policy: match bundle id from begining to end

Match ^ and $ to ensure the bundle id is the only thing in the string. Signed-off-by: Saul Paredes <[email protected]>
microsoft · Jan 7, 2025 · 58bfb1a · 58bfb1a
1 parent 5daba07
commit 58bfb1a
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
@@ -54,7 +54,7 @@ default AllowRequestsFailingPolicy := false
 # Constants
 S_NAME_KEY = "io.kubernetes.cri.sandbox-name"
 S_NAMESPACE_KEY = "io.kubernetes.cri.sandbox-namespace"
-EXPECTED_BUNDLE_ID_FORMAT = "[a-z0-9]{64}"
+BUNDLE_ID = "[a-z0-9]{64}$"
 
 CreateContainerRequest {
     # Check if the input request should be rejected even before checking the
@@ -467,7 +467,8 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
     print("allow_by_bundle_or_sandbox_id: start")
 
     bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
-    regex.match(EXPECTED_BUNDLE_ID_FORMAT, bundle_path)
+    bundle_id_format := concat("", ["^", BUNDLE_ID])
+    regex.match(bundle_id_format, bundle_path)
 
     bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
 
@@ -1229,10 +1230,12 @@ CopyFileRequest {
     some regex1 in policy_data.request_defaults.CopyFileRequest
     regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
     regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
-    regex4 := replace(regex3, "$(bundle-id)", EXPECTED_BUNDLE_ID_FORMAT)
+    regex4 := replace(regex3, "$(bundle-id)", BUNDLE_ID)
     print("CopyFileRequest: regex4 =", regex4)
 
-    regex.match(regex4, input.path)
+    regex5 := concat("", ["^", regex4])
+
+    regex.match(regex5, input.path)
 
     print("CopyFileRequest: true")
 }