Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pathpol UnmarshalJSON and UnmarshalYAML should check for default action #4504

Closed
fbuetler opened this issue Apr 12, 2024 · 0 comments · Fixed by #4505
Closed

pathpol UnmarshalJSON and UnmarshalYAML should check for default action #4504

fbuetler opened this issue Apr 12, 2024 · 0 comments · Fixed by #4505
Labels
bug Something isn't working

Comments

@fbuetler
Copy link
Contributor

If one does unmarshal a json or yaml path policy like ["+ 42", "-"] it is not guaranteed that the last entry is going to be a default action.

It should have a similar check like the in NewACL:

// NewACL creates a new entry and checks for the presence of a default action
func NewACL(entries ...*ACLEntry) (*ACL, error) {
	if len(entries) == 0 || !entries[len(entries)-1].Rule.matchesAll() {
		return nil, ErrNoDefault
	}
	return &ACL{Entries: entries}, nil
}

Otherwise, using Eval on the malformed ACL is hitting this panic.
@fbuetler fbuetler added the bug Something isn't working label Apr 12, 2024
fbuetler added a commit to fbuetler/scion that referenced this issue Apr 12, 2024
@fbuetler
fix scionproto#4504: ensure acl default rule matches all for unmarsha…
fd01f12 
…lled json and yaml acls
@fbuetler fbuetler mentioned this issue Apr 12, 2024
Merged
fbuetler added a commit to fbuetler/scion that referenced this issue Apr 17, 2024
@fbuetler
fix scionproto#4504: ensure acl default rule matches all for unmarsha…
e5b1f72 
…lled json and yaml acls
matzf pushed a commit that referenced this issue Apr 19, 2024
@fbuetler
pathpol: ensure deserialized ACL has default rule (#4505)
5b133c0 
An ACL without default rule may panic during evaluation of the filter,
which is why the constructor NewACL checks that such a default rule
exists.

Add the same check also to the deserialization from JSON/YAML.

Fixes #4504
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

pathpol: ensure deserialized ACL has default rule fbuetler/scion
1 participant
@fbuetler