MINOR: Refine route-acl rules to prevent unintended prefix matches

Since `route-acl` annotated rules take precedence over others, this commit updates its behavior to ensure they do not unintentionally overwrite other rules that share the same prefix. For example, a rule matching the path /api should not inadvertently handle requests to /apiary.
haproxytech · Jan 9, 2025 · d40fa9d · d40fa9d
1 parent 1fba224
commit d40fa9d
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/.aspell.yml b/.aspell.yml
@@ -1,6 +1,7 @@
 mode: commit
 min_length: 3
 allowed:
+  - acl
   - aspell
   - repo
   - yaml

diff --git a/pkg/route/route.go b/pkg/route/route.go
@@ -110,7 +110,12 @@ func AddCustomRoute(route Route, routeACLAnn string, api api.HAProxyClient) (err
 		if route.Path.PathTypeMatch == store.PATH_TYPE_EXACT {
 			routeCond = fmt.Sprintf("%s{ path %s }", routeCond, route.Path.Path)
 		} else {
-			routeCond = fmt.Sprintf("%s{ path -m beg %s }", routeCond, route.Path.Path)
+			if route.Path.Path == "/" {
+				routeCond = fmt.Sprintf("%s{ path -m beg %s }", routeCond, route.Path.Path)
+			} else {
+				path := strings.TrimSuffix(route.Path.Path, "/")
+				routeCond = fmt.Sprintf("%s{ path -m reg ^%s($|/) }", routeCond, path)
+			}
 		}
 	}
 	routeCond = fmt.Sprintf("%s { %s } ", routeCond, routeACLAnn)