From 783979948d0868b632400ee2e1ff57a92d9ac32c Mon Sep 17 00:00:00 2001
From: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Tue, 15 Mar 2022 23:16:04 -0500
Subject: [PATCH] Fix - Incomplete regular expression for hostnames (#1993)

Fixed the codeql issue
```
Sanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts. If a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping regular-expression meta-characters such as .. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behavior when it accidentally succeeds.
```
---
 pkg/constants/constants.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index a1df904b4..2fc63d392 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -20,7 +20,7 @@ const (
  // RootDir is the path to the root directory
  RootDir = "/"
- //KanikoDir is the path to the Kaniko directory
+ // KanikoDir is the path to the Kaniko directory
  KanikoDir = "/kaniko"
  IgnoreListPath = "/proc/self/mountinfo"
@@ -76,8 +76,9 @@ const (
 var ScratchEnvVars = []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}
 // AzureBlobStorageHostRegEx is ReqEX for Valid azure blob storage host suffix in url for AzureCloud, AzureChinaCloud, AzureGermanCloud and AzureUSGovernment
-var AzureBlobStorageHostRegEx = []string{"https://(.+?).blob.core.windows.net/(.+)",
- "https://(.+?).blob.core.chinacloudapi.cn/(.+)",
- "https://(.+?).blob.core.cloudapi.de/(.+)",
- "https://(.+?).blob.core.usgovcloudapi.net/(.+)",
+var AzureBlobStorageHostRegEx = []string{
+ "https://(.+?)\\.blob\\.core\\.windows\\.net/(.+)",
+ "https://(.+?)\\.blob\\.core\\.chinacloudapi\\.cn/(.+)",
+ "https://(.+?)\\.blob\\.core\\.cloudapi\\.de/(.+)",
+ "https://(.+?)\\.blob\\.core\\.usgovcloudapi\\.net/(.+)",
 }
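Review bot: The four added patterns are still unanchored and the host capture `(.+?)` admits `/`, so the escaped dots close only the wildcard-dot hole: a constructed input such as `https://other.example/x.blob.core.windows.net/y` still matches, with the captured "host" spanning a foreign origin. Anchor each entry and keep the first group to non-slash characters, e.g. `^https://([^/]+?)\.blob\.core\.windows\.net/(.+)$`, and apply the same shape to the other three entries; how the slice is consumed (a full-match check versus a search) is outside this hunk, so whether anchoring is already imposed at the call site should be confirmed. Since the escaped dots are now the point of these literals, raw string literals in backticks would avoid the doubled backslashes and make the patterns easier to audit. The doc comment on the context line above reads "ReqEX" where "RegEx" is meant.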