From 8ad57f86fe221424a7001852b5deccf8ebc4eb4d Mon Sep 17 00:00:00 2001
From: Marco Ebert
Date: Tue, 14 Jan 2025 15:38:27 +0100
Subject: [PATCH] Annotations: Quote `CertificateAuth.MatchCN`.

Reverts 698c3c0df104e5358fa7ff6871ef246fdd6ff44e.
---
 internal/ingress/annotations/authtls/main.go | 4 ++++
 internal/ingress/annotations/parser/validators.go | 5 -----
 internal/ingress/annotations/parser/validators_test.go | 5 -----
 rootfs/etc/nginx/template/nginx.tmpl | 2 +-
 4 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go
index de4d1cc1d8..3058e609cc 100644
--- a/internal/ingress/annotations/authtls/main.go
+++ b/internal/ingress/annotations/authtls/main.go
@@ -19,6 +19,7 @@ package authtls
 import (
 	"fmt"
 	"regexp"
+	"strings"
 
 	networking "k8s.io/api/networking/v1"
 
@@ -209,6 +210,9 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {
 		config.MatchCN = ""
 	}
 
+	// Escape double quotes.
+	config.MatchCN = strings.ReplaceAll(config.MatchCN, "\"", "\\\"")
+
 	return config, nil
 }
 
diff --git a/internal/ingress/annotations/parser/validators.go b/internal/ingress/annotations/parser/validators.go
index 3c724a3110..6709e1d74d 100644
--- a/internal/ingress/annotations/parser/validators.go
+++ b/internal/ingress/annotations/parser/validators.go
@@ -79,8 +79,6 @@ var (
 	// URLWithNginxVariableRegex defines a url that can contain nginx variables.
 	// It is a risky operation
 	URLWithNginxVariableRegex = regexp.MustCompile("^[" + extendedAlphaNumeric + urlEnabledChars + "$]*$")
-	// MaliciousRegex defines chars that are known to inject RCE
-	MaliciousRegex = regexp.MustCompile(`\r|\n`)
 )
 
 // ValidateArrayOfServerName validates if all fields on a Server name annotation are 
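Review bot: The escaping added before `return config, nil` in Parse handles only double quotes, so a MatchCN value that already contains a backslash reaches the quoted string in nginx.tmpl unchanged and the backslash keeps its escape meaning there: `\"` in the value becomes `\\"`, which nginx reads as a literal backslash followed by the closing quote, and a trailing `\` turns the closing quote into an escaped character and leaves the string unterminated. Escaping backslashes first closes that gap and, as far as I know nginx's config reader, keeps the regex intact because `\\` inside a double-quoted string is read back as a single `\`: `config.MatchCN = strings.NewReplacer("\\", "\\\\", "\"", "\\\"").Replace(config.MatchCN)`. The comment should then say why the escaping exists rather than what it does, e.g. `// Escape backslashes and double quotes so the value is safe inside the quoted string in nginx.tmpl.` Parse begins outside the hunk.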
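Review bot: Removing `MaliciousRegex` here, together with its use in the ValidateRegex hunk and the test case dropped from validators_test.go, takes away the one CR/LF check that applied to every annotation validated through ValidateRegex, so each caller's own pattern now has to exclude `\r` and `\n` by itself. The description says this reverts 698c3c0d but not why quoting MatchCN in nginx.tmpl makes the generic check unnecessary for the other annotations that go through ValidateRegex; that reasoning belongs in the commit message, and if it does not hold for all of them the check should stay alongside the new quoting as defence in depth. The `var (` block and ValidateRegex both start outside their hunks.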
@@ -115,9 +113,6 @@ func ValidateRegex(regex *regexp.Regexp, removeSpace bool) AnnotationValidator {
 		if !regex.MatchString(s) {
 			return fmt.Errorf("value %s is invalid", s)
 		}
-		if MaliciousRegex.MatchString(s) {
-			return fmt.Errorf("value %s contains malicious string", s)
-		}
 		return nil
 	}
 
diff --git a/internal/ingress/annotations/parser/validators_test.go b/internal/ingress/annotations/parser/validators_test.go
index 49923ba766..6c88342e43 100644
--- a/internal/ingress/annotations/parser/validators_test.go
+++ b/internal/ingress/annotations/parser/validators_test.go
@@ -65,11 +65,6 @@ func TestValidateArrayOfServerName(t *testing.T) {
 			value: "something.com,lolo;xpto.com,nothing.com",
 			wantErr: true,
 		},
-		{
-			name: "should deny names with malicous chars",
-			value: "http://something.com/#;\nournewinjection",
-			wantErr: true,
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index f32860dc29..b441428095 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -875,7 +875,7 @@ stream {
             {{ if not ( empty $server.CertificateAuth.MatchCN ) }}
             {{ if gt (len $server.CertificateAuth.MatchCN) 0 }}
-            if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
+            if ( $ssl_client_s_dn !~ "{{ $server.CertificateAuth.MatchCN }}" ) {
                 return 403 "client certificate unauthorized";
             }
             {{ end }}