Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kbs: allow resource uri to have . in safe ways #596

Merged
merged 1 commit into from
Nov 26, 2024
Merged

kbs: allow resource uri to have . in safe ways #596

merged 1 commit into from
Nov 26, 2024

Conversation

Xynnn007
Copy link
Member

We deprecated . in resource uri to avoid security issues like accessing the upper directory with .. path. However, in some cases . is safe like example.txt. This patch allows a string not starting with . to appear in a resource URI.

Fixes #593

cc @bpradipt

@Xynnn007 Xynnn007 requested a review from a team as a code owner November 25, 2024 02:22
bpradipt
bpradipt reviewed Nov 25, 2024
View reviewed changes
kbs/src/plugins/implementations/resource/backend.rs Outdated
@@ -38,7 +38,7 @@ impl TryFrom<&str> for ResourceDesc {
fn try_from(value: &str) -> Result<Self> {
let regex = CELL.get_or_init(|| {
Regex::new(
r"^((?<repo>[a-zA-Z0-9_\-]+)/)?(?<type>[a-zA-Z0-9_\-]+)/(?<tag>[a-zA-Z0-9_\-]+)$",
r"^((?<repo>[a-zA-Z0-9_\-]+[a-zA-Z0-9_\-\.]*)/)?(?<type>[a-zA-Z0-9_\-]+[a-zA-Z0-9_\-\.]*)/(?<tag>[a-zA-Z0-9_\-]+[a-zA-Z0-9_\-\.]*)$",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Putting the regex in online validator (https://regex101.com/) complains about unescaped /.
Following pattern with escaping the / worked

"^((?<repo>[a-zA-Z0-9_\-]+[a-zA-Z0-9_\-\.]*)\/)?(?<type>[a-zA-Z0-9_\-]+[a-zA-Z0-9_\-\.]*)\/(?<tag>[a-zA-Z0-9_\-]+[a-zA-Z0-9_\-\.]*)$"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Let me fix this

@Xynnn007
kbs: allow resource uri to have . in safe ways
f6a4538 
We deprecated `.` in resource uri to avoid security issues like
accessing the upper directory with `..` path. However, in some cases `.`
is safe like `example.txt`. This patch allows a string not starting with
`.` to appear in a resource URI.

Fixes confidential-containers#593

Signed-off-by: Xynnn007 <[email protected]>
bpradipt
bpradipt approved these changes Nov 25, 2024
View reviewed changes
Copy link
Member

@bpradipt bpradipt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

fitzthum
fitzthum approved these changes Nov 25, 2024
View reviewed changes
Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Xynnn007 Xynnn007 merged commit 4515101 into confidential-containers:main Nov 26, 2024
19 checks passed
@Xynnn007 Xynnn007 deleted the fix-regex branch November 26, 2024 06:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bpradipt bpradipt bpradipt approved these changes

@fitzthum fitzthum fitzthum approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Retrieving a resource with name with extension throws error
3 participants
@Xynnn007 @fitzthum @bpradipt