressRuleValue{
Paths: []networking.HTTPIngressPath{
{
PathType: &implSpecific,
Path: "/foo.+",
},
{
PathType: &implSpecific,
Path: "xpto/lala",
},
},
},
},
},
},
},
}
)
var aErr = func(s, pathType string) error {
return fmt.Errorf("path %s cannot be used with pathType %s", s, pathType)
}
func TestValidatePathType(t *testing.T) {
tests := []struct {
name string
ing *networking.Ingress
wantErr bool
err error
}{
{
name: "nil should return an error",
ing: nil,
wantErr: true,
err: fmt.Errorf("received null ingress"),
},
{
name: "valid should not return an error",
ing: validIngress,
wantErr: false,
},
{
name: "empty should not return an error",
ing: emptyIngress,
wantErr: false,
},
{
name: "empty should not return an error",
ing: validImplSpecific,
wantErr: false,
},
{
name: "invalid should return multiple errors",
ing: invalidIngress,
wantErr: true,
err: errors.Join(
aErr("/foo.+", "Exact"),
aErr("xpto/lala", "Exact"),
aErr("/foo/bar/[a-z]{3}", "Prefix"),
aErr("/lala/xp\ntest", "Prefix"),
),
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := ValidatePathType(tt.ing)
if (err != nil) != tt.wantErr {
t.Errorf("ValidatePathType() error = %v, wantErr %v", err, tt.wantErr)
}
if (err != nil && tt.err != nil) && tt.err.Error() != err.Error() {
t.Errorf("received invalid error: want = %v, expected %v", tt.err, err)
}
})
}
}

8
internal/ingress/inspector/rules.go
View file

@ -28,6 +28,14 @@ var (
invalidSecretsDir = regexp.MustCompile(`/var/run/secrets`)
invalidByLuaDirective = regexp.MustCompile(`.*_by_lua.*`)
// validPathType enforces alphanumeric, -, _ and / characters.
// The field (?i) turns this regex case insensitive
// The remaining regex says that the string must start with a "/" (^/)
// the group [[:alnum:]\_\-\/]* says that any amount of characters (A-Za-z0-9), _, - and /
// are accepted until the end of the line
// Nothing else is accepted.
validPathType = regexp.MustCompile(`(?i)^/[[:alnum:]\_\-\/]*$`)
invalidRegex = []regexp.Regexp{}
)