From b22ae630bcf62115fe16895c8928aa5dbd6f0339 Mon Sep 17 00:00:00 2001
From: Leonardo Ramos dos Santos
Date: Wed, 23 Apr 2025 13:23:02 +0100
Subject: [PATCH] Use PCRE on proxy redirect property
---
 .../ingress/annotations/parser/validators.go | 2 ++
 internal/ingress/annotations/proxy/main.go | 4 ++--
 test/e2e/annotations/proxy.go | 17 +++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/internal/ingress/annotations/parser/validators.go b/internal/ingress/annotations/parser/validators.go
index 3c724a3110..7da86bee84 100644
--- a/internal/ingress/annotations/parser/validators.go
+++ b/internal/ingress/annotations/parser/validators.go
@@ -79,6 +79,8 @@ var (
 // URLWithNginxVariableRegex defines a url that can contain nginx variables.
 // It is a risky operation
 URLWithNginxVariableRegex = regexp.MustCompile("^[" + extendedAlphaNumeric + urlEnabledChars + "$]*$")
+ // Used for NGINX properties that accepts URLs with PCRE regex
+ URLWithPCRERegex = regexp.MustCompile("^[" + regexEnabledChars + alphaNumericChars + urlEnabledChars + "]*$")
 // MaliciousRegex defines chars that are known to inject RCE
 MaliciousRegex = regexp.MustCompile(`\r|\n`)
 )
diff --git a/internal/ingress/annotations/proxy/main.go b/internal/ingress/annotations/proxy/main.go
index aaa093eafd..855ee23bec 100644
--- a/internal/ingress/annotations/proxy/main.go
+++ b/internal/ingress/annotations/proxy/main.go
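Review bot: The new `URLWithPCRERegex` in the validators.go hunk is only a per-character allow-list, and its comment neither names the characters it admits nor marks the value as risky, unlike the `URLWithNginxVariableRegex` comment just above it. `regexEnabledChars`, `alphaNumericChars` and `urlEnabledChars` are defined outside the hunk; if `regexEnabledChars` admits `{`, `}` or `\`, those are nginx configuration syntax as well as regex syntax, and the e2e test in this patch shows the value written unquoted into `proxy_redirect %s %s;`. I would confirm that the template quotes or escapes the value (or drop the braces from this class) and reword the comment as `// URLWithPCRERegex defines a url that can contain PCRE metacharacters and nginx variables. It is a risky operation`.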
@@ -134,13 +134,13 @@ var proxyAnnotations = parser.Annotation{
 Documentation: `This annotation enables or disables buffering of a client request body.`,
 },
 proxyRedirectFromAnnotation: {
- Validator: parser.ValidateRegex(parser.URLIsValidRegex, true),
+ Validator: parser.ValidateRegex(parser.URLWithPCRERegex, true),
 Scope: parser.AnnotationScopeLocation,
 Risk: parser.AnnotationRiskMedium,
 Documentation: `The annotations proxy-redirect-from and proxy-redirect-to will set the first and second parameters of NGINX's proxy_redirect directive respectively`,
 },
 proxyRedirectToAnnotation: {
- Validator: parser.ValidateRegex(parser.URLIsValidRegex, true),
+ Validator: parser.ValidateRegex(parser.URLWithPCRERegex, true),
 Scope: parser.AnnotationScopeLocation,
 Risk: parser.AnnotationRiskMedium,
 Documentation: `The annotations proxy-redirect-from and proxy-redirect-to will set the first and second parameters of NGINX's proxy_redirect directive respectively`,
diff --git a/test/e2e/annotations/proxy.go b/test/e2e/annotations/proxy.go
index 8e98660217..dc2c20667d 100644
--- a/test/e2e/annotations/proxy.go
+++ b/test/e2e/annotations/proxy.go
@@ -84,6 +84,23 @@ var _ = framework.DescribeAnnotation("proxy-*", func() {
 })
 })
+ ginkgo.It("should set proxy_redirect with PCRE", func() {
+ proxyRedirectFrom := "~^(http|https)://hello.com/v1/(.*)$"
+ proxyRedirectTo := "$1://$host/$2"
+
+ annotations := make(map[string]string)
+ annotations["nginx.ingress.kubernetes.io/proxy-redirect-from"] = proxyRedirectFrom
+ annotations["nginx.ingress.kubernetes.io/proxy-redirect-to"] = proxyRedirectTo
+
+ ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+ f.EnsureIngress(ing)
+
+ f.WaitForNginxServer(host,
+ func(server string) bool {
+ return strings.Contains(server, fmt.Sprintf("proxy_redirect %s %s;", proxyRedirectFrom, proxyRedirectTo))
+ })
+ })
+
 ginkgo.It("should set proxy client-max-body-size to 8m", func() {
 proxyBodySize := "8m"
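Review bot: `proxyRedirectToAnnotation` receives the same widened validator as `proxyRedirectFromAnnotation`, although only the first parameter of `proxy_redirect` is a pattern; the replacement needs variables such as `$1` and `$host` but no regex metacharacters. The narrower `URLWithNginxVariableRegex` from the validators.go hunk looks sufficient for it, `Validator: parser.ValidateRegex(parser.URLWithNginxVariableRegex, true),`, provided it accepts the e2e value `$1://$host/$2` (its character classes are defined outside this patch, so that needs checking). Both entries also keep `Risk: parser.AnnotationRiskMedium` while now accepting `$` variables, which the validators.go comment calls a risky operation, so the risk level deserves a second look. The `proxyAnnotations` literal starts and ends outside this hunk.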
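Review bot: The added spec in test/e2e/annotations/proxy.go covers only the accepting path, so nothing pins what `URLWithPCRERegex` must still refuse. I would add a second `ginkgo.It` that sets `proxy-redirect-from` to a value containing a character outside the allow-list (for example `;`) and asserts that the Ingress is rejected or that no `proxy_redirect` line for it reaches the rendered server block, whichever the framework exposes. Separately, the `.` in `hello.com` is unescaped in the pattern and so matches any character; `hello\.com` would state the intent, if the validator admits `\`. The enclosing `DescribeAnnotation` closure begins outside the hunk.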