Skip to content

Commit a167db1

Browse files
kevin85421salonichf5
kevin85421
authored and
salonichf5
committed
update
1 parent 31e6a0d commit a167db1

File tree

2 files changed

+236
-1
lines changed

2 files changed

+236
-1
lines changed

internal/mode/static/state/graph/httproute.go

Lines changed: 58 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -249,7 +249,9 @@ func validateFilter(
249249
case v1.HTTPRouteFilterRequestHeaderModifier:
250250
return validateFilterHeaderModifier(validator, filter.RequestHeaderModifier, filterPath.Child(string(filter.Type)))
251251
case v1.HTTPRouteFilterResponseHeaderModifier:
252-
return validateFilterHeaderModifier(validator, filter.ResponseHeaderModifier, filterPath.Child(string(filter.Type)))
252+
return validateFilterResponseHeaderModifier(
253+
validator, filter.ResponseHeaderModifier, filterPath.Child(string(filter.Type)),
254+
)
253255
default:
254256
valErr := field.NotSupported(
255257
filterPath.Child("type"),
@@ -422,6 +424,61 @@ func validateFilterHeaderModifierFields(
422424
return allErrs
423425
}
424426

427+
func validateFilterResponseHeaderModifier(
428+
validator validation.HTTPFieldsValidator,
429+
responseHeaderModifier *v1.HTTPHeaderFilter,
430+
filterPath *field.Path,
431+
) field.ErrorList {
432+
if errList := validateFilterHeaderModifier(validator, responseHeaderModifier, filterPath); errList != nil {
433+
return errList
434+
}
435+
var allErrs field.ErrorList
436+
disallowedResponseHeaderSet := map[string]struct{}{
437+
"server": {},
438+
"date": {},
439+
"x-pad": {},
440+
"content-type": {},
441+
"content-length": {},
442+
"connection": {},
443+
}
444+
invalidPrefix := "x-accel"
445+
for _, h := range responseHeaderModifier.Add {
446+
valErr := field.Invalid(filterPath.Child("add"), h, "header name is not allowed")
447+
name := strings.ToLower(string(h.Name))
448+
if _, exists := disallowedResponseHeaderSet[name]; exists {
449+
allErrs = append(allErrs, valErr)
450+
} else {
451+
if strings.HasPrefix(name, strings.ToLower(invalidPrefix)) {
452+
allErrs = append(allErrs, valErr)
453+
}
454+
}
455+
}
456+
for _, h := range responseHeaderModifier.Set {
457+
valErr := field.Invalid(filterPath.Child("set"), h, "header name is not allowed")
458+
name := strings.ToLower(string(h.Name))
459+
if _, exists := disallowedResponseHeaderSet[name]; exists {
460+
allErrs = append(allErrs, valErr)
461+
} else {
462+
if strings.HasPrefix(name, strings.ToLower(invalidPrefix)) {
463+
allErrs = append(allErrs, valErr)
464+
}
465+
}
466+
}
467+
for _, h := range responseHeaderModifier.Remove {
468+
valErr := field.Invalid(filterPath.Child("remove"), h, "header name is not allowed")
469+
name := strings.ToLower(h)
470+
if _, exists := disallowedResponseHeaderSet[name]; exists {
471+
allErrs = append(allErrs, valErr)
472+
} else {
473+
if strings.HasPrefix(name, strings.ToLower(invalidPrefix)) {
474+
allErrs = append(allErrs, valErr)
475+
}
476+
}
477+
}
478+
479+
return allErrs
480+
}
481+
425482
func validateRequestHeadersCaseInsensitiveUnique(
426483
headers []v1.HTTPHeader,
427484
path *field.Path,

internal/mode/static/state/graph/httproute_test.go

Lines changed: 178 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1325,3 +1325,181 @@ func TestValidateFilterRequestHeaderModifier(t *testing.T) {
13251325
})
13261326
}
13271327
}
1328+
1329+
func TestValidateFilterResponseHeaderModifier(t *testing.T) {
1330+
createAllValidValidator := func() *validationfakes.FakeHTTPFieldsValidator {
1331+
v := &validationfakes.FakeHTTPFieldsValidator{}
1332+
return v
1333+
}
1334+
1335+
tests := []struct {
1336+
filter gatewayv1.HTTPRouteFilter
1337+
validator *validationfakes.FakeHTTPFieldsValidator
1338+
name string
1339+
expectErrCount int
1340+
}{
1341+
{
1342+
validator: createAllValidValidator(),
1343+
filter: gatewayv1.HTTPRouteFilter{
1344+
Type: gatewayv1.HTTPRouteFilterResponseHeaderModifier,
1345+
ResponseHeaderModifier: &gatewayv1.HTTPHeaderFilter{
1346+
Set: []gatewayv1.HTTPHeader{
1347+
{Name: "MyBespokeHeader", Value: "my-value"},
1348+
},
1349+
Add: []gatewayv1.HTTPHeader{
1350+
{Name: "Accept-Encoding", Value: "gzip"},
1351+
},
1352+
Remove: []string{"Cache-Control"},
1353+
},
1354+
},
1355+
expectErrCount: 0,
1356+
name: "valid response header modifier filter",
1357+
},
1358+
{
1359+
validator: createAllValidValidator(),
1360+
filter: gatewayv1.HTTPRouteFilter{
1361+
Type: gatewayv1.HTTPRouteFilterResponseHeaderModifier,
1362+
ResponseHeaderModifier: nil,
1363+
},
1364+
expectErrCount: 1,
1365+
name: "nil response header modifier filter",
1366+
},
1367+
{
1368+
validator: func() *validationfakes.FakeHTTPFieldsValidator {
1369+
v := createAllValidValidator()
1370+
v.ValidateFilterHeaderNameReturns(errors.New("Invalid header"))
1371+
return v
1372+
}(),
1373+
filter: gatewayv1.HTTPRouteFilter{
1374+
Type: gatewayv1.HTTPRouteFilterResponseHeaderModifier,
1375+
ResponseHeaderModifier: &gatewayv1.HTTPHeaderFilter{
1376+
Add: []gatewayv1.HTTPHeader{
1377+
{Name: "$var_name", Value: "gzip"},
1378+
},
1379+
},
1380+
},
1381+
expectErrCount: 1,
1382+
name: "response header modifier filter with invalid add",
1383+
},
1384+
{
1385+
validator: func() *validationfakes.FakeHTTPFieldsValidator {
1386+
v := createAllValidValidator()
1387+
v.ValidateFilterHeaderNameReturns(errors.New("Invalid header"))
1388+
return v
1389+
}(),
1390+
filter: gatewayv1.HTTPRouteFilter{
1391+
Type: gatewayv1.HTTPRouteFilterResponseHeaderModifier,
1392+
ResponseHeaderModifier: &gatewayv1.HTTPHeaderFilter{
1393+
Remove: []string{"$var-name"},
1394+
},
1395+
},
1396+
expectErrCount: 1,
1397+
name: "response header modifier filter with invalid remove",
1398+
},
1399+
{
1400+
validator: func() *validationfakes.FakeHTTPFieldsValidator {
1401+
v := createAllValidValidator()
1402+
v.ValidateFilterHeaderValueReturns(errors.New("Invalid header value"))
1403+
return v
1404+
}(),
1405+
filter: gatewayv1.HTTPRouteFilter{
1406+
Type: gatewayv1.HTTPRouteFilterResponseHeaderModifier,
1407+
ResponseHeaderModifier: &gatewayv1.HTTPHeaderFilter{
1408+
Add: []gatewayv1.HTTPHeader{
1409+
{Name: "Accept-Encoding", Value: "yhu$"},
1410+
},
1411+
},
1412+
},
1413+
expectErrCount: 1,
1414+
name: "response header modifier filter with invalid header value",
1415+
},
1416+
{
1417+
validator: func() *validationfakes.FakeHTTPFieldsValidator {
1418+
v := createAllValidValidator()
1419+
v.ValidateFilterHeaderValueReturns(errors.New("Invalid header value"))
1420+
v.ValidateFilterHeaderNameReturns(errors.New("Invalid header"))
1421+
return v
1422+
}(),
1423+
filter: gatewayv1.HTTPRouteFilter{
1424+
Type: gatewayv1.HTTPRouteFilterResponseHeaderModifier,
1425+
ResponseHeaderModifier: &gatewayv1.HTTPHeaderFilter{
1426+
Set: []gatewayv1.HTTPHeader{
1427+
{Name: "Host", Value: "my_host"},
1428+
},
1429+
Add: []gatewayv1.HTTPHeader{
1430+
{Name: "}90yh&$", Value: "gzip$"},
1431+
{Name: "}67yh&$", Value: "compress$"},
1432+
},
1433+
Remove: []string{"Cache-Control$}"},
1434+
},
1435+
},
1436+
expectErrCount: 7,
1437+
name: "response header modifier filter all fields invalid",
1438+
},
1439+
{
1440+
validator: createAllValidValidator(),
1441+
filter: gatewayv1.HTTPRouteFilter{
1442+
Type: gatewayv1.HTTPRouteFilterResponseHeaderModifier,
1443+
ResponseHeaderModifier: &gatewayv1.HTTPHeaderFilter{
1444+
Set: []gatewayv1.HTTPHeader{
1445+
{Name: "MyBespokeHeader", Value: "my-value"},
1446+
{Name: "mYbespokeHEader", Value: "duplicate"},
1447+
},
1448+
Add: []gatewayv1.HTTPHeader{
1449+
{Name: "Accept-Encoding", Value: "gzip"},
1450+
{Name: "accept-encodING", Value: "gzip"},
1451+
},
1452+
Remove: []string{"Cache-Control", "cache-control"},
1453+
},
1454+
},
1455+
expectErrCount: 3,
1456+
name: "response header modifier filter not unique names",
1457+
},
1458+
{
1459+
validator: createAllValidValidator(),
1460+
filter: gatewayv1.HTTPRouteFilter{
1461+
Type: gatewayv1.HTTPRouteFilterResponseHeaderModifier,
1462+
ResponseHeaderModifier: &gatewayv1.HTTPHeaderFilter{
1463+
Set: []gatewayv1.HTTPHeader{
1464+
{Name: "Content-Length", Value: "163"},
1465+
},
1466+
Add: []gatewayv1.HTTPHeader{
1467+
{Name: "Content-Type", Value: "text/plain"},
1468+
},
1469+
Remove: []string{"X-Pad"},
1470+
},
1471+
},
1472+
expectErrCount: 3,
1473+
name: "invalid response header modifier filter",
1474+
},
1475+
{
1476+
validator: createAllValidValidator(),
1477+
filter: gatewayv1.HTTPRouteFilter{
1478+
Type: gatewayv1.HTTPRouteFilterResponseHeaderModifier,
1479+
ResponseHeaderModifier: &gatewayv1.HTTPHeaderFilter{
1480+
Set: []gatewayv1.HTTPHeader{
1481+
{Name: "X-Accel-Redirect", Value: "/protected/iso.img"},
1482+
},
1483+
Add: []gatewayv1.HTTPHeader{
1484+
{Name: "X-Accel-Limit-Rate", Value: "1024"},
1485+
},
1486+
Remove: []string{"X-Accel-Charset"},
1487+
},
1488+
},
1489+
expectErrCount: 3,
1490+
name: "invalid response header modifier filter",
1491+
},
1492+
}
1493+
1494+
filterPath := field.NewPath("test")
1495+
1496+
for _, test := range tests {
1497+
t.Run(test.name, func(t *testing.T) {
1498+
g := NewWithT(t)
1499+
allErrs := validateFilterResponseHeaderModifier(
1500+
test.validator, test.filter.ResponseHeaderModifier, filterPath,
1501+
)
1502+
g.Expect(allErrs).To(HaveLen(test.expectErrCount))
1503+
})
1504+
}
1505+
}

0 commit comments

Comments
 (0)