fix: integrate Allow and Deny flags with NetworkPolicy validation

noaho · noaho · commit 93e9581d40cc · 2025-08-05T14:38:54.000+07:00
- Add missing flag integration in createNetworkpolicyInstance()
  - Fixes broken IP filtering where -allow and -deny flags were ignored
  - Add test coverage for Allow/Deny flag validation

  The NetworkPolicy instance was created without the Allow/Deny flag values,
  causing all IP filtering to be bypassed regardless of command-line flags
diff --git a/runner/runner.go b/runner/runner.go
@@ -412,6 +412,11 @@ func (runner *Runner) createNetworkpolicyInstance(options *Options) (*networkpol
 			npOptions.DenyList = append(npOptions.DenyList, exclude)
 		}
 	}
+	
+	// Add Allow and Deny flag integration
+	npOptions.AllowList = append(npOptions.AllowList, options.Allow...)
+	npOptions.DenyList = append(npOptions.DenyList, options.Deny...)
+	
 	np, err := networkpolicy.New(npOptions)
 	return np, err
 }
diff --git a/runner/runner_test.go b/runner/runner_test.go
@@ -222,3 +222,37 @@ func TestRunner_CSVRow(t *testing.T) {
 		t.Error("CSV sanitization incorrectly modified non-vulnerable field")
 	}
 }
+
+func TestCreateNetworkpolicyInstance_AllowDenyFlags(t *testing.T) {
+	// Test Allow flag blocks IPs outside allowed range
+	options := &Options{}
+	options.Allow = []string{"192.168.1.0/24"}
+	
+	runner := &Runner{}
+	np, err := runner.createNetworkpolicyInstance(options)
+	require.Nil(t, err, "could not create networkpolicy instance")
+	require.NotNil(t, np, "networkpolicy instance should not be nil")
+	
+	// Should block IP outside allowed range
+	allowed := np.Validate("8.8.8.8")
+	require.False(t, allowed, "IP outside allowed range should be blocked")
+	
+	// Should allow IP inside allowed range  
+	allowed = np.Validate("192.168.1.10")
+	require.True(t, allowed, "IP inside allowed range should be allowed")
+	
+	// Test Deny flag blocks IPs in denied range
+	options = &Options{}
+	options.Deny = []string{"127.0.0.0/8"}
+	
+	np, err = runner.createNetworkpolicyInstance(options)
+	require.Nil(t, err, "could not create networkpolicy instance")
+	
+	// Should block IP in denied range
+	allowed = np.Validate("127.0.0.1")
+	require.False(t, allowed, "IP in denied range should be blocked")
+	
+	// Should allow IP outside denied range
+	allowed = np.Validate("8.8.8.8")
+	require.True(t, allowed, "IP outside denied range should be allowed")
+}

Original file line number	Diff line number	Diff line change
`@@ -412,6 +412,11 @@ func (runner Runner) createNetworkpolicyInstance(options Options) (*networkpol`
`412`	`412`	`npOptions.DenyList = append(npOptions.DenyList, exclude)`
`413`	`413`	`}`
`414`	`414`	`}`
	`415`	`+`
	`416`	`+ // Add Allow and Deny flag integration`
	`417`	`+ npOptions.AllowList = append(npOptions.AllowList, options.Allow...)`
	`418`	`+ npOptions.DenyList = append(npOptions.DenyList, options.Deny...)`
	`419`	`+`
`415`	`420`	`np, err := networkpolicy.New(npOptions)`
`416`	`421`	`return np, err`
`417`	`422`	`}`