Annotations: Quote CertificateAuth.MatchCN.

Reverts 698c3c0.
kubernetes · Jan 14, 2025 · 393bffb · 393bffb
1 parent 9a65007
commit 393bffb
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 12 deletions.
diff --git a/TAG b/TAG
@@ -1 +1 @@
-v1.12.0
+v1.12.0-dev
diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go
@@ -19,6 +19,7 @@ package authtls
 import (
 	"fmt"
 	"regexp"
+	"strings"
 
 	networking "k8s.io/api/networking/v1"
 
@@ -209,6 +210,9 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {
 		config.MatchCN = ""
 	}
 
+	// Escape double quotes.
+	config.MatchCN = strings.ReplaceAll(config.MatchCN, "\"", "\\\"")
+
 	return config, nil
 }
 

diff --git a/internal/ingress/annotations/parser/validators.go b/internal/ingress/annotations/parser/validators.go
@@ -79,8 +79,6 @@ var (
 	// URLWithNginxVariableRegex defines a url that can contain nginx variables.
 	// It is a risky operation
 	URLWithNginxVariableRegex = regexp.MustCompile("^[" + extendedAlphaNumeric + urlEnabledChars + "$]*$")
-	// MaliciousRegex defines chars that are known to inject RCE
-	MaliciousRegex = regexp.MustCompile(`\r|\n`)
 )
 
 // ValidateArrayOfServerName validates if all fields on a Server name annotation are
@@ -115,9 +113,6 @@ func ValidateRegex(regex *regexp.Regexp, removeSpace bool) AnnotationValidator {
 		if !regex.MatchString(s) {
 			return fmt.Errorf("value %s is invalid", s)
 		}
-		if MaliciousRegex.MatchString(s) {
-			return fmt.Errorf("value %s contains malicious string", s)
-		}
 
 		return nil
 	}

diff --git a/internal/ingress/annotations/parser/validators_test.go b/internal/ingress/annotations/parser/validators_test.go
@@ -65,11 +65,6 @@ func TestValidateArrayOfServerName(t *testing.T) {
 			value:   "something.com,lolo;xpto.com,nothing.com",
 			wantErr: true,
 		},
-		{
-			name:    "should deny names with malicous chars",
-			value:   "http://something.com/#;\nournewinjection",
-			wantErr: true,
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -875,7 +875,7 @@ stream {
 
         {{ if not ( empty $server.CertificateAuth.MatchCN ) }}
         {{ if gt (len $server.CertificateAuth.MatchCN) 0 }}
-        if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
+        if ( $ssl_client_s_dn !~ "{{ $server.CertificateAuth.MatchCN }}" ) {
             return 403 "client certificate unauthorized";
         }
         {{ end }}