Annotations: Deny newlines.

kubernetes · Jan 9, 2025 · 6ff8954 · 6ff8954
1 parent 1ece0dd
commit 6ff8954
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/internal/ingress/annotations/parser/validators.go b/internal/ingress/annotations/parser/validators.go
@@ -79,6 +79,8 @@ var (
 	// URLWithNginxVariableRegex defines a url that can contain nginx variables.
 	// It is a risky operation
 	URLWithNginxVariableRegex = regexp.MustCompile("^[" + extendedAlphaNumeric + urlEnabledChars + "$]*$")
+	// MaliciousRegex defines chars that are known to inject RCE
+	MaliciousRegex = regexp.MustCompile(`\r|\n`)
 )
 
 // ValidateArrayOfServerName validates if all fields on a Server name annotation are
@@ -113,6 +115,10 @@ func ValidateRegex(regex *regexp.Regexp, removeSpace bool) AnnotationValidator {
 		if !regex.MatchString(s) {
 			return fmt.Errorf("value %s is invalid", s)
 		}
+		if MaliciousRegex.MatchString(s) {
+			return fmt.Errorf("value %s contains malicious string", s)
+		}
+
 		return nil
 	}
 }

diff --git a/internal/ingress/annotations/parser/validators_test.go b/internal/ingress/annotations/parser/validators_test.go
@@ -65,6 +65,11 @@ func TestValidateArrayOfServerName(t *testing.T) {
 			value:   "something.com,lolo;xpto.com,nothing.com",
 			wantErr: true,
 		},
+		{
+			name:    "should deny names with malicous chars",
+			value:   "http://something.com/#;\nournewinjection",
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {