From d430e3a05df255e7d10a54a80709facdcdee74d9 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Thu, 18 Apr 2024 15:27:03 +0100 Subject: [PATCH 1/2] Fix invalid character in value & remove unused code --- internal/configs/configmaps.go | 16 ---------------- .../configs/version1/template_helper_test.go | 6 ++++++ internal/k8s/validation.go | 13 +++++++++++++ 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/internal/configs/configmaps.go b/internal/configs/configmaps.go index 7b07b19532e..fbcd63b68d2 100644 --- a/internal/configs/configmaps.go +++ b/internal/configs/configmaps.go @@ -3,8 +3,6 @@ package configs import ( "strings" - "github.com/nginxinc/kubernetes-ingress/internal/configs/version2" - "github.com/golang/glog" v1 "k8s.io/api/core/v1" @@ -68,20 +66,6 @@ func ParseConfigMap(cfgm *v1.ConfigMap, nginxPlus bool, hasAppProtect bool, hasA cfgParams.ProxyPassHeaders = proxyPassHeaders } - if proxySetHeaders, exists := GetMapKeyAsStringSlice(cfgm.Data, "proxy-set-headers", cfgm, ","); exists { - var headers []version2.Header - for _, headerAndValue := range proxySetHeaders { - parts := strings.SplitN(headerAndValue, " ", 2) - name := strings.TrimSpace(parts[0]) - var value string - if len(parts) > 1 { - value = strings.TrimSpace(parts[1]) - } - headers = append(headers, version2.Header{Name: name, Value: value}) - } - cfgParams.ProxySetHeaders = headers - } - if clientMaxBodySize, exists := cfgm.Data["client-max-body-size"]; exists { cfgParams.ClientMaxBodySize = clientMaxBodySize } diff --git a/internal/configs/version1/template_helper_test.go b/internal/configs/version1/template_helper_test.go index c93d0fc6d2b..ff1572d569a 100644 --- a/internal/configs/version1/template_helper_test.go +++ b/internal/configs/version1/template_helper_test.go 
@@ -588,6 +588,12 @@ func TestGenerateProxySetHeadersForInvalidHeadersForErrorsInMaster(t *testing.T) "nginx.org/proxy-set-headers": "X-Forwarded-ABC!,BVC§", }, }, + { + name: "Header Value With invalid Characters", + annotations: map[string]string{ + "nginx.org/proxy-set-headers": "X-Forwarded ABC$", + }, + }, { name: "Headers with invalid Format", annotations: map[string]string{ diff --git a/internal/k8s/validation.go b/internal/k8s/validation.go index 99ca873ccbd..595944db0fd 100644 --- a/internal/k8s/validation.go +++ b/internal/k8s/validation.go @@ -437,6 +437,19 @@ func validateProxySetHeaderAnnotation(context *annotationValidationContext) fiel value := strings.TrimSpace(parts[1]) + var invalidCharsList []string + invalidChars := []string{"{", "}", "$"} + for _, c := range invalidChars { + if strings.Contains(value, c) { + invalidCharsList = append(invalidCharsList, c) + } + } + + if len(invalidCharsList) > 0 { + msg := fmt.Sprintf("invalid character(s) in value: %s", strings.Join(invalidCharsList, ", ")) + allErrs = append(allErrs, field.Invalid(context.fieldPath, header, msg)) + } + if name == "" { allErrs = append(allErrs, field.Invalid(context.fieldPath, header, "empty header name: "+header)) continue From ac2133c0e7a8f1ffb87a1b6219bb17fa7eb9d459 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Thu, 18 Apr 2024 16:56:50 +0100 Subject: [PATCH 2/2] Simplify to allow for 1 restriction --- internal/k8s/validation.go | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/internal/k8s/validation.go b/internal/k8s/validation.go index 595944db0fd..153677c983c 100644 --- a/internal/k8s/validation.go +++ b/internal/k8s/validation.go 
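Review bot: The value check added to `validateProxySetHeaderAnnotation` in internal/k8s/validation.go gets no test of its own in this patch. The only test change in the diffstat is the new case in template_helper_test.go, and whether that test reaches the annotation validator is not visible here. A table case in the validator's own tests using the same annotation value, `"X-Forwarded ABC$"`, and asserting a `field.Invalid` error on the annotation path, would pin the behaviour where it is enforced. The new block also sits before the `if name == ""` guard and does not `continue`, so one entry can report both a value error and a name error; if that is intended, a short comment such as `// value errors are collected in addition to name errors for the same header` would say so. The function's body starts and ends outside the hunk.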
@@ -437,17 +437,8 @@ func validateProxySetHeaderAnnotation(context *annotationValidationContext) fiel value := strings.TrimSpace(parts[1]) - var invalidCharsList []string - invalidChars := []string{"{", "}", "$"} - for _, c := range invalidChars { - if strings.Contains(value, c) { - invalidCharsList = append(invalidCharsList, c) - } - } - - if len(invalidCharsList) > 0 { - msg := fmt.Sprintf("invalid character(s) in value: %s", strings.Join(invalidCharsList, ", ")) - allErrs = append(allErrs, field.Invalid(context.fieldPath, header, msg)) + if strings.Contains(value, "$") { + allErrs = append(allErrs, field.Invalid(context.fieldPath, header, "invalid character in value: $")) } if name == "" {
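Review bot: Narrowing the rejected set to `$` drops the `{` and `}` checks that the previous patch in this series introduced, and nothing in the hunk or the commit message records why those characters are now acceptable. If the header value is written into a generated NGINX directive (inferred from the annotation name; the template is not shown), then braces, `;`, quotes and line breaks affect the directive's structure just as `$` affects variable expansion, unless the template quotes or escapes the value. Either keep a small deny-list, or document the reasoning next to the check, for example `// '$' starts an NGINX variable reference; other metacharacters are neutralised by <where the template quotes the value>`. The enclosing function starts and ends outside the hunk.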