Implement pathType validation (#9511)

2023-01-16 23:51:23 -03:00 · 2023-01-16 23:51:23 -03:00 · da98c744b9
commit da98c744b9
parent e6dcd6845e
15 changed files with 373 additions and 207 deletions
--- a/pkg/util/ingress/ingress.go
+++ b/pkg/util/ingress/ingress.go
@ -23,7 +23,6 @@ import (

 	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/k8s"
 	"k8s.io/ingress-nginx/internal/net/ssl"
 	"k8s.io/ingress-nginx/pkg/apis/ingress"
@ -31,15 +30,15 @@ import (
 )

 const (
-	alphaNumericChars = `\-\.\_\~a-zA-Z0-9/`
-	regexEnabledChars = `\^\$\[\]\(\)\{\}\*\+`
+	alphaNumericChars = `A-Za-z0-9\-\.\_\~\/` // This is the default allowed set on paths
 )

 var (
-	// pathAlphaNumeric is a regex validation of something like "^/[a-zA-Z]+$" on path
-	pathAlphaNumeric = regexp.MustCompile("^/[" + alphaNumericChars + "]*$").MatchString
-	// pathRegexEnabled is a regex validation of paths that may contain regex.
-	pathRegexEnabled = regexp.MustCompile("^/[" + alphaNumericChars + regexEnabledChars + "]*$").MatchString
+	// pathAlphaNumeric is a regex validation that allows only (0-9, a-z, A-Z, "-", ".", "_", "~", "/")
+	pathAlphaNumericRegex = regexp.MustCompile("^[" + alphaNumericChars + "]*$").MatchString
+
+	// default path type is Prefix to not break existing definitions
+	defaultPathType = networkingv1.PathTypePrefix
 )

 func GetRemovedHosts(rucfg, newcfg *ingress.Configuration) []string {
@ -247,12 +246,45 @@ func BuildRedirects(servers []*ingress.Server) []*redirect {
 	return redirectServers
 }

-// IsSafePath verifies if the path used in ingress object contains only valid characters.
-// It will behave differently if regex is enabled or not
-func IsSafePath(copyIng *networkingv1.Ingress, path string) bool {
-	isRegex, _ := parser.GetBoolAnnotation("use-regex", copyIng)
-	if isRegex {
-		return pathRegexEnabled(path)
+func ValidateIngressPath(copyIng *networkingv1.Ingress, disablePathTypeValidation bool, additionalChars string) error {
+
+	if copyIng == nil {
+		return nil
 	}
-	return pathAlphaNumeric(path)
+
+	escapedAdditionalChars := regexp.QuoteMeta(additionalChars)
+	regexPath, err := regexp.Compile("^[" + alphaNumericChars + escapedAdditionalChars + "]*$")
+	if err != nil {
+		return fmt.Errorf("ingress has misconfigured validation regex on configmap: %s - %w", additionalChars, err)
+	}
+
+	for _, rule := range copyIng.Spec.Rules {
+		if rule.HTTP == nil {
+			continue
+		}
+		if err := checkPath(rule.HTTP.Paths, disablePathTypeValidation, regexPath); err != nil {
+			return fmt.Errorf("error validating ingressPath: %w", err)
+		}
+	}
+	return nil
+}
+
+func checkPath(paths []networkingv1.HTTPIngressPath, disablePathTypeValidation bool, regexSpecificChars *regexp.Regexp) error {
+	for _, path := range paths {
+		if path.PathType == nil {
+			path.PathType = &defaultPathType
+		}
+
+		if disablePathTypeValidation || *path.PathType == networkingv1.PathTypeImplementationSpecific {
+			if !regexSpecificChars.MatchString(path.Path) {
+				return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType)
+			}
+			continue
+		}
+
+		if !pathAlphaNumericRegex(path.Path) {
+			return fmt.Errorf("path %s of type %s contains invalid characters", path.Path, *path.PathType)
+		}
+	}
+	return nil
 }