From 8d4a8c5208319da8b5e474837f915abba94cb3ac Mon Sep 17 00:00:00 2001 From: wollomatic Date: Sun, 3 May 2026 15:11:52 +0200 Subject: [PATCH 1/2] clarify support for multiple `-allow*` entries in README examples and notes --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 42df4f4..6c2c317 100644 --- a/README.md +++ b/README.md @@ -93,12 +93,12 @@ Use Go's regexp syntax to create the patterns for these parameters. To avoid ins Examples (command-line): + `'-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)'` could be used for allowing access to the docker socket for Traefik v2. + `'-allowHEAD=.*'` allows all HEAD requests. -+ `'-allowGET=/version -allowGET=/_ping'` use allow `GET` multiple times ++ `'-allowGET=/version -allowGET=/_ping'` supports using `-allowGET` multiple times Examples (env variables): + `'SP_ALLOW_GET="/v1\..{1,2}/(version|containers/.*|events.*)"'` could be used for allowing access to the docker socket for Traefik v2. + `'SP_ALLOW_HEAD=".*"'` allows all HEAD requests. -+ `'SP_ALLOW_GET="/version" SP_ALLOW_GET_2="/_ping"'` use allow `GET` multiple times ++ `'SP_ALLOW_GET="/version" SP_ALLOW_GET_2="/_ping"'` supports multiple `SP_ALLOW_GET` entries For more information, refer to the [Go regexp documentation](https://golang.org/pkg/regexp/syntax/). @@ -107,7 +107,7 @@ An excellent online regexp tester is [regex101.com](https://regex101.com/). To determine which HTTP requests your client application uses, you could switch socket-proxy to debug log level and look at the log output while allowing all requests in a secure environment. > [!NOTE] -> Starting with version 1.12.0, the socket-proxy can set multiple -allow* in params, environment, or docker labels. +> Starting with version 1.12.0, the socket-proxy supports using multiple -allow* entries in params, environment, or docker labels. #### Setting up bind mount restrictions 
From 62b8ae8134e77a3e2cbbdfd16440e3efce443bd4 Mon Sep 17 00:00:00 2001
From: wollomatic
Date: Sun, 3 May 2026 15:19:59 +0200
Subject: [PATCH 2/2] fix issues found by Coderabbit in PR #130
---
 internal/config/config.go | 8 ++------
 internal/config/config_test.go | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/internal/config/config.go b/internal/config/config.go
index d2b5cda..f929bf1 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -690,12 +690,8 @@ func extractLabelData(cntr container.Summary) (map[string][]*regexp.Regexp, []st
 for labelName, labelValue := range cntr.Labels {
 if strings.HasPrefix(labelName, allowedDockerLabelPrefix) && labelValue != "" {
 allowSpec := strings.ToUpper(strings.TrimPrefix(labelName, allowedDockerLabelPrefix))
- if slices.ContainsFunc(supportedHTTPMethods, func(method string) bool {
- // allowSpec starts with the method name like socket-proxy.allow.get.1
- return strings.HasPrefix(allowSpec, method)
- }) {
- // extract the method name from allowSpec
- method, _, _ := strings.Cut(allowSpec, ".")
+ method, _, _ := strings.Cut(allowSpec, ".")
+ if slices.Contains(supportedHTTPMethods, method) {
 r, err := compileRegexp(labelValue, method, "docker container label")
 if err != nil {
 return nil, nil, err
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 0067399..116408a 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -6,6 +6,7 @@ import (
 "os"
 "reflect"
 "regexp"
+ "sort"
 "strconv"
 "testing"
 
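Review bot: The new `method, _, _ := strings.Cut(allowSpec, ".")` line keeps only the segment before the first dot and discards the rest unchecked, and both comments that explained the label shape were deleted with the old code. Because these labels decide which Docker socket requests are allowed for a container, I would put a short comment back above it, e.g. `// allowSpec is METHOD or METHOD.<suffix> (e.g. socket-proxy.allow.get.1); only METHOD selects the rule`. A label under the prefix whose method segment is not in `supportedHTTPMethods` now fails the `slices.Contains` check, which fails closed; the branch that handles it is outside this hunk, so if nothing is logged there, a mistyped label silently drops a rule the operator expected and a warning would help. The loop and the rest of `extractLabelData` continue outside the hunk.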
@@ -108,8 +109,18 @@ func regexMapsEqual(a, b map[string][]*regexp.Regexp) bool {
 if !ok || len(aRegexes) != len(bRegexes) {
 return false
 }
- for i, ar := range aRegexes {
- if ar.String() != bRegexes[i].String() {
+ aRegexStrings := make([]string, 0, len(aRegexes))
+ for _, ar := range aRegexes {
+ aRegexStrings = append(aRegexStrings, ar.String())
+ }
+ bRegexStrings := make([]string, 0, len(bRegexes))
+ for _, br := range bRegexes {
+ bRegexStrings = append(bRegexStrings, br.String())
+ }
+ sort.Strings(aRegexStrings)
+ sort.Strings(bRegexStrings)
+ for i, ar := range aRegexStrings {
+ if ar != bRegexStrings[i] {
 return false
 }
 }
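Review bot: `regexMapsEqual` now ignores the order of patterns for every caller of the helper, and nothing in the visible lines says so. A doc comment such as `// regexMapsEqual reports whether a and b hold the same patterns per method, ignoring their order.` would make that contract explicit. The sort is presumably there because label-derived patterns come out of a map iteration in no fixed order; if flag or environment parsing is meant to keep a stable order, tests using this helper no longer check that, which is worth confirming. The final loop could also shrink to `if !slices.Equal(aRegexStrings, bRegexStrings) { return false }`, assuming the test file can import `slices` as config.go already does. The function starts and ends outside the hunk.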