Annotations: Quote CertificateAuth.MatchCN.
Reverts 698c3c0.
Gacko committed Jan 14, 2025
1 parent 9a65007 commit 8ad57f8
Showing 4 changed files with 5 additions and 11 deletions.
4 changes: 4 additions & 0 deletions internal/ingress/annotations/authtls/main.go
Expand Up @@ -19,6 +19,7 @@ package authtls
import (
"fmt"
"regexp"
"strings"

networking "k8s.io/api/networking/v1"

Expand Down Expand Up @@ -209,6 +210,9 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {
config.MatchCN = ""
}

// Escape double quotes.
config.MatchCN = strings.ReplaceAll(config.MatchCN, "\"", "\\\"")

return config, nil
}

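Review bot: The escaping added at L30 handles only `"` and not `\`, so a MatchCN value that ends in a backslash, or that contains `\"`, still terminates the double-quoted string nginx.tmpl now wraps it in: nginx's config reader treats `\\` as an escaped backslash and `\"` as an escaped quote, so `a\"b` is emitted as `"a\\"b"` and the unescaped quote closes the string early, leaving the rest of the value as bare config tokens. Whether such values reach this line depends on the validation applied earlier in Parse, which is outside the hunk; if that validator admits `\`, escape backslashes first, e.g. `config.MatchCN = strings.NewReplacer("\\", "\\\\", "\"", "\\\"").Replace(config.MatchCN)`. Doubling the backslash is transparent to the regex, since nginx collapses `\\` back to `\` when it copies a quoted token. The why also deserves a comment, e.g. `// nginx.tmpl emits MatchCN inside a double-quoted string; escape the characters that would end it.` Parse begins before this hunk.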
5 changes: 0 additions & 5 deletions internal/ingress/annotations/parser/validators.go
Expand Up @@ -79,8 +79,6 @@ var (
// URLWithNginxVariableRegex defines a url that can contain nginx variables.
// It is a risky operation
URLWithNginxVariableRegex = regexp.MustCompile("^[" + extendedAlphaNumeric + urlEnabledChars + "$]*$")
// MaliciousRegex defines chars that are known to inject RCE
MaliciousRegex = regexp.MustCompile(`\r|\n`)
)

// ValidateArrayOfServerName validates if all fields on a Server name annotation are
Expand Down Expand Up @@ -115,9 +113,6 @@ func ValidateRegex(regex *regexp.Regexp, removeSpace bool) AnnotationValidator {
if !regex.MatchString(s) {
return fmt.Errorf("value %s is invalid", s)
}
if MaliciousRegex.MatchString(s) {
return fmt.Errorf("value %s contains malicious string", s)
}

return nil
}
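Review bot: With `MaliciousRegex` removed, the check at L48 rejects CR/LF only as far as the caller's pattern does. Go's `$` anchors at end of text unless `(?m)` is set, so `^[...]*$` patterns such as `URLWithNginxVariableRegex` at L41 still refuse embedded newlines, but any pattern handed to ValidateRegex without both anchors, or compiled with `(?s)`/`(?m)`, would now let them through into generated nginx config; I cannot see every caller from this hunk. That contract should be written down on the function, e.g. `// ValidateRegex relies on regex to exclude "\r" and "\n"; callers must pass a fully anchored pattern.`, and a newline case kept in TestValidateArrayOfServerName rather than dropped alongside the check. ValidateRegex's body continues outside the hunk.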
5 changes: 0 additions & 5 deletions internal/ingress/annotations/parser/validators_test.go
Expand Up @@ -65,11 +65,6 @@ func TestValidateArrayOfServerName(t *testing.T) {
value: "something.com,lolo;xpto.com,nothing.com",
wantErr: true,
},
{
name: "should deny names with malicous chars",
value: "http://something.com/#;\nournewinjection",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
2 changes: 1 addition & 1 deletion rootfs/etc/nginx/template/nginx.tmpl
Expand Up @@ -875,7 +875,7 @@ stream {

{{ if not ( empty $server.CertificateAuth.MatchCN ) }}
{{ if gt (len $server.CertificateAuth.MatchCN) 0 }}
if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
if ( $ssl_client_s_dn !~ "{{ $server.CertificateAuth.MatchCN }}" ) {
return 403 "client certificate unauthorized";
}
{{ end }}
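Review bot: The guard `{{ if gt (len $server.CertificateAuth.MatchCN) 0 }}` at L78 duplicates the `{{ if not ( empty ... ) }}` at L77: if `empty` here is sprig's, it is true for a string exactly when its length is zero, so the inner condition can never differ from the outer one and one of the two `{{ end }}`s can go with it. Quoting the value at L80 only keeps the `if` condition intact as long as the Go side escapes every character nginx treats specially inside `"..."` — both `"` and `\` — so this line is only as safe as that escaping; a one-line comment such as `# MatchCN is escaped for double quotes in annotations/authtls` would tell the next editor where that guarantee lives. The matching `{{ end }}` for the outer guard is outside the hunk.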