GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder

The highest tagged major version is v2.

regosql

package

v0.26.1 Latest Latest Go to latest Published: Jul 12, 2023 License: AGPL-3.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/coder/coder

Links

Open Source Insights

Documentation ¶

Overview ¶

Package regosql converts rego queries into SQL WHERE clauses. This is so the rego queries can be used to filter the results of a SQL query.

Index ¶

func ConvertRegoAst(cfg ConvertConfig, partial *rego.PartialQueries) (sqltypes.BooleanNode, error)
func DefaultVariableConverter() *sqltypes.VariableConverter
func NoACLConverter() *sqltypes.VariableConverter
func TemplateConverter() *sqltypes.VariableConverter
type ACLGroupVar
- func ACLGroupMatcher(fieldReference sqltypes.VariableMatcher, structSQL string, structPath []string) ACLGroupVar
type ConvertConfig

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ConvertRegoAst ¶

func ConvertRegoAst(cfg ConvertConfig, partial *rego.PartialQueries) (sqltypes.BooleanNode, error)

ConvertRegoAst converts partial rego queries into a single SQL where clause. If the query equates to "true" then the user should have access.

func DefaultVariableConverter ¶

func DefaultVariableConverter() *sqltypes.VariableConverter

func NoACLConverter ¶

func NoACLConverter() *sqltypes.VariableConverter

NoACLConverter should be used when the target SQL table does not contain group or user ACL columns.

func TemplateConverter ¶

func TemplateConverter() *sqltypes.VariableConverter

Types ¶

type ACLGroupVar ¶

type ACLGroupVar struct {
	StructSQL string
	// input.object.group_acl -> ["input", "object", "group_acl"]
	StructPath []string

	// FieldReference handles referencing the subfields, which could be
	// more variables. We pass one in as the global one might not be correctly
	// scoped.
	FieldReference sqltypes.VariableMatcher

	// Instance fields
	Source    sqltypes.RegoSource
	GroupNode sqltypes.Node
}

ACLGroupVar is a variable matcher that handles group_acl and user_acl. The sql type is a jsonb object with the following structure:

"group_acl": {
 "<group_name>": ["<actions>"]
}

This is a custom variable matcher as json objects have arbitrary complexity.

func ACLGroupMatcher ¶

func ACLGroupMatcher(fieldReference sqltypes.VariableMatcher, structSQL string, structPath []string) ACLGroupVar

func (ACLGroupVar) ContainsSQL ¶

func (g ACLGroupVar) ContainsSQL(cfg *sqltypes.SQLGenerator, other sqltypes.Node) (string, error)

func (ACLGroupVar) ConvertVariable ¶

func (g ACLGroupVar) ConvertVariable(rego ast.Ref) (sqltypes.Node, bool)

func (ACLGroupVar) SQLString ¶

func (g ACLGroupVar) SQLString(cfg *sqltypes.SQLGenerator) string

func (ACLGroupVar) UseAs ¶

func (ACLGroupVar) UseAs() sqltypes.Node

type ConvertConfig ¶

type ConvertConfig struct {
	// VariableConverter is called each time a var is encountered. This creates
	// the SQL ast for the variable. Without this, the SQL generator does not
	// know how to convert rego variables into SQL columns.
	VariableConverter sqltypes.VariableMatcher
}

ConvertConfig is required to generate SQL from the rego queries.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
sqltypes Package sqltypes contains the types used to convert rego queries into SQL.	Package sqltypes contains the types used to convert rego queries into SQL.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL