fix(api): compile header *value* regexp for scope rules#155
Open
MrEchoFi wants to merge 1 commit into
Open
Conversation
SetScope compiled rule.Header.Key twice, so a scope rule's header **value** pattern was silently ignored and replaced by the key pattern. Scope drives which traffic is shown/logged/intercepted, so this caused incorrect matching: rules meant to match on a header value matched on the header key instead, both missing intended in-scope traffic and including unintended traffic.
MrEchoFi
force-pushed
the
fix/scope-header-value-regex
branch
from
71bf589 to
18f9d2b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
While reading through the scope handling, I noticed a small copy-paste slip in
SetScope(pkg/api/resolvers.go): the header value regexp is compiled fromrule.Header.Keyinstead ofrule.Header.Value. So the key pattern gets compiled twice and the value pattern a user sets is silently thrown away.Since scope decides what traffic Hetty logs, shows, and intercepts, this quietly breaks any rule that's meant to match on a header's value — it ends up matching on the header key instead. That means some in-scope traffic gets missed, and some out-of-scope traffic sneaks in, with no error to hint at why.
It's a one-line fix:
Before:
After:
No API or behavior change beyond making the header-value matcher actually use the value pattern like it's supposed to.