add check for the forward slash (#2270)

* add check for the forward slash Signed-off-by: slayer321 <sachin.maurya7666@gmail.com> * fix errors Signed-off-by: slayer321 <sachin.maurya7666@gmail.com> * fix minor errors Signed-off-by: slayer321 <sachin.maurya7666@gmail.com> * fix regex Signed-off-by: slayer321 <sachin.maurya7666@gmail.com> * fix error message Signed-off-by: slayer321 <sachin.maurya7666@gmail.com>
2025-03-31 03:45:17 +00:00 · 2021-09-06 02:52:51 -07:00 · 2021-09-06 02:52:51 -07:00 · 0d1b662134
commit 0d1b662134
parent eca7d455f7
1 changed files with 42 additions and 0 deletions
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -5,8 +5,10 @@ import (
 	"errors"
 	"fmt"
 	"reflect"
+	"regexp"
 	"strings"

+	jsonpatch "github.com/evanphx/json-patch/v5"
 	"github.com/jmespath/go-jmespath"
 	c "github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/engine"
@ -21,9 +23,44 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/yaml"
 	log "sigs.k8s.io/controller-runtime/pkg/log"
 )

+// validateJSONPatchPathForForwardSlash checks for forward slash
+func validateJSONPatchPathForForwardSlash(patch string) error {
+
+	re, err := regexp.Compile("^/")
+	if err != nil {
+		return err
+	}
+
+	jsonPatch, err := yaml.ToJSON([]byte(patch))
+	if err != nil {
+		return err
+	}
+
+	decodedPatch, err := jsonpatch.DecodePatch(jsonPatch)
+	if err != nil {
+		return err
+	}
+
+	for _, operation := range decodedPatch {
+		path, err := operation.Path()
+		if err != nil {
+			return err
+		}
+
+		val := re.MatchString(path)
+
+		if !val {
+			return fmt.Errorf("%s", path)
+		}
+
+	}
+	return nil
+}
+
 // Validate does some initial check to verify some conditions
 // - One operation per rule
 // - ResourceDescription mandatory checks
@ -51,6 +88,11 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 	}

 	for i, rule := range p.Spec.Rules {
+		//check for forward slash
+		if err := validateJSONPatchPathForForwardSlash(rule.Mutation.PatchesJSON6902); err != nil {
+			return fmt.Errorf("path must begin with a forward slash: spec.rules[%d]: %s", i, err)
+		}
+
 		if jsonPatchOnPod(rule) {
 			log.Log.V(1).Info("pods managed by workload controllers cannot be mutated using policies. Use the auto-gen feature or write policies that match pod controllers.")
 		}