-
Notifications
You must be signed in to change notification settings - Fork 205
MINOR: Refine route-acl rules to prevent unintended prefix matches #692
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
MINOR: Refine route-acl rules to prevent unintended prefix matches #692
Conversation
7f273cc
to
d40fa9d
Compare
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
I'd like to know if there's anything I can do to facilitate the merge of this PR. I understand that using regex might have some performance impact (though I'm not sure about this). If that's a concern, we could implement two separate rules instead: # matches all paths that begin with `/api/`
use_backend app_api_http if { var(txn.host) -m str api.demo } { path -m beg /api/ } { ... }
# matches all requests with the exact path `/api`
use_backend app_api_http if { var(txn.host) -m str api.demo } { path -m str /api } { ... } This approach would achieve the same goal of preventing unintended matches (like /apiary) while potentially avoiding any regex performance overhead, if that's the case. Please let me know if there are any other concerns I can address to help move this PR forward. Regarding the failed check |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Hi, @oktalz. Could you please keep this pull request open until it can be reviewed? It was closed automatically. If there's anything I can do to help move it forward, let me know. Thank you! |
@fabianonunes yes, we will take care of it soon |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Hi @fabianonunes , we need to discuss if this is something we want to integrate because the documentation says:
Your PR could be an enhancement but we need to check if we want to go this direction. There's also a failing e2e test, can you check what happened ? |
d40fa9d
to
05b98e8
Compare
Refactors the `AddCustomRoute` function to eliminate redundancy introduced in commit c28d620. The updated code removes repetition without add extra spaces.
Since `route-acl` annotated rules take precedence over others, this commit updates its behavior to ensure they do not unintentionally overwrite other rules that share the same prefix. For example, a rule matching the path /api should not inadvertently handle requests to /apiary.
05b98e8
to
54bbfdf
Compare
Since
route-acl
annotated rules take precedence over others, this PR updates its behavior to ensure they do not unintentionally overwrite other rules that share the same word prefix.For example, a rule matching the path prefix
/api
should not inadvertently handle requests to/apiary
.To address this, the rule
{ path -m beg /api }
has been replaced with a alternative that validates the URL's termination, ensuring it matches only/api$
or/api/.*
:For better maintainability, this PR also refactors the
AddCustomRoute
function to eliminate redundancy introduced in commit c28d620. The updated code removes repetition without add extra spaces.