Add path validation rules for `pathType=ImplementationSpecific` about ingress-nginx HOT 5 OPEN

@jkroepke thanks for this issue (and all of the other reports ;) )

Anything we can use to improve security on this case is acceptable. That said, can we work on something with https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/ so we don't need to rely on any external webhook?

from ingress-nginx.

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

from ingress-nginx.

• AFAIK, normal regex lib is PCRE but K8S uses RE2 https://kubernetes.github.io/ingress-nginx/user-guide/ingress-path-matching/#regular-expression-support
• An admin has to explicitly allow characters https://kubernetes.github.io/ingress-nginx/faq/#validation-of-path as per spec

from ingress-nginx.

AFAIK, normal regex lib is PCRE but K8S uses RE2 kubernetes.github.io/ingress-nginx/user-guide/ingress-path-matching/#regular-expression-support

Okay, if Kubernetes already does a regex validation, the idea could be drop.

• An admin has to explicitly allow characters kubernetes.github.io/ingress-nginx/faq/#validation-of-path as per spec

I'm I have a built-in solution in mind. Not everyone has the power or capability to setup Open Policy Agent or Kyverno. Before someone is going deeper with REGO, I would more recommend to take an alternative ingress controller.

I'm coming from https://kubernetes.github.io/ingress-nginx/faq/#validation-of-path, so I'm aware of the bullet points.

from ingress-nginx.

While I was writing the issue, I had more in my mind to improve the validate inside ingress-nginx:

• ingress-nginx/internal/ingress/inspector/rules.go

  Lines 25 to 29 in e78af97

  	invalidAliasDirective = regexp.MustCompile(`(?s)\s*alias\s*.*;`)
  	invalidRootDirective = regexp.MustCompile(`(?s)\s*root\s*.*;`)
  	invalidEtcDir = regexp.MustCompile(`/etc/(passwd|shadow|group|nginx|ingress-controller)`)
  	invalidSecretsDir = regexp.MustCompile(`/var/run/secrets`)
  	invalidByLuaDirective = regexp.MustCompile(`.*_by_lua.*`)

• ingress-nginx/internal/ingress/inspector/inspector.go

  Lines 45 to 65 in e78af97

  	func ValidatePathType(ing *networking.Ingress) error {
  	if ing == nil {
  	return fmt.Errorf("received null ingress")
  	}
  	var err error
  	for _, rule := range ing.Spec.Rules {
  	if rule.HTTP != nil {
  	for _, path := range rule.HTTP.Paths {
  	if path.Path == "" {
  	continue
  	}
  	if path.PathType == nil || *path.PathType != implSpecific {
  	if isValid := validPathType.MatchString(path.Path); !isValid {
  	err = errors.Join(err, fmt.Errorf("path %s cannot be used with pathType %s", path.Path, string(*path.PathType)))
  	}
  	}
  	}
  	}
  	}
  	return err
  	}

and toggle them behind validate-strict-path, to have an opt-in unless we are on 2.0.0.

https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/ may fits, too. But its would be a strategy design, we future validation should done by Kubernetes it-self or nginx.

While ValidatingAdmissionPolicy sound great first, it my not work, if ingress-nginx runs on a namespace scope. ValidatingAdmissionWebhook, doesn't work on namespace scope, too. But ingress-nginx will reject invalid ingress objects without ValidatingAdmissionWebhook, too.

from ingress-nginx.