feat: validate the operator in vars (#2911)

Fix #2878
2024-12-03 12:37:36 +08:00 · 2020-12-02 15:37:07 +08:00 · 2020-12-02 15:37:07 +08:00 · bbbd10e1b3
commit bbbd10e1b3
parent a019b4e4d0
7 changed files with 118 additions and 4 deletions
--- a/apisix/admin/routes.lua
+++ b/apisix/admin/routes.lua
@ -14,6 +14,7 @@
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 --
+local expr = require("resty.expr.v1")
 local core = require("apisix.core")
 local schema_plugin = require("apisix.admin.plugins").check_schema
 local upstreams = require("apisix.admin.upstreams")
@ -113,6 +114,13 @@ local function check_conf(id, conf, need_id)
        end
    end

+    if conf.vars then
+        ok, err = expr.new(conf.vars)
+        if not ok then
+            return nil, {error_msg = "failed to validate the 'vars' expression: " .. err}
+        end
+    end
+
    if conf.filter_func then
        local func, err = loadstring("return " .. conf.filter_func)
        if not func then
--- a/apisix/http/route.lua
+++ b/apisix/http/route.lua
@ -0,0 +1,42 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local expr = require("resty.expr.v1")
+local plugin_checker = require("apisix.plugin").plugin_checker
+
+
+local _M = {}
+
+
+-- additional check for synced route configuration, run after schema check
+function _M.check_route(route)
+    local ok, err = plugin_checker(route)
+    if not ok then
+        return nil, err
+    end
+
+    if route.vars then
+        ok, err = expr.new(route.vars)
+        if not ok then
+            return nil, "failed to validate the 'vars' expression: " .. err
+        end
+    end
+
+    return true
+end
+
+
+return _M
--- a/apisix/http/router/radixtree_host_uri.lua
+++ b/apisix/http/router/radixtree_host_uri.lua
@ -17,7 +17,7 @@
 local require = require
 local router = require("resty.radixtree")
 local core = require("apisix.core")
-local plugin_checker = require("apisix.plugin").plugin_checker
+local http_route = require("apisix.http.route")
 local ipairs = ipairs
 local type = type
 local error = error
@ -161,7 +161,7 @@ function _M.init_worker(filter)
    user_routes, err = core.config.new("/routes", {
            automatic = true,
            item_schema = core.schema.route,
-            checker = plugin_checker,
+            checker = http_route.check_route,
            filter = filter,
        })
    if not user_routes then
--- a/apisix/http/router/radixtree_uri.lua
+++ b/apisix/http/router/radixtree_uri.lua
@ -17,7 +17,7 @@
 local require = require
 local router = require("resty.radixtree")
 local core = require("apisix.core")
-local plugin_checker = require("apisix.plugin").plugin_checker
+local http_route = require("apisix.http.route")
 local ipairs = ipairs
 local type = type
 local error = error
@ -117,7 +117,7 @@ function _M.init_worker(filter)
    user_routes, err = core.config.new("/routes", {
            automatic = true,
            item_schema = core.schema.route,
-            checker = plugin_checker,
+            checker = http_route.check_route,
            filter = filter,
        })
    if not user_routes then
--- a/rockspec/apisix-master-0.rockspec
+++ b/rockspec/apisix-master-0.rockspec
@ -55,6 +55,7 @@ dependencies = {
    "base64 = 1.5-2",
    "dkjson = 2.5-2",
    "resty-redis-cluster = 1.02-4",
+    "lua-resty-expr = 1.0.0",
 }

 build = {
--- a/t/admin/routes.t
+++ b/t/admin/routes.t
@ -2534,3 +2534,38 @@ GET /t
 passed
 --- no_error_log
 [error]
+
+
+
+=== TEST 68: invalid route: bad vars operator
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [=[{
+                    "methods": ["GET"],
+                    "vars": [["remote_addr", "=", "127.0.0.1"]],
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:8080": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "desc": "new route",
+                    "uri": "/index.html"
+                }]=]
+                )
+
+            ngx.status = code
+            ngx.print(body)
+        }
+    }
+--- request
+GET /t
+--- error_code: 400
+--- response_body
+{"error_msg":"failed to validate the 'vars' expression: invalid operator '='"}
+--- no_error_log
+[error]
--- a/t/config-center-yaml/route.t
+++ b/t/config-center-yaml/route.t
@ -203,3 +203,31 @@ routes:
 --- request
 GET /hello
 --- error_code: 403
+
+
+
+=== TEST 8: invalid route, bad vars operator
+--- yaml_config
+apisix:
+    node_listen: 1984
+    config_center: yaml
+    enable_admin: false
+    router:
+        http: "radixtree_host_uri"
+--- apisix_yaml
+routes:
+  -
+    id: 1
+    uri: /hello
+    vars:
+        - remote_addr
+        - =
+        - 1
+    upstream:
+        nodes:
+            "127.0.0.1:1980": 1
+        type: roundrobin
+#END
+--- request
+GET /hello
+--- error_code: 404