Annotations: Quote CertificateAuth.MatchCN.
Reverts 698c3c0.
Gacko committed Jan 17, 2025
1 parent 65e2534 commit 71ac263
Showing 4 changed files with 2 additions and 12 deletions.
2 changes: 1 addition & 1 deletion TAG
@@ -1 +1 @@
v1.12.0
v1.12.0-dev
5 changes: 0 additions & 5 deletions internal/ingress/annotations/parser/validators.go
@@ -79,8 +79,6 @@ var (
// URLWithNginxVariableRegex defines a url that can contain nginx variables.
// It is a risky operation
URLWithNginxVariableRegex = regexp.MustCompile("^[" + extendedAlphaNumeric + urlEnabledChars + "$]*$")
// MaliciousRegex defines chars that are known to inject RCE
MaliciousRegex = regexp.MustCompile(`\r|\n`)
)

// ValidateArrayOfServerName validates if all fields on a Server name annotation are
@@ -115,9 +113,6 @@ func ValidateRegex(regex *regexp.Regexp, removeSpace bool) AnnotationValidator {
if !regex.MatchString(s) {
return fmt.Errorf("value %s is invalid", s)
}
if MaliciousRegex.MatchString(s) {
return fmt.Errorf("value %s contains malicious string", s)
}

return nil
}
5 changes: 0 additions & 5 deletions internal/ingress/annotations/parser/validators_test.go
@@ -65,11 +65,6 @@ func TestValidateArrayOfServerName(t *testing.T) {
value: "something.com,lolo;xpto.com,nothing.com",
wantErr: true,
},
{
name: "should deny names with malicous chars",
value: "http://something.com/#;\nournewinjection",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
2 changes: 1 addition & 1 deletion rootfs/etc/nginx/template/nginx.tmpl
@@ -875,7 +875,7 @@ stream {

{{ if not ( empty $server.CertificateAuth.MatchCN ) }}
{{ if gt (len $server.CertificateAuth.MatchCN) 0 }}
if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN | quote }} ) {
return 403 "client certificate unauthorized";
}
{{ end }}
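Review bot: The `| quote` on the `if ( $ssl_client_s_dn !~ … )` line is the only guard visible in this commit for `CertificateAuth.MatchCN`, because the same commit deletes the `\r|\n` rejection from `ValidateRegex` along with its test case, and nothing here exercises the rendered output. Assuming `quote` is the template's Go-style string-quoting helper, its escaping rules are not guaranteed to match nginx's own string parsing, so I would add a template rendering test that feeds this block a value containing a double quote, a backslash and a line break and asserts the directive still renders as one quoted argument. A comment above the line would record the invariant, e.g. `{{/* MatchCN comes from an annotation; keep it quoted so nginx parses it as a single regex argument */}}`. The nested guards `not ( empty … )` and `gt (len …) 0` look redundant and could be collapsed into one, though the enclosing block starts and ends outside this hunk.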
