CORS plugin regex backslash issue #13849

Closed
jgutschon opened this issue Nov 7, 2024 · 1 comment
jgutschon commented Nov 7, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Kong version ($ kong version)

Kong 3.7

Current Behavior

We have a couple of CORS KongPlugins deployed with a config.origins set to something like:

config:
  origins:
    - 'http://localhost:8000'
    - 'https:\/\/[\w-_]+\.subdomain\.subdomain2\.domain\.com'
    - 'https:\/\/[\w-_]+\.subdomain\.domain\.com'

When running Kong 3.6 and KIC 3.3 on Helm chart 2.42.0, this works fine, but when we upgrade to Kong 3.7 or 3.8, the following error appears in the logs:

2024-11-07T22:38:32Z	error	recording a Warning event for object	{"name": "service-name", "namespace": "service-ns", "kind": "KongPlugin", "apiVersion": "configuration.konghq.com/v1", "reason": "KongConfigurationApplyFailed", "message": "invalid config.origins.2: 'https:\\/\\/[\\w-_]+\\.subdomain\\.subdomain2\\.domain\\.com' is not a valid regex", "error": "object failed to apply"}

and similar for the other origin containing regex.

If all \ in the origins are removed, replacing with something like https://[[[:ascii:]]-_]+.subdomain.domain.com the errors stop. If the backslashes are added again after removing them, the kong validating webhook throws an error with the same message, blocking the apply. In either case, the manifest itself is unchanged and still shows the original regex string in config.origins.

This was tested on several versions, including Kong 3.2 through 3.8, and KIC 2.8, 3.0 through 3.3. Only Kong 3.7 and 3.8 seem to be affected.

Some other strange behaviour:
When testing Kong 3.7 with KIC 2.8, \ was replaced with \\\\\\\\

Expected Behavior

I'm not sure where the extra \ is coming from, and why the replacement is also happening at apply time before reaching the admission controller. I would also expect that even with the replacement in the string, it should technically be valid regex, however not correct for the application.

Steps To Reproduce

  1. Run Kong 3.7 or 3.8 with KIC 3.3 on chart 2.42
  2. Use the Kong CORS plugin with a config.origins using a regex string with backslashes
  3. Apply, observe kong validation webhook for errors

Anything else?

No response

@jgutschon
Author

Solved the issue after re-reading this: I didn't escape the -, so it's invalid, interpreting it as a range. Rewriting as below is now working on 3.7 and 3.8.

config:
  origins:
    - 'http://localhost:8000'
    - 'https:\/\/[\w\-_]+\.subdomain\.subdomain2\.domain\.com'
    - 'https:\/\/[\w\-_]+\.subdomain\.domain\.com'
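A pre-deployment check for an origin allowlist like the one in this thread, as an added example that is not part of the issue and is not Kong's code. It assumes Python's `re` as a stand-in engine (it also rejects `[\w-_]` as a bad range) and full-string matching; the function name, the sample hostnames and the `UNESCAPED` pattern are constructed for illustration.

```python
import re

# Constructed inputs modelled on the config.origins entries in the issue.
ORIGINAL = ["http://localhost:8000",
            r"https:\/\/[\w-_]+\.subdomain\.domain\.com"]    # as first reported
FIXED = ["http://localhost:8000",
         r"https:\/\/[\w\-_]+\.subdomain\.domain\.com"]      # hyphen escaped
UNESCAPED = ["http://localhost:8000",
             r"https://[\w\-_]+.subdomain.domain.com"]       # constructed: bare dots

# Constructed test origins: what the allowlist must accept and must refuse.
MUST_ALLOW = ["http://localhost:8000",
              "https://my-app.subdomain.domain.com"]
MUST_DENY = ["https://a.subdomain-domain.com",               # different registrable domain
             "https://my-app.subdomain.domain.com.example.net"]


def lint_origins(patterns, must_allow, must_deny):
    """Return (subject, problem) findings; an empty list means the allowlist is clean."""
    findings, compiled = [], []
    for pattern in patterns:
        try:
            compiled.append(re.compile(pattern))
        except re.error as exc:
            # Invalid patterns are reported and excluded from matching.
            findings.append((pattern, f"invalid regex: {exc.msg}"))

    for origin in must_allow:
        if not any(rx.fullmatch(origin) for rx in compiled):
            findings.append((origin, "expected origin is rejected"))

    for origin in must_deny:
        for rx in compiled:
            if rx.fullmatch(origin):
                # A pattern that compiles can still be wider than intended.
                findings.append((rx.pattern, f"also matches {origin}"))
    return findings


if __name__ == "__main__":
    for name, patterns in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED),
                           ("UNESCAPED", UNESCAPED)):
        print(name, lint_origins(patterns, MUST_ALLOW, MUST_DENY))
```

The `UNESCAPED` case shows why a pattern that merely passes validation still needs negative test origins: each bare `.` matches any character, so the allowlist accepts a host outside the intended domain.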
