coderbirju
diff --git a/‎docs/opa-middleware.md
Lines changed: 14 additions & 1 deletion b/‎docs/opa-middleware.md
Lines changed: 14 additions & 1 deletion
diff --git a/‎docs/sample-rego-policies/case1-incompatible_API.rego
Lines changed: 0 additions & 20 deletions b/‎docs/sample-rego-policies/case1-incompatible_API.rego
Lines changed: 0 additions & 20 deletions
diff --git a/‎docs/sample-rego-policies/default.rego
Lines changed: 1 addition & 1 deletion b/‎docs/sample-rego-policies/default.rego
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/sample-rego-policies/test.rego
Lines changed: 0 additions & 39 deletions b/‎docs/sample-rego-policies/test.rego
Lines changed: 0 additions & 39 deletions
diff --git a/‎e2e/e2e_test.go
Lines changed: 7 additions & 4 deletions b/‎e2e/e2e_test.go
Lines changed: 7 additions & 4 deletions
@@ -46,7 +46,20 @@ Example:
 
 ## Comprehensive API Path Protection
 
-When writing Rego policies, it's crucial to implement thorough path matching to prevent unintended access to APIs. The daemon processes API paths without strict prefix validation, which could lead to security bypasses.
+When writing Rego policies, use pattern matching for API paths to prevent unauthorized access. Simple string matching can be bypassed by adding prefixes to API paths.
+
+Consider this potentially vulnerable policy that tries to restrict access to a specific container:
+```
+# INCORRECT: Can be bypassed
+allow if {
+    not (input.Path == "/v1.43/containers/sensitive-container/json")
+}
+```
+This policy can be bypassed in multiple ways:
+1. Using container ID instead of name: `/v1.43/containers/abc123.../json`
+2. Adding path prefixes: `/custom/v1.43/containers/sensitive-container/json`
+
+Follow the path matching best practices below to properly secure your resources.
 
 ## Path Matching Best Practices
 
 
@@ -33,6 +33,6 @@ is_plugins if {
 }
 
 is_forbidden_container if {
-    intpu.Method == "GET"
+    input.Method == "GET"
     glob.match("/**/container/1f576a797a486438548377124f6cb7770a5cb7c8ff6a11c069cb4128d3f59462/json", ["/"], input.Path)
 }
@@ -33,17 +33,15 @@ func TestRun(t *testing.T) {
 	} else {
 		t.Skip("E2E tests skipped. Set TEST_E2E=1 to run regular E2E tests or MIDDLEWARE_E2E=1 to run OPA middleware tests")
 	}
+}
 
+func runOPATests(t *testing.T) {
 	if err := parseTestFlags(); err != nil {
 		log.Println("failed to parse go test flags", err)
 		os.Exit(1)
 	}
 
 	opt, _ := option.New([]string{*Subject, "--namespace", "finch"})
-}
-
-func runOPATests(t *testing.T) {
-	opt, _ := option.New([]string{*Subject, "--namespace", "finch"})
 
 	ginkgo.SynchronizedBeforeSuite(func() []byte {
 		tests.SetupLocalRegistry(opt)
@@ -67,6 +65,11 @@ func runOPATests(t *testing.T) {
 }
 
 func runE2ETests(t *testing.T) {
+	if err := parseTestFlags(); err != nil {
+		log.Println("failed to parse go test flags", err)
+		os.Exit(1)
+	}
+
 	opt, _ := option.New([]string{*Subject, "--namespace", "finch"})
 
 	ginkgo.SynchronizedBeforeSuite(func() []byte {
Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,6 @@ is_plugins if {`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`is_forbidden_container if {`
`36`		`- intpu.Method == "GET"`
	`36`	`+ input.Method == "GET"`
`37`	`37`	`glob.match("/**/container/1f576a797a486438548377124f6cb7770a5cb7c8ff6a11c069cb4128d3f59462/json", ["/"], input.Path)`
`38`	`38`	`}`