fix: abort validation if value could be processed (#7307)

* fix: abort validation if value could be processed Signed-off-by: bakito <github@bakito.ch> * add test to verify compareString is not executed for quantities Signed-off-by: bakito <github@bakito.ch> --------- Signed-off-by: bakito <github@bakito.ch>
2025-03-13 19:28:55 +00:00 · 2023-06-06 16:41:20 +02:00 · 2023-06-06 16:41:20 +02:00 · c92605b7a6
commit c92605b7a6
parent 9078acb92a
2 changed files with 42 additions and 25 deletions
--- a/pkg/engine/pattern/pattern.go
+++ b/pkg/engine/pattern/pattern.go
@ -205,61 +205,65 @@ func split(pattern string, r *regexp.Regexp) (string, string, bool) {
 }

 func validateString(log logr.Logger, value interface{}, pattern string, op operator.Operator) bool {
-	return compareDuration(log, value, pattern, op) ||
-		compareQuantity(log, value, pattern, op) ||
-		compareString(log, value, pattern, op)
+	if res, proc := compareDuration(log, value, pattern, op); proc {
+		return res
+	}
+	if res, proc := compareQuantity(log, value, pattern, op); proc {
+		return res
+	}
+	return compareString(log, value, pattern, op)
 }

-func compareDuration(log logr.Logger, value interface{}, pattern string, op operator.Operator) bool {
+func compareDuration(_ logr.Logger, value interface{}, pattern string, op operator.Operator) (res bool, processed bool) {
 	if pattern, err := time.ParseDuration(pattern); err != nil {
-		return false
+		return false, false
 	} else if value, err := convertNumberToString(value); err != nil {
-		return false
+		return false, false
 	} else if value, err := time.ParseDuration(value); err != nil {
-		return false
+		return false, false
 	} else {
 		switch op {
 		case operator.Equal:
-			return value == pattern
+			return value == pattern, true
 		case operator.NotEqual:
-			return value != pattern
+			return value != pattern, true
 		case operator.More:
-			return value > pattern
+			return value > pattern, true
 		case operator.Less:
-			return value < pattern
+			return value < pattern, true
 		case operator.MoreEqual:
-			return value >= pattern
+			return value >= pattern, true
 		case operator.LessEqual:
-			return value <= pattern
+			return value <= pattern, true
 		}
-		return false
+		return false, false
 	}
 }

-func compareQuantity(log logr.Logger, value interface{}, pattern string, op operator.Operator) bool {
+func compareQuantity(_ logr.Logger, value interface{}, pattern string, op operator.Operator) (res bool, processed bool) {
 	if pattern, err := apiresource.ParseQuantity(pattern); err != nil {
-		return false
+		return false, false
 	} else if value, err := convertNumberToString(value); err != nil {
-		return false
+		return false, false
 	} else if value, err := apiresource.ParseQuantity(value); err != nil {
-		return false
+		return false, false
 	} else {
 		result := value.Cmp(pattern)
 		switch op {
 		case operator.Equal:
-			return result == int(equal)
+			return result == int(equal), true
 		case operator.NotEqual:
-			return result != int(equal)
+			return result != int(equal), true
 		case operator.More:
-			return result == int(greaterThan)
+			return result == int(greaterThan), true
 		case operator.Less:
-			return result == int(lessThan)
+			return result == int(lessThan), true
 		case operator.MoreEqual:
-			return (result == int(equal)) || (result == int(greaterThan))
+			return (result == int(equal)) || (result == int(greaterThan)), true
 		case operator.LessEqual:
-			return (result == int(equal)) || (result == int(lessThan))
+			return (result == int(equal)) || (result == int(lessThan)), true
 		}
-		return false
+		return false, false
 	}
 }

--- a/pkg/engine/pattern/pattern_test.go
+++ b/pkg/engine/pattern/pattern_test.go
@ -2,9 +2,11 @@ package pattern

 import (
 	"regexp"
+	"strings"
 	"testing"

 	"github.com/go-logr/logr"
+	"github.com/go-logr/logr/funcr"
 	"github.com/kyverno/kyverno/pkg/engine/operator"
 	"gotest.tools/assert"
 )
@ -148,6 +150,17 @@ func TestValidateQuantity_Operation(t *testing.T) {
 	assert.Assert(t, validateString(logr.Discard(), "0.2", ".5", operator.NotEqual))
 }

+func TestValidateQuantity_Operation_No_String_Check(t *testing.T) {
+	log := funcr.New(
+		func(prefix, args string) {
+			assert.Assert(t, !strings.Contains(args, "Operators >, >=, <, <= are not applicable to strings"),
+				"the compareString function should not be executed")
+		},
+		funcr.Options{Verbosity: 2},
+	)
+	assert.Assert(t, !validateString(log, "500m", "0.6", operator.MoreEqual))
+}
+
 func TestGetOperatorFromStringPattern_OneChar(t *testing.T) {
 	assert.Equal(t, operator.GetOperatorFromStringPattern("f"), operator.Equal)
 }