Merge pull request #6980 from BenTheElder/no-capture-groups

k8s-ci-robot · web-flow · commit 4cf652f2672d · 2024-07-12T10:17:48.000-07:00
implement regex without capture groups, which are not permitted
diff --git a/infra/gcp/terraform/modules/oci-proxy/cloud-armor.tf b/infra/gcp/terraform/modules/oci-proxy/cloud-armor.tf
@@ -76,7 +76,7 @@ resource "google_compute_security_policy" "cloud-armor" {
         # OCI pull / list calls: /v2/<name>/(blobs|manifests|tags)/<reference>
         # https://github.com/opencontainers/distribution-spec/blob/main/spec.md#endpoints
         # NOTE: AR doesn't support referrers API
-        expression = "!request.path.matches('(?:^/?$)|(?:^/privacy$)|(?:^/v2/?$)|(?:^/v2/.+/(:?blobs|manifests|tags)/.+$)')"
+        expression = "!request.path.matches('^/$|^/privacy$|^/v2/?$|^/v2/.+/blobs/.+$|^/v2/.+/manifests/.+$|^/v2/.+/tags/.+$')"
       }
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ resource "google_compute_security_policy" "cloud-armor" {`
`76`	`76`	`# OCI pull / list calls: /v2/<name>/(blobs\|manifests\|tags)/<reference>`
`77`	`77`	`# https://github.com/opencontainers/distribution-spec/blob/main/spec.md#endpoints`
`78`	`78`	`# NOTE: AR doesn't support referrers API`
`79`		`- expression = "!request.path.matches('(?:^/?$)\|(?:^/privacy$)\|(?:^/v2/?$)\|(?:^/v2/.+/(:?blobs\|manifests\|tags)/.+$)')"`
	`79`	`+ expression = "!request.path.matches('^/$\|^/privacy$\|^/v2/?$\|^/v2/.+/blobs/.+$\|^/v2/.+/manifests/.+$\|^/v2/.+/tags/.+$')"`
`80`	`80`	`}`
`81`	`81`	`}`
`82`	`82`	`}`