
xds: reject rbac not_rule/not_id with no inner matcher #9220

Open

nvxbug wants to merge 1 commit into grpc:master from nvxbug:rbac-not-rule-inner-matcher

Conversation


nvxbug commented Jul 4, 2026


matchersFromPermissions and matchersFromPrincipals build a not_rule/not_id by recursing on a single-element slice and then reading mList[0]. The recursion returns nothing when the wrapped inner rule is one gRPC RBAC does not turn into a matcher: an empty inner rule, a requested_server_name or non-inverted metadata permission, or a deprecated source_ip / metadata principal. An RBAC config carried in an xDS HTTP filter (or an authz policy) with a not_rule{} or not_id{} of that shape indexes an empty slice and panics during resource parsing, and nothing recovers it in the xdsclient decode path.

Return an error from the two builders when the inner rule produces no matcher, so the resource is rejected the way other invalid RBAC fields are instead of crashing the process. Keeping the check next to the mList[0] read covers the permission and principal sites with the same guard.

RELEASE NOTES:

  • xds: fix a panic parsing an RBAC config whose not_rule or not_id wraps an unsupported inner matcher
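To make the failure mode concrete, here is an added example in Go that is not grpc-go's own xds/internal/rbac code: a cut-down permission builder with the same shape the description gives (recurse on a single-element slice for not_rule, then read mList[0]), run once without and once with the guard this PR proposes. The permission, matcher and buildRecovering names and the enum of rule kinds are assumptions for the illustration; the real project works on envoy RBAC protobufs and covers more variants, including the not_id principal path that gets the same check.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified model of an envoy RBAC Permission (assumption:
// not grpc-go's types). Only the variants needed to show the bug are present.
type permKind int

const (
	permAny                 permKind = iota // matches every request
	permHeader                              // matches when a header is present
	permRequestedServerName                 // gRPC RBAC produces no matcher for this
	permNot                                 // not_rule: wraps exactly one inner permission
)

type permission struct {
	kind  permKind
	name  string      // header name for permHeader
	inner *permission // wrapped rule for permNot; nil models an empty not_rule{}
}

type matcher interface{ match(headers map[string]string) bool }

type anyMatcher struct{}

func (anyMatcher) match(map[string]string) bool { return true }

type headerMatcher struct{ name string }

func (h headerMatcher) match(hd map[string]string) bool { _, ok := hd[h.name]; return ok }

type notMatcher struct{ m matcher }

func (n notMatcher) match(hd map[string]string) bool { return !n.m.match(hd) }

var errNoInnerMatcher = errors.New("rbac: not_rule wraps a rule that produces no matcher")

// matchersFromPermissions mirrors the shape described in the PR: a not_rule is
// built by recursing on a single-element slice and reading element 0 of the
// result. With guard=false it reproduces the pre-fix behaviour and indexes an
// empty slice; with guard=true it rejects the resource with an error instead.
func matchersFromPermissions(perms []*permission, guard bool) ([]matcher, error) {
	var out []matcher
	for _, p := range perms {
		if p == nil { // empty inner rule: contributes nothing
			continue
		}
		switch p.kind {
		case permAny:
			out = append(out, anyMatcher{})
		case permHeader:
			out = append(out, headerMatcher{name: p.name})
		case permRequestedServerName:
			continue // unsupported by this model: silently produces no matcher
		case permNot:
			mList, err := matchersFromPermissions([]*permission{p.inner}, guard)
			if err != nil {
				return nil, err
			}
			if guard && len(mList) == 0 {
				return nil, errNoInnerMatcher
			}
			out = append(out, notMatcher{m: mList[0]}) // index out of range when mList is empty
		}
	}
	return out, nil
}

// buildRecovering runs the builder and reports whether it panicked, standing in
// for a decode path that has no recover of its own and would take the process down.
func buildRecovering(perms []*permission, guard bool) (ms []matcher, panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	ms, err = matchersFromPermissions(perms, guard)
	return ms, false, err
}

func main() {
	// Constructed input: not_rule wrapping a rule that yields no matcher.
	bad := []*permission{{kind: permNot, inner: &permission{kind: permRequestedServerName}}}
	_, panicked, _ := buildRecovering(bad, false)
	fmt.Println("unguarded builder panicked:", panicked)
	_, _, err := buildRecovering(bad, true)
	fmt.Println("guarded builder error:", err)

	good := []*permission{{kind: permNot, inner: &permission{kind: permHeader, name: "x-internal"}}}
	ms, _, _ := buildRecovering(good, true)
	fmt.Println("not(header x-internal) on a request carrying it:", ms[0].match(map[string]string{"x-internal": "1"}))
}
```

The guard sits at the mList[0] read rather than in the caller, so any future inner variant that the builder declines to turn into a matcher is rejected at the same point instead of reintroducing the panic.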

