Merge pull request #13282 from jim-minter/secret-injector-improvements

Automatic merge from submit-queue (batch tested with PRs 16269, 13282, 16386) Improvements to secret injector Disallow @ character in host component of URL patterns, so that people don't mistakenly try to add URL patterns of the form user@host. Extend admission controller to reject invalid URL patterns on secrets to provide early feedback to end users when their patterns are wrong.
openshift · Sep 16, 2017 · a4e5e53 · a4e5e53
2 parents 0a33b4c + ae22665
commit a4e5e53
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/pkg/util/urlpattern/urlpattern.go b/pkg/util/urlpattern/urlpattern.go
@@ -12,7 +12,7 @@ var InvalidPatternError = errors.New("invalid pattern")
 
 var urlPatternRegex = regexp.MustCompile(`^` +
 	`(?:(\*|git|http|https|ssh)://)` +
-	`(\*|(?:\*\.)?[^/*]+)` +
+	`(\*|(?:\*\.)?[^@/*]+)` +
 	`(/.*)` +
 	`$`)
 

diff --git a/pkg/util/urlpattern/urlpattern_test.go b/pkg/util/urlpattern/urlpattern_test.go
@@ -44,7 +44,7 @@ func TestMatchPattern(t *testing.T) {
 			expectedScheme:   `^(git|http|https|ssh)$`,
 			expectedHost:     `^.*$`,
 			expectedPath:     `^/.*$`,
-			expectedMatch:    []string{`https://github.com/`},
+			expectedMatch:    []string{`https://github.com/`, `https://user:password@github.com/`, `ssh://git@github.com/`},
 			expectedNotMatch: []string{`ftp://github.com/`},
 		},
 		{
@@ -80,15 +80,15 @@ func TestMatchPattern(t *testing.T) {
 			expectedScheme:   `^https$`,
 			expectedHost:     `^github\.com$`,
 			expectedPath:     `^/.*$`,
-			expectedMatch:    []string{`https://github.com/`},
+			expectedMatch:    []string{`https://github.com/`, `https://user:password@github.com/`},
 			expectedNotMatch: []string{`https://test.github.com/`},
 		},
 		{
 			pattern:        `https://*.git.luolix.top/*`,
 			expectedScheme: `^https$`,
 			expectedHost:   `^(?:.*\.)?github\.com$`,
 			expectedPath:   `^/.*$`,
-			expectedMatch:  []string{`https://github.com/`, `https://test.github.com/`},
+			expectedMatch:  []string{`https://github.com/`, `https://user:password@github.com/`, `https://test.github.com/`},
 		},
 		{
 			pattern:        `https://\.+?()|[]{}^$/*`,
@@ -108,6 +108,10 @@ func TestMatchPattern(t *testing.T) {
 			pattern:     `https://git*hub.com/*`,
 			expectedErr: true,
 		},
+		{
+			pattern:     `*://git@github.com/*`,
+			expectedErr: true,
+		},
 		{
 			pattern:        `https://github.com/`,
 			expectedScheme: `^https$`,