fix: bug in overlap detection of cert SANs #7234
Merged
+40
−25
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
rudrakhp
force-pushed
the
san_overlap_detection
branch
from
359db88 to
a84a2d4
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7234 +/- ##
==========================================
+ Coverage 71.12% 71.13% +0.01%
==========================================
Files 228 228
Lines 40703 40709 +6
==========================================
+ Hits 28949 28959 +10
+ Misses 10061 10057 -4
Partials 1693 1693 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
jukie
approved these changes
Oct 14, 2025
kkk777-7
approved these changes
Oct 15, 2025
Member
Author
|
/retest |
zhaohuabing
reviewed
Oct 15, 2025
| t.Run(tt.name, func(t *testing.T) { | ||
| if got := isOverlappingHostname(tt.hostname1, tt.hostname2); got != tt.want { | ||
| if got := areOverlappingHostnames(tt.hostname1, tt.hostname2); got != tt.want { | ||
| t.Errorf("isOverlappingHostname(%q, %q) = %v, want %v", ptr.Deref(tt.hostname1, ""), ptr.Deref(tt.hostname2, ""), got, tt.want) |
Member
There was a problem hiding this comment.
Nit:
Suggested change
| t.Errorf("isOverlappingHostname(%q, %q) = %v, want %v", ptr.Deref(tt.hostname1, ""), ptr.Deref(tt.hostname2, ""), got, tt.want) | |
| t.Errorf("areOverlappingHostnames(%q, %q) = %v, want %v", ptr.Deref(tt.hostname1, ""), ptr.Deref(tt.hostname2, ""), got, tt.want) |
zhaohuabing
reviewed
Oct 15, 2025
| // Test should be symmetric | ||
| if got := isOverlappingHostname(tt.hostname2, tt.hostname1); got != tt.want { | ||
| if got := areOverlappingHostnames(tt.hostname2, tt.hostname1); got != tt.want { | ||
| t.Errorf("isOverlappingHostname(%q, %q) = %v, want %v", ptr.Deref(tt.hostname2, ""), ptr.Deref(tt.hostname1, ""), got, tt.want) |
Member
There was a problem hiding this comment.
Nit:
Suggested change
| t.Errorf("isOverlappingHostname(%q, %q) = %v, want %v", ptr.Deref(tt.hostname2, ""), ptr.Deref(tt.hostname1, ""), got, tt.want) | |
| t.Errorf("areOverlappingHostnames(%q, %q) = %v, want %v", ptr.Deref(tt.hostname2, ""), ptr.Deref(tt.hostname1, ""), got, tt.want) |
zhaohuabing
approved these changes
Oct 15, 2025
Member
zhaohuabing
left a comment
zhaohuabing
left a comment
There was a problem hiding this comment.
LGTM. Thanks for fixing this!
shawnh2
pushed a commit
to shawnh2/gateway
that referenced
this pull request
Oct 15, 2025
Signed-off-by: shawnh2 <shawnhxh@outlook.com>
shawnh2
pushed a commit
to shawnh2/gateway
that referenced
this pull request
Oct 15, 2025
Signed-off-by: shawnh2 <shawnhxh@outlook.com>
arkodg
added a commit
that referenced
this pull request
Oct 15, 2025
* fix(xds-server): clear snapshot on stream close (#6618) * fix(xds-server): clear snapshot on stream close Signed-off-by: Zachary Vacura <zvacura@digitalocean.com> * check if there are other active connections before clearning the snapshot Signed-off-by: Zachary Vacura <zvacura@digitalocean.com> Signed-off-by: shawnh2 <shawnhxh@outlook.com> * bug: disable x-envoy-ratelimited by default (#7110) * bug: disable x-envoy-ratelimited by default * can be enabled with `enableEnvoyHeaders` in CTP Relates to #7034 Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix tests and release note Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix testdata Signed-off-by: Arko Dasgupta <arko@tetrate.io> --------- Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: shawnh2 <shawnhxh@outlook.com> * fix(translator): Fix panic with request mirror + grpcroute (#6875) Signed-off-by: Andrew Moreland <andy@andymoreland.com> Signed-off-by: shawnh2 <shawnhxh@outlook.com> * fix: bug in overlap detection of cert SANs (#7234) Signed-off-by: shawnh2 <shawnhxh@outlook.com> * bump golang for crypto/x509 reggression (#7236) Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: shawnh2 <shawnhxh@outlook.com> * fix gen-check Signed-off-by: shawnh2 <shawnhxh@outlook.com> --------- Signed-off-by: Zachary Vacura <zvacura@digitalocean.com> Signed-off-by: shawnh2 <shawnhxh@outlook.com> Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: Andrew Moreland <andy@andymoreland.com> Signed-off-by: zirain <zirain2009@gmail.com> Co-authored-by: Zach Vacura <zach@hackzzila.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: Andrew Moreland <andy@andymo.org> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com>
aburan28
pushed a commit
to aburan28/gateway
that referenced
this pull request
Oct 18, 2025
Signed-off-by: Adam Buran <aburan28@gmail.com>
zirain
pushed a commit
to zirain/gateway
that referenced
this pull request
Nov 14, 2025
zirain
pushed a commit
to zirain/gateway
that referenced
this pull request
Nov 14, 2025
Signed-off-by: zirain <zirain2009@gmail.com>
zirain
added a commit
that referenced
this pull request
Nov 14, 2025
* fix: bug in overlap detection of cert SANs (#7234) Signed-off-by: zirain <zirain2009@gmail.com> * fix(translator): Fix panic with request mirror + grpcroute (#6875) Signed-off-by: Andrew Moreland <andy@andymoreland.com> Signed-off-by: zirain <zirain2009@gmail.com> * fix: watch change for the ca cert in the Backend (#7294) * watch change for the ca cert in the Backend Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> * fix ipFamily not set in UDPListener (#7313) fix: set ipfamily in udpistener (#7312) Signed-off-by: cong <q1875486458@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> * coalesce updates to reduce intermediate updates (#7328) * coalesce updates to reduce redundant processing in subscription handler Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * retain order Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * keep intermediate delete updates Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * minor wording Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * treat delete as normal operations Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * retain the original order of the last updates for each key Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comments Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> * fix: port typo (#7397) Signed-off-by: cong <q1875486458@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> * fix: validate EnvoyGateway configuration before reload (#7412) Signed-off-by: zirain <zirain2009@gmail.com> * fix: missing jwt provider when jwt is configured on multiple listeners sharing the same port (#7337) * fix jwt provider missing when jwt is configured at multiple ir listeners Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> * fix: memory leak (#7429) Fix memory leak. Two watchable.Maps were never closed when shutting down the provider: - GatewayClassStatuses.Close() - missing in GatewayAPIStatuses.Close() - BackendTrafficPolicyStatuses.Close() - missing in PolicyStatuses.Close() Each unclosed map leaked 3 goroutines: 1. Internal watchable.Map.coalesce goroutine 2. HandleSubscription goroutine blocked on channel read 3. Error handler goroutine blocked on channel read Signed-off-by: Gonzalo Serrano <boikot@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> * fix gen after cherry-pick Signed-off-by: zirain <zirain2009@gmail.com> * fix watchutil test Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Andrew Moreland <andy@andymoreland.com> Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: cong <q1875486458@gmail.com> Signed-off-by: Gonzalo Serrano <boikot@gmail.com> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Co-authored-by: Andrew Moreland <andy@andymo.org> Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: 聪 <q1875486458@gmail.com> Co-authored-by: Gonzalo Serrano <boikot@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
fix: bug in overlap detection of cert SANs
What this PR does / why we need it:
Fix SAN overlap detection
Which issue(s) this PR fixes:
Fixes #7230
Release Notes: Yes