feat: BN014 detect duplicate policies #468
Merged
I don't know why, but previously the EP001 plugin, which is intended to check for CORS policy placement, also made a lame attempt to check for duplicate CORS policies. That always failed, because the check was naive: any policy that had a different name was considered to be different. Therefore it never detected a duplicate.
So that code needed to go. But it seems like it's possible that someone might have multiple differently named policies (CORS or otherwise), with identical configuration, in the same proxy bundle. And if that might occur, it would be good to check for that and issue a warning. So I implemented that check in a new plugin, BN014. It has "pretty good" XML policy comparison logic: two different policies will not be judged to be different if the only differences are in whitespace or indenting. They will be judged to be different if the element order is different.
Not sure how useful this will be. But rather than remove the duplicate policy check, I thought it would be better to keep it, as a new plugin.
This also increases code coverage for the EP001 plugin.
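
The comparison rule described above, sketched in Python as an added example (not code from this pull request or from the linter itself): differently named policies compare equal when they differ only in whitespace or indenting, and unequal when element order differs. It assumes the policy name is the root element's `name` attribute; the file names and policy contents are constructed samples, and `canonical` and `find_duplicates` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict


def canonical(elem, is_root=True):
    """Reduce an element to a nested tuple that ignores indenting but keeps child order."""
    # Assumption: the policy name is the root "name" attribute, so it is left out.
    # Assumption of this sketch: attribute order is not significant, so attributes are sorted.
    attrs = tuple(sorted((k, v) for k, v in elem.attrib.items()
                         if not (is_root and k == "name")))
    # Children stay in document order, so reordered elements give a different tuple.
    children = tuple((canonical(c, is_root=False), (c.tail or "").strip())
                     for c in elem)
    return (elem.tag, attrs, (elem.text or "").strip(), children)


def find_duplicates(policies):
    """Map of file name -> XML text; returns groups of files with identical configuration."""
    groups = defaultdict(list)
    for filename, xml_text in policies.items():
        groups[canonical(ET.fromstring(xml_text))].append(filename)
    return [sorted(names) for names in groups.values() if len(names) > 1]


# Constructed sample bundle: CORS-2 differs from CORS-1 only in name and layout,
# CORS-3 has the same elements in a different order.
SAMPLE = {
    "CORS-1.xml": """<CORS name="CORS-1">
  <AllowOrigins>https://app.example.com</AllowOrigins>
  <AllowMethods>GET, POST</AllowMethods>
</CORS>""",
    "CORS-2.xml": """<CORS name="CORS-2"><AllowOrigins>https://app.example.com</AllowOrigins>
        <AllowMethods>GET, POST</AllowMethods></CORS>""",
    "CORS-3.xml": """<CORS name="CORS-3">
  <AllowMethods>GET, POST</AllowMethods>
  <AllowOrigins>https://app.example.com</AllowOrigins>
</CORS>""",
}

if __name__ == "__main__":
    for group in find_duplicates(SAMPLE):
        print("warning: identical configuration in", ", ".join(group))
```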