
Annotations: Deny newlines.
strongjz authored and k8s-infra-cherrypick-robot committed Jan 10, 2025
1 parent f2fdfd5 commit 426d26b
Showing 2 changed files with 11 additions and 0 deletions.
6 changes: 6 additions & 0 deletions internal/ingress/annotations/parser/validators.go
Expand Up @@ -79,6 +79,8 @@ var (
// URLWithNginxVariableRegex defines a url that can contain nginx variables.
// It is a risky operation
URLWithNginxVariableRegex = regexp.MustCompile("^[" + extendedAlphaNumeric + urlEnabledChars + "$]*$")
// MaliciousRegex defines chars that are known to inject RCE
MaliciousRegex = regexp.MustCompile(`\r|\n`)
)

// ValidateArrayOfServerName validates if all fields on a Server name annotation are
Expand Down Expand Up @@ -113,6 +115,10 @@ func ValidateRegex(regex *regexp.Regexp, removeSpace bool) AnnotationValidator {
if !regex.MatchString(s) {
return fmt.Errorf("value %s is invalid", s)
}
if MaliciousRegex.MatchString(s) {
return fmt.Errorf("value %s contains malicious string", s)
}

return nil
}
}
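Review bot: The rejection error added after the regex match interpolates the raw value with `%s`, so the CR/LF that triggered the rejection is copied verbatim into the error string, and whatever logs or surfaces that error (events, admission responses) receives the attacker-controlled line break anyway; quote it instead: `return fmt.Errorf("value %q contains malicious string", s)`, and the existing `"value %s is invalid"` line above it deserves the same treatment. Because the check runs after `regex.MatchString`, it only matters for validators whose pattern admits whitespace or is not anchored with `^…$` (in Go's RE2 syntax `$` matches only at end of text unless the `m` flag is set), so a comment on `MaliciousRegex` such as `// Defence in depth: rejects CR/LF even when the caller's regex admits whitespace.` would make its role clear. The closure returned by ValidateRegex begins outside this hunk, so whether `s` has already been trimmed or lowercased before this point is not visible here.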
5 changes: 5 additions & 0 deletions internal/ingress/annotations/parser/validators_test.go
Expand Up @@ -65,6 +65,11 @@ func TestValidateArrayOfServerName(t *testing.T) {
value: "something.com,lolo;xpto.com,nothing.com",
wantErr: true,
},
{
name: "should deny names with malicous chars",
value: "http://something.com/#;\nournewinjection",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
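Review bot: The new test case does not isolate the newline check: its value `http://something.com/#;\nournewinjection` also contains `;`, `/`, `:` and `#`, and the case directly above already shows that a `;` alone makes the server-name validation fail, so this case would pass even if `\n` were never rejected. Use a value that is valid apart from the line break, e.g. `value: "something.com\nxpto.com"`, and add a `\r` variant since `MaliciousRegex` covers both. The case name also has a typo: `name: "should deny names with malicious chars"`. Whether ValidateArrayOfServerName actually routes through ValidateRegex is not visible in this diff, so a case in a dedicated TestValidateRegex would pin the new behaviour more directly.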
