fix: blocklist fails open when a regex fails to compile #87

Merged
benvin merged 1 commit from benvin/validate-remote-patterns into master 2026-07-02 20:19:29 +10:00
Owner

Fixes #72

Why

compilePatterns silently discards any pattern that fails to compile. A typo in a blocklist entry therefore turns a deny rule into a no-op — a fail-open with security impact.

Changes

  • Add Remote.ValidatePatterns, which compiles every pattern list (patterns, blocklist, mutable/immutable patterns, ban_tags) and returns an error on the first invalid regex.
  • Reject invalid patterns with 400 at remote create and update time.
  • Unit test for valid and invalid patterns.

Validation

  • go test ./pkg/models/ and make e2e pass.
unkinben added 1 commit 2026-07-02 00:32:18 +10:00
fix: validate remote regex patterns at write time
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
65c8281348
compilePatterns silently drops any pattern that fails to compile, so a
mistyped blocklist entry became a no-op (fail-open). Reject invalid
patterns when a remote is created or updated via Remote.ValidatePatterns,
returning 400 instead of storing a rule that never matches.

Refs #72
benvin merged commit f0e44d6810 into master 2026-07-02 20:19:29 +10:00
benvin deleted branch benvin/validate-remote-patterns 2026-07-02 20:19:30 +10:00
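
An added illustration of the fail-open this pull request describes, next to a write-time check. It is not the project's code: `compileLenient`, `blocked` and `validatePatterns` are hypothetical stand-ins, and the blocklist entries are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// compileLenient reproduces the failure mode: invalid patterns are skipped.
func compileLenient(patterns []string) []*regexp.Regexp {
	var out []*regexp.Regexp
	for _, p := range patterns {
		if re, err := regexp.Compile(p); err == nil {
			out = append(out, re)
		} // else: silently dropped, so the deny rule becomes a no-op
	}
	return out
}

// blocked reports whether any compiled deny rule matches name.
func blocked(rules []*regexp.Regexp, name string) bool {
	for _, re := range rules {
		if re.MatchString(name) {
			return true
		}
	}
	return false
}

// validatePatterns (hypothetical helper) rejects a list at write time,
// returning an error that names the first pattern that does not compile.
func validatePatterns(listName string, patterns []string) error {
	for i, p := range patterns {
		if _, err := regexp.Compile(p); err != nil {
			return fmt.Errorf("%s[%d] %q: %w", listName, i, p, err)
		}
	}
	return nil
}

func main() {
	// Constructed blocklist: the second entry is missing its closing ")".
	blocklist := []string{`^internal/.*`, `^secret-(prod|staging/.*`}
	rules := compileLenient(blocklist)
	fmt.Println("rules kept:", len(rules))
	fmt.Println("secret-prod/key.pem blocked:", blocked(rules, "secret-prod/key.pem"))
	fmt.Println("write-time check:", validatePatterns("blocklist", blocklist))
}
```

With lenient compilation the mistyped entry disappears and the path it was meant to deny is allowed; the write-time check returns an error that a handler can turn into a 400.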
Reference: unkin/artifactapi#87