-
Notifications
You must be signed in to change notification settings - Fork 116
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-27741: Properly handle route path while rewriting #607
base: master
Are you sure you want to change the base?
Conversation
@gcs278: This pull request references Jira Issue OCPBUGS-27741, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/jira refresh |
@gcs278: This pull request references Jira Issue OCPBUGS-27741, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/label qe-approved tested it with 4.16.0-0.ci.test-2024-05-31-012256-ci-ln-982w7yk-latest
|
@gcs278: This pull request references Jira Issue OCPBUGS-27741, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/assign @rfredette |
{ | ||
name: "single quotes should be always be escaped", | ||
input: `'foo'foo\'`, | ||
output: `'\''foo'\''foo\'\''`, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
\'
ends up generating an unpaired quote. Doesn't that still break the template?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So \'
generates \'\''
because our rule is simple & universal: '
gets translated to '\''
, and we don't do anything with the \
, so you mostly disregard it.
To explain the '\''
sequence:
- The first
'
terminates the outer quote provided by the template. - The
\'
specifies a literal escaped quote (it must be outside of the protection of''
) - The last
'
starts the outer quote again.
So the answer is no: it doesn't break the template, the \
in front of the quote doesn't matter. The result of \'
is that it gets interpreted as literal \'
, which is desirable in this specific situation.
I'll also mention that we did handle single quotes in a different way in the fix for https://issues.redhat.com/browse/OCPBUGS-22739, but the key different here is that, in OCPBUGS-22739, \'
was a valid rewrite annotation sequence (it matched '
), where for this fix, though it doesn't cause a syntax error, it causes an unreachable situation, because the HAProxy map files MUST match the same pattern as the replace-path regex. The GenerateRouteRegexp function is the reason why the HAPRoxy map path regexs are interpreted literally. I updated https://docs.google.com/document/d/1wA6ZdRYaiN70TY5UbTOn1wl5qAn_NPb2ty_G85XhnYM/edit with more info on this situation where the map files don't match the <match-regex>
argument for rewrite target.
I'm on a bit of a tangent in this comment. I also realized GenerateRouteRegexp
used regexp.QuoteMeta(path)
instead of \Q...\E
. They appear to do the same exact thing, but I think it's better to be consistent, especially if there is a subtle different between the two. We need to have the path interpreted in the same exact way for rewrites to work.
So I'll update the code to use QuoteMeta
, and I also found that you can add a newline character in spec.path and break this config. So I fixed that too.
27825bf
to
f43b373
Compare
Process the route's spec.path while using the `haproxy.router.openshift.io/rewrite-target` annotation to prevent HAProxy configuration issues. Previously, values in the route's path would be interpreted as regex meta characters. Now, this fix forces literal interpretation of the characters in spec.path when matching for rewriting. This change introduces some unavoidable incompatibilities if users were previously using regex meta characters in a spec.path.
f43b373
to
ffa97d7
Compare
@gcs278: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Per our discussion, I am planning to investigate what it would take to reject a route based on certain characters that are currently invalid. /hold |
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
Process the route's spec.path while using the
haproxy.router.openshift.io/rewrite-target
annotation to prevent HAProxy configuration issues.Previously, values in the route's path would be interpreted as regex meta characters. Now, this fix forces literal interpretation of the characters in spec.path when matching for rewriting. This change introduces some unavoidable incompatibilities if users were previously using regex meta characters in a spec.path.
Use cases have been documented here: https://docs.google.com/document/d/1wA6ZdRYaiN70TY5UbTOn1wl5qAn_NPb2ty_G85XhnYM/edit#heading=h.pca9p2i57r2u