TheCloud/anubis
1
0
Fork 0
mirror of https://github.com/TecharoHQ/anubis.git synced 2025-09-08 04:05:23 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix(expression): add validation for empty expression list in CEL (#545)

Browse Source 
* fix(expression): add validation for empty ExpressionOrList

Signed-off-by: Jason Cameron <git@jasoncameron.dev>

* fix(imports): block empty file imports with improved error checking logic

Signed-off-by: Jason Cameron <git@jasoncameron.dev>

* docs(expression): improve validation to error on empty CEL expressions

Signed-off-by: Jason Cameron <git@jasoncameron.dev>

---------

Signed-off-by: Jason Cameron <git@jasoncameron.dev>
This commit is contained in:
Jason Cameron 2025-05-23 18:14:31 -04:00 committed by GitHub
parent 51f875ff6f
commit 93e2447ba2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/docs/CHANGELOG.md
View File

@ -29,6 +29,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Added Qualys SSL Labs whitelist policy - Added Qualys SSL Labs whitelist policy
- Fixed cookie deletion logic ([#520](https://github.com/TecharoHQ/anubis/issues/520), [#522](https://github.com/TecharoHQ/anubis/pull/522)) - Fixed cookie deletion logic ([#520](https://github.com/TecharoHQ/anubis/issues/520), [#522](https://github.com/TecharoHQ/anubis/pull/522))
- Add `--target-sni` flag/envvar to allow changing the value of the TLS handshake hostname in requests forwarded to the target service. - Add `--target-sni` flag/envvar to allow changing the value of the TLS handshake hostname in requests forwarded to the target service.
- Fixed CEL expression matching validator to now properly error out when it receives empty expressions
## v1.18.0: Varis zos Galvus ## v1.18.0: Varis zos Galvus

2
lib/policy/config/config.go
View File

@ -224,7 +224,7 @@ func (is *ImportStatement) open() (fs.File, error) {
func (is *ImportStatement) load() error { func (is *ImportStatement) load() error {
fin, err := is.open() fin, err := is.open()
if err != nil { if err != nil {
return fmt.Errorf("can't open %s: %w", is.Import, err) return fmt.Errorf("%w: %s: %w", ErrInvalidImportStatement, is.Import, err)
} }
defer fin.Close() defer fin.Close()

3
lib/policy/config/expressionorlist.go
View File

@ -54,6 +54,9 @@ func (eol *ExpressionOrList) UnmarshalJSON(data []byte) error {
} }
func (eol *ExpressionOrList) Valid() error { func (eol *ExpressionOrList) Valid() error {
if eol.Expression == "" && len(eol.All) == 0 && len(eol.Any) == 0 {
return ErrExpressionEmpty
}
if len(eol.All) != 0 && len(eol.Any) != 0 { if len(eol.All) != 0 && len(eol.Any) != 0 {
return ErrExpressionCantHaveBoth return ErrExpressionCantHaveBoth
} }

7
lib/policy/config/expressionorlist_test.go
View File

@ -51,6 +51,13 @@ func TestExpressionOrListUnmarshal(t *testing.T) {
}`, }`,
validErr: ErrExpressionCantHaveBoth, validErr: ErrExpressionCantHaveBoth,
}, },
{
name: "expression-empty",
inp: `{
"any": []
}`,
validErr: ErrExpressionEmpty,
},
} { } {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
var eol ExpressionOrList var eol ExpressionOrList