Validate path types (#9967)

* Validate path types * Fix the year of header * Update internal/ingress/controller/config/config.go Co-authored-by: Jintao Zhang <tao12345666333@163.com> --------- Co-authored-by: Jintao Zhang <tao12345666333@163.com>
2023-05-20 08:58:18 -03:00 · 2023-05-20 08:58:18 -03:00 · c540b58474
commit c540b58474
parent 0dd1cf7460
7 changed files with 296 additions and 0 deletions
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@ -830,6 +830,12 @@ type Configuration struct {
 	// http://nginx.org/en/docs/ngx_core_module.html#debug_connection
 	// Default: ""
 	DebugConnections []string `json:"debug-connections"`
+
+	// StrictValidatePathType enable the strict validation of Ingress Paths
+	// It enforces that pathType of type Exact or Prefix should start with / and contain only
+	// alphanumeric chars, "-", "_", "/".In case of additional characters,
+	// like used on Rewrite configurations the user should use pathType as ImplementationSpecific
+	StrictValidatePathType bool `json:"strict-validate-path-type"`
 }

 // NewDefault returns the default nginx configuration
@ -1002,6 +1008,7 @@ func NewDefault() Configuration {
 		GlobalRateLimitMemcachedPoolSize:       50,
 		GlobalRateLimitStatucCode:              429,
 		DebugConnections:                       []string{},
+		StrictValidatePathType:                 false, // TODO: This will be true in future releases
 	}

 	if klog.V(5).Enabled() {
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@ -270,11 +270,13 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 	if !ing.DeletionTimestamp.IsZero() {
 		return nil
 	}
+
 	if n.cfg.DeepInspector {
 		if err := inspector.DeepInspect(ing); err != nil {
 			return fmt.Errorf("invalid object: %w", err)
 		}
 	}
+
 	// Do not attempt to validate an ingress that's not meant to be controlled by the current instance of the controller.
 	if ingressClass, err := n.store.GetIngressClass(ing, n.cfg.IngressClassConfiguration); ingressClass == "" {
 		klog.Warningf("ignoring ingress %v in %v based on annotation %v: %v", ing.Name, ing.ObjectMeta.Namespace, ingressClass, err)
@ -293,6 +295,13 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 	cfg := n.store.GetBackendConfiguration()
 	cfg.Resolver = n.resolver

+	// Adds the pathType Validation
+	if cfg.StrictValidatePathType {
+		if err := inspector.ValidatePathType(ing); err != nil {
+			return fmt.Errorf("ingress contains invalid paths: %w", err)
+		}
+	}
+
 	var arrayBadWords []string

 	if cfg.AnnotationValueWordBlocklist != "" {