Fetch the repository succeeded.
From ff132ef73f293a5627a4dae58417a2c571fb6674 Mon Sep 17 00:00:00 2001
From: chenjiayi <chenjiayi22@huawei.com>
Date: Mon, 10 Mar 2025 14:34:55 +0800
Subject: [PATCH 1/1] fix: permit dots in the resource policy id
The resource policy id ends with '.rego', thus dots should be allowed
when checking the legitimacy of resource policy id.
---
.../src/resource/policy/mod.rs | 16 ++++++++++++
.../src/resource/policy/opa/mod.rs | 25 +++++++++++++------
2 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/service/attestation/attestation-types/src/resource/policy/mod.rs b/service/attestation/attestation-types/src/resource/policy/mod.rs
index 6ad05dd..46f46ae 100644
--- a/service/attestation/attestation-types/src/resource/policy/mod.rs
+++ b/service/attestation/attestation-types/src/resource/policy/mod.rs
@@ -33,6 +33,22 @@ pub struct PolicyLocation {
pub id: String,
}
+impl PolicyLocation {
+ pub(crate) fn check_legal(&self) -> bool {
+ if let Some(v) = &self.vendor {
+ if v.contains(['.', '/']) {
+ return false;
+ }
+ }
+
+ if self.id.contains(['/']) || !self.id.ends_with(".rego") {
+ return false;
+ }
+
+ true
+ }
+}
+
impl std::convert::From<PolicyLocation> for String {
fn from(value: PolicyLocation) -> Self {
format!("{}", value)
diff --git a/service/attestation/attestation-types/src/resource/policy/opa/mod.rs b/service/attestation/attestation-types/src/resource/policy/opa/mod.rs
index 8e2486a..d702061 100644
--- a/service/attestation/attestation-types/src/resource/policy/opa/mod.rs
+++ b/service/attestation/attestation-types/src/resource/policy/opa/mod.rs
@@ -16,7 +16,7 @@ use crate::resource::{
policy::PolicyEngine,
ResourceLocation, DEFAULT_VENDOR_BASE,
};
-use anyhow::{bail, Context};
+use anyhow::Context;
use async_trait::async_trait;
use std::path::PathBuf;
@@ -33,7 +33,16 @@ impl OpenPolicyAgent {
OpenPolicyAgent { base }
}
- pub(crate) fn regular(&self, vendor: &str) -> Result<PathBuf> {
+ pub(crate) fn regular_policy(&self, policy: &PolicyLocation) -> Result<PathBuf> {
+ let p = policy.to_string();
+ if !policy.check_legal() {
+ return Err(ResourceError::IllegalPolicyLocation(p));
+ }
+
+ Ok(self.base.join(p))
+ }
+
+ pub(crate) fn regular_vendor(&self, vendor: &str) -> Result<PathBuf> {
if !Self::check_vendor_legal(vendor) {
return Err(ResourceError::IllegalVendor(vendor.to_string()));
}
@@ -48,7 +57,7 @@ impl OpenPolicyAgent {
}
pub(crate) fn check_vendor_legal(vendor: &str) -> bool {
- if vendor.contains('.') {
+ if vendor.contains(['.', '/']) {
return false;
}
true
@@ -157,13 +166,13 @@ impl PolicyEngine for OpenPolicyAgent {
}
async fn get_policy(&self, path: PolicyLocation) -> Result<String> {
- let p = self.regular(&format!("{}", path))?;
+ let p = self.regular_policy(&path)?;
let raw = tokio::fs::read(p).await?;
Ok(String::from_utf8(raw)?)
}
async fn add_policy(&self, path: PolicyLocation, policy: &str) -> Result<()> {
- let p = self.regular(&format!("{}", path))?;
+ let p = self.regular_policy(&path)?;
if let Some(parent) = p.parent() {
if let Err(e) = tokio::fs::create_dir_all(parent).await {
log::warn!(
@@ -178,7 +187,7 @@ impl PolicyEngine for OpenPolicyAgent {
}
async fn delete_policy(&self, path: PolicyLocation) -> Result<()> {
- let p = self.regular(&format!("{}", path))?;
+ let p = self.regular_policy(&path)?;
tokio::fs::remove_file(p).await?;
Ok(())
}
@@ -221,7 +230,7 @@ impl PolicyEngine for OpenPolicyAgent {
}
async fn get_all_policy_in_vendor(&self, vendor: &str) -> Result<Vec<PolicyLocation>> {
- let vendor_dir = self.regular(vendor)?;
+ let vendor_dir = self.regular_vendor(vendor)?;
let mut dir = tokio::fs::read_dir(vendor_dir).await?;
let mut ret: Vec<PolicyLocation> = vec![];
while let Some(d) = dir.next_entry().await? {
@@ -285,7 +294,7 @@ impl PolicyEngine for OpenPolicyAgent {
}
async fn clear_all_policy_in_vendor(&self, vendor: &str) -> Result<()> {
- let vendor_dir = self.regular(vendor)?;
+ let vendor_dir = self.regular_vendor(vendor)?;
let md = tokio::fs::metadata(&vendor_dir)
.await
.context("fetching metadata failed")?;
--
2.46.0
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手