Added anchors to cluster asset regex for security (#190)

mikouaj · web-flow · commit 05fdf4db5c25 · 2023-08-03T09:16:36.000+02:00
diff --git a/internal/gke/discovery.go b/internal/gke/discovery.go
@@ -162,7 +162,7 @@ func filterMapSeachResults(results []*assetpb.ResourceSearchResult) []string {
 
 // getIDFromName returns cluster identifier from full cluster asset name.
 func getIDFromName(name string) (string, error) {
-	r := regexp.MustCompile(`//container\.googleapis\.com/(projects/.+/(locations|zones)/.+/clusters/.+)`)
+	r := regexp.MustCompile(`^//container\.googleapis\.com/(projects/.+/(locations|zones)/.+/clusters/.+$)`)
 	if !r.MatchString(name) {
 		return "", fmt.Errorf("given name %q does not match GKE cluster name pattern", name)
 	}
diff --git a/internal/gke/discovery_test.go b/internal/gke/discovery_test.go
@@ -199,6 +199,7 @@ func TestGetIDFromName_negative(t *testing.T) {
 	inputs := []string{
 		"projects/my-project/locations/europe-west2/clusters/my-cluster",
 		"//container.googleapis.com/project/test/locations/europe/my-cluster",
+		"malicious//container.googleapis.com/projects/my-project/locations/europe-west2/clusters/other-cluster/code",
 	}
 	for _, input := range inputs {
 		if _, err := getIDFromName(input); err == nil {

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ func filterMapSeachResults(results []*assetpb.ResourceSearchResult) []string {`
`162`	`162`
`163`	`163`	`// getIDFromName returns cluster identifier from full cluster asset name.`
`164`	`164`	`func getIDFromName(name string) (string, error) {`
`165`		- r := regexp.MustCompile(`//container\.googleapis\.com/(projects/.+/(locations\|zones)/.+/clusters/.+)`)
	`165`	+ r := regexp.MustCompile(`^//container\.googleapis\.com/(projects/.+/(locations\|zones)/.+/clusters/.+$)`)
`166`	`166`	`if !r.MatchString(name) {`
`167`	`167`	`return "", fmt.Errorf("given name %q does not match GKE cluster name pattern", name)`
`168`	`168`	`}`
Original file line number	Diff line number	Diff line change
`@@ -199,6 +199,7 @@ func TestGetIDFromName_negative(t *testing.T) {`
`199`	`199`	`inputs := []string{`
`200`	`200`	`"projects/my-project/locations/europe-west2/clusters/my-cluster",`
`201`	`201`	`"//container.googleapis.com/project/test/locations/europe/my-cluster",`
	`202`	`+ "malicious//container.googleapis.com/projects/my-project/locations/europe-west2/clusters/other-cluster/code",`
`202`	`203`	`}`
`203`	`204`	`for _, input := range inputs {`
`204`	`205`	`if _, err := getIDFromName(input); err == nil {`