fix(policy-engine): Preserve escaped patterns on policy args (#2688)

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Author: javirln

pkg/policies/policies.go

@@ -529,39 +529,45 @@ func getValue(values []string) any {
 	return lines[0]
 }
 
+// splitArgs splits a comma-separated string into a slice of trimmed values.
+//
+// It treats \, (backslash-comma) as an escaped comma, preserving it as a literal comma
+// in the output rather than using it as a delimiter. All other backslashes are preserved
+// as-is, which allows regex patterns and other escape sequences to pass through unchanged.
+//
+// Empty values (including those with only whitespace) are filtered out from the result.
+//
+// The function uses a temporary placeholder strategy to handle escaped commas:
+//  1. Replace all \, with a unique placeholder
+//  2. Split on unescaped commas
+//  3. Restore placeholders back to commas
+//  4. Trim whitespace and filter empty strings
+//
+// Examples:
+//   - "a,b,c" -> ["a", "b", "c"]
+//   - "a\\,b,c" -> ["a,b", "c"]  (escaped comma becomes literal comma)
+//   - "\\d+,\\s+" -> ["\\d+", "\\s+"]  (regex patterns preserved)
+//   - ",a,,b," -> ["a", "b"]  (empty values filtered out)
+//   - "a\\,b\\,c" -> ["a,b,c"]  (multiple escaped commas)
 func splitArgs(s string) []string {
-	var result []string
-	var current strings.Builder
-	escaped := false
-
-	for i := 0; i < len(s); i++ {
-		c := s[i]
+	// Use a placeholder that's unlikely to appear in normal input
+	const placeholder = "$=$$ESCAPED_COMMA$$=$"
 
-		if escaped {
-			current.WriteByte(c)
-			escaped = false
-			continue
-		}
+	// Replace escaped commas with placeholder
+	s = strings.ReplaceAll(s, `\,`, placeholder)
 
-		if c == '\\' {
-			escaped = true
-			continue
-		}
+	// Split by unescaped commas
+	parts := strings.Split(s, ",")
 
-		if c == ',' {
-			// Unescaped comma: split here
-			result = append(result, strings.TrimSpace(current.String()))
-			current.Reset()
-		} else {
-			current.WriteByte(c)
+	// Restore escaped commas and trim spaces
+	result := make([]string, 0, len(parts))
+	for _, part := range parts {
+		trimmed := strings.TrimSpace(strings.ReplaceAll(part, placeholder, ","))
+		if trimmed != "" {
+			result = append(result, trimmed)
 		}
 	}
 
-	// Add the final part
-	if current.Len() > 0 {
-		result = append(result, strings.TrimSpace(current.String()))
-	}
-
 	return result
 }
 

pkg/policies/policies_test.go

@@ -807,6 +807,31 @@ func (s *testSuite) TestGetInputArguments() {
 			inputs:   map[string]string{"foo": "bar1,bar2,bar3", "bar": "baz", "foos": "bar1\nbar2\nbar3\n"},
 			expected: map[string]any{"foo": []string{"bar1", "bar2", "bar3"}, "bar": "baz", "foos": []string{"bar1", "bar2", "bar3"}},
 		},
+		{
+			name:     "regex with escaped parameters",
+			inputs:   map[string]string{"pattern": "[A-Z][A-Z0-9_]+-\\d+"},
+			expected: map[string]any{"pattern": `[A-Z][A-Z0-9_]+-\d+`},
+		},
+		{
+			name:     "regex with multiple backslashes",
+			inputs:   map[string]string{"pattern": "\\d+\\s+\\w+"},
+			expected: map[string]any{"pattern": `\d+\s+\w+`},
+		},
+		{
+			name:     "mixed escaped comma and regex",
+			inputs:   map[string]string{"patterns": "\\d+\\,test,\\w+"},
+			expected: map[string]any{"patterns": []string{`\d+,test`, `\w+`}},
+		},
+		{
+			name:     "backslash at end",
+			inputs:   map[string]string{"foo": "bar\\"},
+			expected: map[string]any{"foo": `bar\`},
+		},
+		{
+			name:     "double backslash",
+			inputs:   map[string]string{"foo": "bar\\\\baz"},
+			expected: map[string]any{"foo": `bar\\baz`},
+		},
 	}
 
 	for _, tc := range cases {