Skip to content

Commit 5199954

Browse files
committed
Do not allow use of internal redirects in response overrides.
1 parent 131fab1 commit 5199954

2 files changed

Lines changed: 32 additions & 0 deletions

File tree

internal/validation/backendtrafficpolicy_validation.go

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,24 @@ func ValidateBackendTrafficPolicy(backendTrafficPolicy *envoygatewayv1alpha1.Bac
2626
allErrs = append(allErrs, validateGatewayClusterSettings(backendTrafficPolicy.Spec.ClusterSettings, specPath, opts.ClusterSettings)...)
2727
allErrs = append(allErrs, validateBackendTrafficPolicyRateLimit(backendTrafficPolicy.Spec.RateLimit, specPath.Child("rateLimit"))...)
2828
allErrs = append(allErrs, validateBackendTrafficPolicyFaultInjection(backendTrafficPolicy.Spec.FaultInjection, specPath.Child("faultInjection"))...)
29+
allErrs = append(allErrs, validateBackendTrafficPolicyResponseOverride(backendTrafficPolicy.Spec.ResponseOverride, specPath.Child("responseOverride"))...)
30+
31+
return allErrs
32+
}
33+
34+
func validateBackendTrafficPolicyResponseOverride(responseOverrides []*envoygatewayv1alpha1.ResponseOverride, fldPath *field.Path) field.ErrorList {
35+
if len(responseOverrides) == 0 {
36+
return nil
37+
}
38+
39+
allErrs := field.ErrorList{}
40+
41+
for i, responseOverride := range responseOverrides {
42+
responseOverridePath := fldPath.Index(i)
43+
if responseOverride.Redirect != nil {
44+
allErrs = append(allErrs, field.Forbidden(responseOverridePath.Child("redirect"), "response redirects are not permitted"))
45+
}
46+
}
2947

3048
return allErrs
3149
}

internal/validation/backendtrafficpolicy_validation_test.go

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -319,6 +319,20 @@ func TestValidateBackendTrafficPolicy(t *testing.T) {
319319
field.Forbidden(field.NewPath("spec", "faultInjection"), "fault injection is not permitted"),
320320
},
321321
},
322+
"response override redirect not permitted": {
323+
backendTrafficPolicy: &envoygatewayv1alpha1.BackendTrafficPolicy{
324+
Spec: envoygatewayv1alpha1.BackendTrafficPolicySpec{
325+
ResponseOverride: []*envoygatewayv1alpha1.ResponseOverride{
326+
{
327+
Redirect: &envoygatewayv1alpha1.CustomRedirect{},
328+
},
329+
},
330+
},
331+
},
332+
expectedErrors: field.ErrorList{
333+
field.Forbidden(field.NewPath("spec", "responseOverride").Index(0).Child("redirect"), "fault injection is not permitted"),
334+
},
335+
},
322336
}
323337

324338
for name, scenario := range scenarios {

0 commit comments

Comments
 (0)