From: Willy Tarreau
Date: Sat, 3 Feb 2024 10:55:26 +0000 (+0100)
Subject: MINOR: acl: add extra diagnostics about suspicious string patterns
X-Git-Tag: v3.0-dev3~89
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=52cc45dfa5bb9db69697a2dc98d6fcc3216addb9;p=thirdparty%2Fhaproxy.git

MINOR: acl: add extra diagnostics about suspicious string patterns

As noticed in this thread, some bogus configurations are not always easy to spot:

  https://www.mail-archive.com/haproxy@formilux.org/msg44558.html

Here it was about config keywords being used in ACL patterns where strings were expected, hence they're always valid. Since we have the diag mode (-dD), we can perform some extra checks when it's used, and emit them to suggest to the user that there might be an issue.

Here we detect a few common words (logic such as "and"/"or"/"||" etc), C++/JS comments mistakenly used to try to isolate final args, and words that have the exact name of a sample fetch or an ACL keyword. These checks are only done in diag mode of course.

---
diff --git a/src/acl.c b/src/acl.c
index 8ef2b7d7bb..52a71f38e6 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -546,6 +546,25 @@ struct acl_expr *parse_acl_expr(const char **args, char **err, struct arg_list * */ if (!pat_ref_add(ref, arg, NULL, err)) goto out_free_expr; + + if (global.mode & MODE_DIAG) { + if (strcmp(arg, "&&") == 0 || strcmp(arg, "and") == 0 || + strcmp(arg, "||") == 0 || strcmp(arg, "or") == 0) + ha_diag_warning("parsing [%s:%d] : pattern '%s' looks like a failed attempt at using an operator inside a pattern list\n", file, line, arg); + else if (strcmp(arg, "#") == 0 || strcmp(arg, "//") == 0) + ha_diag_warning("parsing [%s:%d] : pattern '%s' looks like a failed attempt at commenting an end of line\n", file, line, arg); + else if (find_acl_kw(arg)) + ha_diag_warning("parsing [%s:%d] : pattern '%s' suspiciously looks like a known acl keyword\n", file, line, arg); + else { + const char *begw = arg, *endw; + + for (endw = begw; is_idchar(*endw); endw++) + ; + + if (endw != begw && find_sample_fetch(begw, endw - begw)) + ha_diag_warning("parsing [%s:%d] : pattern '%s' suspiciously looks like a known sample fetch keyword\n", file, line, arg); + } + } args++; }
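Review bot: the two keyword checks in this hunk are inconsistent in what they match. `find_acl_kw(arg)` is applied to the whole argument, so an ACL keyword written with its arguments in parentheses (anything that is not byte-for-byte the keyword name) never takes that branch and is only reported if its leading identifier also happens to be a sample fetch; the sample-fetch branch, by contrast, first isolates the leading run of `is_idchar()` characters and matches on that prefix only. Consider hoisting the `begw`/`endw` extraction above the `else if (find_acl_kw(arg))` test and passing the same prefix to both lookups, e.g. `else if (endw != begw && find_acl_kw_len(begw, endw - begw))` if such a length-bounded lookup exists, or a local `strncmp`-based equivalent. Two smaller points: the sample-fetch warning prints the full `arg` while the match was on its prefix, so the message could state which leading word matched to avoid puzzling users whose pattern merely starts with a fetch name; and the new block carries no comment explaining that these are heuristics for operators and keywords mistakenly placed inside a pattern list, which the next reader of `parse_acl_expr()` will want since the strings being compared ("&&", "#", "//") look arbitrary without that context.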