Disable user snippets per default (#10393)

* Disable user snippets per default

* Enable snippet on tests
Ricardo Katz 2023-09-11 00:02:10 -03:00 committed by GitHub
parent 2d03da6334
commit cf889c6c47
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
35 changed files with 494 additions and 288 deletions


@ -32,7 +32,7 @@ import (
const (
fastCGIIndexAnnotation = "fastcgi-index"
fastCGIParamsAnnotation = "fastcgi-params-configmap"
fastCGIParamsAnnotation = "fastcgi-params-configmap" //#nosec G101
)
// fast-cgi valid parameters is just a single file name (like index.php)
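Review bot: The `//#nosec G101` added to `fastCGIParamsAnnotation` suppresses the hard-coded-credential check without saying why, so a later reader cannot tell a reviewed false positive from a silenced finding. gosec accepts a justification after the rule id, for example `// #nosec G101 -- annotation name, not a credential`. The same applies to the suppressions this commit adds on `proxyMaxTempFileSizeAnnotation`, `PrometheusNamespace` and `fakeCertificateName`.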


@ -67,7 +67,7 @@ func TestParse(t *testing.T) {
Spec: networking.IngressSpec{},
}
for _, testCase := range testCases {
for i, testCase := range testCases {
ing.SetAnnotations(testCase.annotations)
result, err := ap.Parse(ing)
if err != nil {
@ -77,7 +77,7 @@ func TestParse(t *testing.T) {
if !ok {
t.Errorf("unexpected type: %T", result)
}
if !config.Equal(&testCase.expected) {
if !config.Equal(&testCases[i].expected) {
t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations)
}
}
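Review bot: Switching from `&testCase.expected` to `&testCases[i].expected` leaves the loop reading the same element two ways (`testCase.annotations` next to `testCases[i].expected`), with nothing saying why the index is needed. A one-line comment such as `// index the slice instead of taking the address of the range variable` would keep a later cleanup from reverting it; presumably the change satisfies a linter's range-variable aliasing check, which the page does not state. The same pattern appears in the second `TestParse` loop and in `createUpstreams` and `ingressForHostPath`; of those, only the `append` in `ingressForHostPath` visibly stores the pointer beyond the iteration, so that is the place where aliasing could actually matter. TestParse's body starts outside the hunk.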


@ -42,7 +42,7 @@ const (
proxyRedirectToAnnotation = "proxy-redirect-to"
proxyBufferingAnnotation = "proxy-buffering"
proxyHTTPVersionAnnotation = "proxy-http-version"
proxyMaxTempFileSizeAnnotation = "proxy-max-temp-file-size"
proxyMaxTempFileSizeAnnotation = "proxy-max-temp-file-size" //#nosec G101
)
var validUpstreamAnnotation = regexp.MustCompile(`^((error|timeout|invalid_header|http_500|http_502|http_503|http_504|http_403|http_404|http_429|non_idempotent|off)\s?)+$`)


@ -64,13 +64,13 @@ func TestParse(t *testing.T) {
Spec: networking.IngressSpec{},
}
for _, testCase := range testCases {
for i, testCase := range testCases {
ing.SetAnnotations(testCase.annotations)
result, err := ap.Parse(ing)
if (err != nil) != testCase.expectErr {
t.Fatalf("expected error: %t got error: %t err value: %s. %+v", testCase.expectErr, err != nil, err, testCase.annotations)
}
if !reflect.DeepEqual(result, &testCase.expected) {
if !reflect.DeepEqual(result, &testCases[i].expected) {
t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations)
}
}


@ -865,7 +865,7 @@ func NewDefault() Configuration {
defGlobalExternalAuth := GlobalExternalAuth{"", "", "", "", "", append(defResponseHeaders, ""), "", "", "", []string{}, map[string]string{}, false}
cfg := Configuration{
AllowSnippetAnnotations: true,
AllowSnippetAnnotations: false,
AllowCrossNamespaceResources: true,
AllowBackendServerHeader: false,
AnnotationValueWordBlocklist: "",
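Review bot: The flipped default `AllowSnippetAnnotations: false` in `NewDefault` carries no comment explaining why, and it changes behaviour for any cluster that upgrades without setting the option explicitly. A comment on the field, for example `// snippet annotations place raw NGINX configuration from Ingress objects into the generated config; opt-in only`, would record the reasoning next to the value. Whether the upgrade impact is documented among the other changed files cannot be told from this section, so it is worth confirming that the release notes tell operators that Ingresses relying on snippet annotations are affected unless the option is enabled. `AllowCrossNamespaceResources: true` on the following line stays permissive and may deserve the same review. NewDefault's body continues outside the hunk.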


@ -1057,7 +1057,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
continue
}
for _, path := range rule.HTTP.Paths {
for i, path := range rule.HTTP.Paths {
if path.Backend.Service == nil {
// skip non-service backends
klog.V(3).Infof("Ingress %q and path %q does not contain a service backend, using default backend", ingKey, path.Path)
@ -1087,7 +1087,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
// add the service ClusterIP as a single Endpoint instead of individual Endpoints
if anns.ServiceUpstream {
endpoint, err := n.getServiceClusterEndpoint(svcKey, &path.Backend)
endpoint, err := n.getServiceClusterEndpoint(svcKey, &rule.HTTP.Paths[i].Backend)
if err != nil {
klog.Errorf("Failed to determine a suitable ClusterIP Endpoint for Service %q: %v", svcKey, err)
} else {
@ -1844,7 +1844,7 @@ func ingressForHostPath(hostname, path string, servers []*ingress.Server) []*net
continue
}
for _, location := range server.Locations {
for i, location := range server.Locations {
if location.Path != path {
continue
}
@ -1853,7 +1853,7 @@ func ingressForHostPath(hostname, path string, servers []*ingress.Server) []*net
continue
}
ingresses = append(ingresses, &location.Ingress.Ingress)
ingresses = append(ingresses, &server.Locations[i].Ingress.Ingress)
}
}


@ -17,4 +17,4 @@ limitations under the License.
package collectors
// PrometheusNamespace default metric namespace
var PrometheusNamespace = "nginx_ingress_controller"
var PrometheusNamespace = "nginx_ingress_controller" //#nosec G101


@ -55,7 +55,7 @@ var FakeSSLCertificateUID = "00000000-0000-0000-0000-000000000000"
var oidExtensionSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
const (
fakeCertificateName = "default-fake-certificate"
fakeCertificateName = "default-fake-certificate" //#nosec G101
)
// getPemFileName returns absolute file path and file name of pem cert related to given fullSecretName