Skip to content

Domain is passed as a REGEX pattern, not a literal string.#12937

Open
daviftorres wants to merge 8 commits intoapache:mainfrom
daviftorres:domain-name-regex-characters-not-scaped
Open

Domain is passed as a REGEX pattern, not a literal string.#12937
daviftorres wants to merge 8 commits intoapache:mainfrom
daviftorres:domain-name-regex-characters-not-scaped

Conversation

@daviftorres
Copy link
Copy Markdown
Contributor

@daviftorres daviftorres commented Mar 31, 2026

Description

This change ensures consistency with how paths are parsed when updating a domain path.

The modified line was passing the domain name as a literal string, but it is actually interpreted as a regular expression internally.

I couldn’t find a way to exploit this issue, but it could still cause data corruption if a domain name accidentally contains regex metacharacters.

Note that this same technique is already used in a similar situation on line 1118.

A common example is when an organization uses its DNS name as the "domain" (tenant), like company.com.

In this case, the . (dot) is treated as a regex wildcard, meaning it can match any character...

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

image

How Has This Been Tested?

This fix was not tested. I am not a Java developer, and I have no skill for such a thing.

How did you try to break this feature and the system with this change?

I could trigger, but I could not exploit this bug.

image

@daviftorres
Merge pull request #1 from apache/main
9755ba5 
Pulling upstream.
@daviftorres
Merge branch 'apache:main' into main
e476a68
@daviftorres
Merge branch 'apache:main' into main
de4adaa
@daviftorres
Merge branch 'apache:main' into main
efafe00
@daviftorres
Merge branch 'apache:main' into main
6e9af51
@daviftorres
Merge branch 'apache:main' into main
b6b5bfd
@daviftorres
Domain is passed as a REGEX pattern, not a literal string.
274c5f7 
This change ensures consistency with how paths are parsed when updating a domain path.

The modified line was passing the domain name as a literal string, but it is actually interpreted as a regular expression internally.

I couldn’t find a way to exploit this issue, but it could still cause data corruption if a domain name accidentally contains regex metacharacters.

Note that this same technique is already used in a similar situation on line 1118.

A common example is when an organization uses its DNS name as the "domain" (tenant), like `company.com`.

In this case, the `.` (dot) is treated as a regex wildcard, meaning it can match any character...
DaanHoogland
DaanHoogland reviewed Mar 31, 2026
View reviewed changes
server/src/main/java/com/cloud/user/DomainManagerImpl.java
Comment on lines 1016 to 1020
if (newParentDomainResourceLimit == Resource.RESOURCE_UNLIMITED) {
return;
}

if (currentDomainResourceCount + newParentDomainResourceCount > newParentDomainResourceLimit) {
Copy link
Copy Markdown
Contributor

@DaanHoogland DaanHoogland Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@daviftorres is this what you mean with the line already interpreting the domain as a regex? I do not see what you mean.

Copy link
Copy Markdown
Contributor Author

@daviftorres daviftorres Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are correct @DaanHoogland . I also pointed out another part of the code where some character scaping is done for that reason, but incomplete.

@codecov
Copy link
Copy Markdown

codecov bot commented Mar 31, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.52%. Comparing base (18075ae) to head (1a7c634).
⚠️ Report is 3 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (18075ae) and HEAD (1a7c634). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (18075ae) HEAD (1a7c634)
unittests 1 0
Additional details and impacted files 
@@              Coverage Diff              @@
##               main   #12937       +/-   ##
=============================================
- Coverage     18.01%    3.52%   -14.49%     
=============================================
  Files          5968      464     -5504     
  Lines        537218    40063   -497155     
  Branches      65977     7534    -58443     
=============================================
- Hits          96801     1414    -95387     
+ Misses       429498    38461   -391037     
+ Partials      10919      188    -10731
Flag Coverage Δ
uitests 3.52% <ø> (-0.01%) ⬇️
unittests ?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@daviftorres
Refine regex pattern for domain path matching
1a7c634 
Updated regex pattern to escape only the '/' character while noting potential risks with the wildcard '.' character.
daviftorres
daviftorres commented Mar 31, 2026
View reviewed changes
server/src/main/java/com/cloud/user/DomainManagerImpl.java
DomainVO domainWithResourceUsedByDomainToBeMoved = _domainDao.findById(entry.getKey());

Pattern pattern = Pattern.compile(domainWithResourceUsedByDomainToBeMoved.getPath().replace("/", "\\/").concat(".*"));
Pattern pattern = Pattern.compile(domainWithResourceUsedByDomainToBeMoved.getPath().replace("/", "\\/").concat(".*")); // This only scaped one Regex metacharacter (/). The wildcard `.` is more common and dangerous in my opinion.
Copy link
Copy Markdown
Contributor Author

@daviftorres daviftorres Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@DaanHoogland ,

I did not propose a fix because I need help for that.

@DaanHoogland
Copy link
Copy Markdown
Contributor

DaanHoogland commented Mar 31, 2026

I have no idea if this is a sensible change @daviftorres , I cannot see the issue and do not see what the change entails in behavioural change.

@daviftorres
Copy link
Copy Markdown
Contributor Author

daviftorres commented Mar 31, 2026

I have no idea if this is a sensible change @daviftorres , I cannot see the issue and do not see what the change entails in behavioural change.

If a domain name contains regex metacharacters, renaming it can fail because the regex gets interpreted incorrectly.
A proper solution already exists in this file (line 1118), so I reused that implementation.

By the way, I’m fine if you decide not to proceed. I just wanted to point out an issue I came across, which could potentially lead to data corruption if certain conditions are met.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DaanHoogland DaanHoogland DaanHoogland left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@daviftorres @DaanHoogland