Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth TLS: Improve redirect RegEx. #12249

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Auth TLS: Improve redirect RegEx. #12249

wants to merge 1 commit into from

Conversation

strongjz
Copy link
Member

What this PR does / why we need it:

fixes #12205

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • CVE Report (Scanner found CVE and adding report)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation only

Which issue/s this PR fixes

How Has This Been Tested?

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have added unit and/or e2e tests to cover my changes.
  • All new and existing tests passed.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 28, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: strongjz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@strongjz strongjz changed the title supdate the regex to fix matching issue update the regex to fix matching issue Oct 28, 2024
@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 28, 2024
@netlify Netlify
Copy link

netlify bot commented Oct 28, 2024
edited
Loading

Deploy Preview for kubernetes-ingress-nginx canceled.

Name Link
🔨 Latest commit 7bc06ce
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-ingress-nginx/deploys/672013b41525360008fc670c

Gacko
Gacko reviewed Oct 29, 2024
View reviewed changes
Copy link
Member

@Gacko Gacko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/retitle Auth TLS: Improve redirect RegEx.
/triage accepted
/kind bug
/priority backlog

@k8s-ci-robot k8s-ci-robot changed the title update the regex to fix matching issue Auth TLS: Improve redirect RegEx. Oct 29, 2024
@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority labels Oct 29, 2024
Gacko
Gacko requested changes Oct 29, 2024
View reviewed changes
internal/ingress/annotations/authtls/main.go
@@ -42,7 +42,7 @@ const (

var (
authVerifyClientRegex = regexp.MustCompile(`^(on|off|optional|optional_no_ca)$`)
redirectRegex = regexp.MustCompile(`^((https?://)?[A-Za-z0-9\-.]*(:\d+)?/[A-Za-z0-9\-.]*)?$`)
redirectRegex = regexp.MustCompile(`^(?:https?://)?(?:\b\w+\b)?(?:/\w+)*/?$`)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain the use of ?: here? As far as I can tell we are not capturing anything here, just checking if the value matches.

Also \w is not the same as [A-Za-z0-9\-.]. The former does not include dashes nor periods, it only matches [a-zA-Z0-9_]. Additionally the new RegEx does not cover ports in the host part.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gacko Gacko Gacko requested changes

@puerco puerco Awaiting requested review from puerco

@tao12345666333 tao12345666333 Awaiting requested review from tao12345666333

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feedback1 on annotation validation
3 participants
@strongjz @k8s-ci-robot @Gacko