Update the reg-exp to match v2/catalog api (#13941)

A more strict check is applied such that all requests to
/v2/_catalog/...  will be verified.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit is contained in:
Daniel Jiang 2021-01-09 13:17:51 +08:00 committed by GitHub
parent d86b2be033
commit efa63d905a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 18 additions and 6 deletions

View File

@ -27,7 +27,7 @@ var (
// V2BlobUploadURLRe is the regular expression for matching the request to v2 handler to upload a blob, the upload uuid currently is not put into a group
V2BlobUploadURLRe = regexp.MustCompile(fmt.Sprintf(`^/v2/(?P<%s>%s)/blobs/uploads[/a-zA-Z0-9\-_\.=]*$`, RepositorySubexp, reference.NameRegexp.String()))
// V2CatalogURLRe is the regular expression for mathing the request to v2 handler to list catalog
V2CatalogURLRe = regexp.MustCompile(`^/v2/_catalog/?$`)
V2CatalogURLRe = regexp.MustCompile(`^/v2/_catalog(/.*)?$`)
)
// MatchManifestURLPattern checks whether the provided path matches the manifest URL pattern,

View File

@ -80,12 +80,25 @@ func TestMatchCatalogURLPattern(t *testing.T) {
url: "/v2/_catalog/",
match: true,
},
{
url: "/v2/_catalog////",
match: true,
},
{
url: "/v2/_catalog/xxx",
match: false,
match: true,
},
{
url: "/v2/_catalog////#",
match: true,
},
{
url: "/v2/_catalog//#//",
match: true,
},
}
for _, c := range cases {
assert.Equal(t, c.match, len(V2CatalogURLRe.FindStringSubmatch(c.url)) == 1)
assert.Equal(t, c.match, V2CatalogURLRe.MatchString(c.url), "failed for %s", c.url)
}
}

View File

@ -71,7 +71,7 @@ func accessList(req *http.Request) []access {
})
return l
}
if len(lib.V2CatalogURLRe.FindStringSubmatch(req.URL.Path)) == 1 {
if lib.V2CatalogURLRe.MatchString(req.URL.Path) {
l = append(l, access{
target: catalog,
})

View File

@ -88,8 +88,7 @@ func (rc *reqChecker) projectID(ctx context.Context, name string) (int64, error)
func getChallenge(req *http.Request, accessList []access) string {
logger := log.G(req.Context())
auth := req.Header.Get(authHeader)
if len(auth) > 0 ||
len(lib.V2CatalogURLRe.FindStringSubmatch(req.URL.Path)) == 1 {
if len(auth) > 0 || lib.V2CatalogURLRe.MatchString(req.URL.Path) {
// Return basic auth challenge by default, incl. request to '/v2/_catalog'
return `Basic realm="harbor"`
}