server: PUT v1/data handler performing string prefix check on bundle roots #2868

Closed
tsandall opened this issue Nov 5, 2020 · 0 comments · Fixed by #3033
tsandall commented Nov 5, 2020

The `PUT v1/data` handler calls `checkPathScope` which in turn uses `strings.HasPrefix` to check for conflicts with bundle roots: https://github.com/open-policy-agent/opa/blob/master/server/server.go#L1943. This leads to false-positive errors. For example, if the bundle roots are `["foo"]` and the caller sends `PUT v1/data/fo`, the request will be rejected because `fo` is a prefix of `foo`.
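The difference between a string-level and a segment-level root check, as an added example that is not OPA's code and not part of the original comment. The function names `overlapsNaive` and `overlapsBySegment` are hypothetical, and treating a conflict as "either path is an ancestor of, or equal to, the other" is an assumption about the intended semantics.

```go
package main

import (
	"fmt"
	"strings"
)

// splitPath turns "a/b/c" into segments; the empty path has no segments.
func splitPath(p string) []string {
	p = strings.Trim(p, "/")
	if p == "" {
		return nil
	}
	return strings.Split(p, "/")
}

// overlapsNaive models the string-level check described in the issue:
// "fo" is reported as conflicting with root "foo".
func overlapsNaive(path, root string) bool {
	path, root = strings.Trim(path, "/"), strings.Trim(root, "/")
	return strings.HasPrefix(path, root) || strings.HasPrefix(root, path)
}

// overlapsBySegment compares whole path segments, so a conflict is
// reported only when one path is an ancestor of (or equal to) the other.
func overlapsBySegment(path, root string) bool {
	p, r := splitPath(path), splitPath(root)
	n := len(p)
	if len(r) < n {
		n = len(r)
	}
	for i := 0; i < n; i++ {
		if p[i] != r[i] {
			return false
		}
	}
	return true
}

func main() {
	root := "foo" // constructed sample bundle root, as in the issue
	for _, path := range []string{"fo", "foobar", "foo", "foo/bar", ""} {
		fmt.Printf("path=%-9q naive=%-5v segment=%v\n",
			path, overlapsNaive(path, root), overlapsBySegment(path, root))
	}
}
```

The empty path (a write to the document root) still overlaps every bundle root under the segment check, since it is an ancestor of all of them.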

@tsandall tsandall added the bug label Nov 5, 2020
@tsandall tsandall added this to TODO (Things That Should Be Done) in Open Policy Agent via automation Nov 5, 2020
@anderseknert anderseknert self-assigned this Dec 23, 2020
anderseknert added a commit to anderseknert/opa that referenced this issue Jan 4, 2021
Allow writing to /data/foo when /data/foobar is a bundle root.

Fixes open-policy-agent#2868

Signed-off-by: Anders Eknert <anders@eknert.com>
Open Policy Agent automation moved this from TODO (Things That Should Be Done) to Done Jan 5, 2021
srenatus pushed a commit that referenced this issue Jan 5, 2021
Allow writing to /data/foo when /data/foobar is a bundle root.

Fixes #2868

Signed-off-by: Anders Eknert <anders@eknert.com>
aavarghese pushed a commit to aavarghese/opa that referenced this issue Jan 8, 2021
Allow writing to /data/foo when /data/foobar is a bundle root.

Fixes open-policy-agent#2868

Signed-off-by: Anders Eknert <anders@eknert.com>
Signed-off-by: Ansu Varghese <avarghese@us.ibm.com>