Fix vulnerability in Regex

.github/workflows/docker-build-publish.yaml

@@ -137,7 +137,7 @@ jobs:
           echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \
             jq -r .
           echo ${{ toJSON(steps.sysdig.outputs.violation_report) }} | \
-            jq -r .cis_docker_benchmark_violation_report[].violations[] | \
+            jq -r '.cis_docker_benchmark_violation_report[] | select(true) | .violations[]' | \
             wc -l | \
             xargs -I% test 0 -eq %
 
@@ -226,4 +226,4 @@ jobs:
         name: Test Docker image
         id: test_docker
         run: |
-          docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} --version
+          docker run --rm ${{ fromJSON(steps.meta.outputs.json).tags[0] }} -version

.gitignore

@@ -4,6 +4,10 @@
 *.so
 *.dylib
 
+# IDE
+.idea*
+.vscode*
+
 # Test binary, build with `go test -c`
 *.test
 

Dockerfile

@@ -1,8 +1,8 @@
-FROM golang:1.18-alpine AS base
+FROM golang:1.20-alpine AS base
 
 RUN set -eux \
     && apk --no-cache add ca-certificates \
-    && apk --no-cache add --virtual build-dependencies cmake g++ make unzip curl upx git
+    && apk --no-cache add --virtual build-dependencies cmake g++ make unzip curl git libcap
 
 WORKDIR ${GOPATH}/src/github.com/AthenZ/garm
 
@@ -30,7 +30,10 @@ RUN BUILD_TIME=$(date -u +%Y%m%d-%H%M%S) \
     GOARCH=$(go env GOARCH) \
     GO111MODULE=on \
     go build -ldflags "-s -w -linkmode 'external' -extldflags '-static -fPIC -m64 -pthread -std=c++11 -lstdc++' -X 'main.Version=${APP_VERSION} at ${BUILD_TIME} by ${GO_VERSION}'" -a -tags "cgo netgo" -installsuffix "cgo netgo" -o "${APP_NAME}" \
-    && upx --best -o "/usr/bin/${APP_NAME}" "${APP_NAME}"
+    && mv "${APP_NAME}" "/usr/bin/${APP_NAME}"
+
+# allow well-known port binding
+RUN setcap 'cap_net_bind_service=+ep' "/usr/bin/${APP_NAME}"
 
 RUN apk del build-dependencies --purge \
     && rm -rf "${GOPATH}"

MAINTAINERS

@@ -17,3 +17,7 @@
 # Seitaro Suno
 # Yahoo Japan Corporation
 # @ssunorz
+
+# Jeongwoo Kim
+# Yahoo Japan Corporation
+# @mlajkim

config/config.go

@@ -21,6 +21,8 @@ import (
 	"regexp"
 	"strings"
 	"sync"
+	"github.com/kpango/glg"
+	assertion "github.com/AthenZ/athenz-authorizer/v5/policy"
 
 	"github.com/pkg/errors"
 	webhook "github.com/yahoo/k8s-athenz-webhook"
@@ -29,7 +31,12 @@ import (
 
 const (
 	// currentVersion represents the configuration version.
-	currentVersion = "v2.0.0"
+	currentVersion string = "v2.0.0"
+	// Choose the delimiter that RequestInfo's verb, namespace, API Group, Resource and Name CANNOT use.
+	// i.e) If end user can set its resource name with hyphens, we cannot use hyphen as delimiter.
+	// This will wrongfully grant access to privileged actions like DELETE or POST
+	// for resources with hyphens in their names when minimum access rights such as GET is given.
+	delimiter string = ","
 )
 
 // Config represents an application configuration content (config.yaml).
@@ -256,11 +263,10 @@ type RequestInfo struct {
 	once *sync.Once
 }
 
-// Serialize returns RequestInfo in string format.
-// 1. replacedAPIGroup = replace `. => _` in r.APIGroup
-// 2. output format: `${r.Verb}-${r.Namespace}-${replacedAPIGroup}-${r.Resource}-${r.Name}`
+// Returns RequestInfo in string, separated by the delimiter.
+// API Group's periods will be replaced with underscores.
 func (r *RequestInfo) Serialize() string {
-	return strings.Join([]string{r.Verb, r.Namespace, strings.Replace(r.APIGroup, ".", "_", -1), r.Resource, r.Name}, "-")
+	return strings.Join([]string{r.Verb, r.Namespace, r.APIGroup, r.Resource, r.Name}, delimiter)
 }
 
 // Match checks if the given RequestInfo matches with the regular expression in this RequestInfo.
@@ -273,10 +279,16 @@ func (r *RequestInfo) Match(req RequestInfo) bool {
 		r.once = new(sync.Once)
 	}
 	r.once.Do(func() {
-		r.reg = regexp.MustCompile(strings.Replace(strings.Replace(r.Serialize(), "*", ".*", -1), "..*", ".*", -1))
+		ass, err := assertion.NewAssertion("", ":"+r.Serialize(), "")
+		if err != nil {
+			glg.Error(err)
+			r.reg = regexp.MustCompile("")
+		} else {
+			r.reg = ass.ResourceRegexp
+		}
 	})
 
-	return r.reg.Copy().MatchString(req.Serialize())
+	return r.reg.Copy().MatchString(strings.ToLower(req.Serialize()))
 }
 
 // New returns the decoded configuration YAML file as *Config struct. Returns non-nil error if any.

config/config_test.go

@@ -46,7 +46,7 @@ func Test_requestInfo_Serialize(t *testing.T) {
 					Name:      "dummyName",
 				},
 			},
-			want: "dummyVerb-dummyNamespace-dummyAPIGroup-dummyResource-dummyName",
+			want: "dummyVerb,dummyNamespace,dummyAPIGroup,dummyResource,dummyName",
 		},
 		{
 			name: "Check serialize with replace API group",
@@ -59,7 +59,7 @@ func Test_requestInfo_Serialize(t *testing.T) {
 					Name:      "dummyName",
 				},
 			},
-			want: "dummyVerb-dummyNamespace-dummy_APIGroup-dummyResource-dummyName",
+			want: "dummyVerb,dummyNamespace,dummy.APIGroup,dummyResource,dummyName",
 		},
 	}
 	for _, tt := range tests {
@@ -195,6 +195,33 @@ func Test_requestInfo_Match(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "Check if hyphen is not used for delimiter",
+			fields: fields{
+				req: RequestInfo{
+					Verb:      "get",
+					Namespace: "kube-system",
+					APIGroup:  "garm",
+					Resource:  "pods",
+					Name:      "*",
+
+					/*reg: func() *regexp.Regexp {
+						reg, _ := regexp.Compile("dummy")
+						return reg
+					}(),*/
+				},
+			},
+			args: args{
+				req: RequestInfo{
+					Verb:      "create",
+					Namespace: "kube-system",
+					APIGroup:  "garm",
+					Resource:  "pods",
+					Name:      "get-kube-system-garm-pods-test",
+				},
+			},
+			want: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

go.mod

@@ -1,6 +1,6 @@
 module github.com/AthenZ/garm/v2
 
-go 1.18
+go 1.20
 
 replace (
 	github.com/AthenZ/athenz => github.com/AthenZ/athenz v1.11.23
@@ -9,35 +9,49 @@ replace (
 )
 
 require (
-	github.com/AthenZ/athenz v1.11.23
-	github.com/kpango/glg v1.6.14
+	github.com/AthenZ/athenz v1.11.26
+	github.com/kpango/glg v1.6.15
 	github.com/pkg/errors v0.9.1
 	github.com/yahoo/k8s-athenz-webhook v0.1.5-0.20230310225932-073f1a05c41a
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.26.3
 )
 
 require (
+	github.com/AthenZ/athenz-authorizer/v5 v5.5.1 // indirect
 	github.com/ardielle/ardielle-go v1.5.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kpango/fastime v1.1.6 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.4 // indirect
+	github.com/kpango/fastime v1.1.9 // indirect
+	github.com/kpango/gache v1.2.8 // indirect
+	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.1 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/jwx v1.2.25 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/yahoo/athenz v1.9.31 // indirect
 	github.com/yahoo/k8s-athenz-syncer v0.1.8 // indirect
-	golang.org/x/net v0.7.0 // indirect
+	github.com/zeebo/xxh3 v1.0.2 // indirect
+	golang.org/x/crypto v0.8.0 // indirect
+	golang.org/x/net v0.9.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/term v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/sys v0.7.0 // indirect
+	golang.org/x/term v0.7.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect