mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-09-15 14:14:39 +00:00
Fix prefixing bug in import verifier
In order to check if an import is of an allowed tree, we need to check that the import is either literally to the base of the tree or that the import is below the tree (the import, suffixed with `/`, should be a prefix) instead of checking simply that the import is a prefix of the allowed tree, as that causes issues with packages that are prefixes of each other, like `k8s.io/api` and `k8s.io/apimachinery`. Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
This commit is contained in:
Steve Kuznetsov
8
cmd/importverifier/OWNERS
Normal file
8
cmd/importverifier/OWNERS
Normal file
@@ -0,0 +1,8 @@
|
||||
reviewers:
|
||||
- stevekuznetsov
|
||||
- deads2k
|
||||
- sttts
|
||||
approvers:
|
||||
- stevekuznetsov
|
||||
- deads2k
|
||||
- sttts
|
||||
@@ -152,7 +152,9 @@ func (i *ImportRestriction) isForbidden(imp string) bool {
|
||||
importsBelowBase := strings.HasPrefix(imp, i.BaseDir)
|
||||
importsAllowed := false
|
||||
for _, allowed := range i.AllowedImports {
|
||||
importsAllowed = importsAllowed || strings.HasPrefix(imp, allowed)
|
||||
exactlyImportsAllowed := imp == allowed
|
||||
importsBelowAllowed := strings.HasPrefix(imp, fmt.Sprintf("%s/", allowed))
|
||||
importsAllowed = importsAllowed || (importsBelowAllowed || exactlyImportsAllowed)
|
||||
}
|
||||
|
||||
return importsBelowRoot && !importsBelowBase && !importsAllowed
|
||||
|
||||
Reference in New Issue
Block a user