credential: address the four remaining findings from the PR #127 review#138
Open
congwang-mk wants to merge 1 commit into
Open
credential: address the four remaining findings from the PR #127 review#138congwang-mk wants to merge 1 commit into
congwang-mk wants to merge 1 commit into
Conversation
…ny, match decoded query params Signed-off-by: Cong Wang <cwang@multikernel.io>
a50eaf0 to
6ede13b
Compare
Contributor
Author
|
@dzerik Please take a look. Thanks! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to #127, addressing the four findings that remained after the re-review:
Seekable stdin rejected for
fd:0. Stdin survives into the child (unlike fds above 2, which are closed post-fork), and a dup shares the file offset, so a< secret.txtredirect would let the child lseek back and re-read the secret even after the supervisor drained it.load_secretnow refuses a rewindable fd 0 and points at the pipe pattern; pipes/sockets/ttys (ESPIPE) stay allowed, and seekable sources on fds above 2 are unaffected.Header names validated at rule-parse time. A malformed
header:<name>/apikey:<name>previously surfaced only as a per-request 502 the first time the rule fired;parse_authnow runsHeaderName::from_bytesso a typo fails the build like every other spec error.File-overlap warning honors
fs-deny. The warning suggested "add an fs-deny for it" but did not consultfs_denied, so following the advice still warned on every run. The overlap check (extracted into a testableexposing_granthelper) now suppresses the warning when a deny covers the secret file.Query param names compared percent-decoded. A child spelling the target param with stray percent-encoding (
%6Bey=forkey=) evaded the Replace de-dup filter, leaving its pair alongside the injected one. Param names are now decoded before comparison, for both the Replace filter and the AddOnly presence check.Each fix comes with unit tests, including a stdin-swap test that exercises both the file-redirect rejection and the pipe acceptance on the real fd 0.
🤖 Generated with Claude Code