Skip to content

fix(sandbox): strip query string from L7 path matching#614

Closed
johntmyers wants to merge 1 commit intomainfrom
fix/l7-strip-query-from-path-matching
Closed

fix(sandbox): strip query string from L7 path matching#614
johntmyers wants to merge 1 commit intomainfrom
fix/l7-strip-query-from-path-matching

Conversation

@johntmyers
Copy link
Copy Markdown
Collaborator

@johntmyers johntmyers commented Mar 25, 2026

Summary

Fix L7 policy path matching to ignore query strings, so exact path rules like path: /api/v1/download correctly match requests with query parameters (e.g., /api/v1/download?slug=foo&version=1.0).

Related Issue

Refs: #607

Changes

  • Add query field to L7Request and L7RequestInfo structs to hold the query string separately from the path
  • Split request target into path and query components during HTTP parsing in parse_http_request
  • Pass query string to Rego input for future query parameter filtering support (Part 2)
  • Add l7_query field to L7_REQUEST log output for observability
  • Add unit tests for query string splitting in HTTP parser
  • Add OPA engine tests for path matching with query parameters
  • Document path matching behavior in policy-schema.md reference

Testing

Smoke tested locally with httpbin.org:

Test Request Expected Result
1 GET /get ALLOW
2 GET /get?foo=bar&baz=qux ALLOW
3 GET /headers ALLOW
4 GET /anything DENY
5 GET /anything?test=1 DENY
  • mise run pre-commit passes (excluding pre-existing license issues)
  • Unit tests added/updated (7 new tests)
  • E2E tests added/updated (not applicable - behavior change is backwards compatible)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (policy-schema.md)

@johntmyers johntmyers requested a review from a team as a code owner March 25, 2026 18:23
@johntmyers johntmyers self-assigned this Mar 25, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 25, 2026
edited
Loading

PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-03-30 21:01 UTC

@johntmyers johntmyers added the test:e2e Requires end-to-end coverage label Mar 25, 2026
@johntmyers johntmyers mentioned this pull request Mar 25, 2026
Closed
@johntmyers johntmyers force-pushed the fix/l7-strip-query-from-path-matching branch from 88b8c97 to fb96e25 Compare March 30, 2026 20:01
drew
drew previously approved these changes Mar 30, 2026
View reviewed changes
pimlock
pimlock previously approved these changes Mar 30, 2026
View reviewed changes
crates/openshell-sandbox/src/l7/rest.rs Outdated
Comment on lines +123 to +124
// bytes (forwarded to upstream) are left untouched — only the policy
// evaluation fields are split.
Copy link
Copy Markdown
Collaborator

@pimlock pimlock Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just out of curiosity I checked the untouched — only and it actually the em-dash (U+2014) vs regular ASCII hyphen. Based on definition, em-dash is more correct, but not something that is easy to type on a keyboard.
With agents writing these, that's actually okay. Commenting for awareness, I know using an em-dash is one indicator of AI generated content, but we are upfront about this :)

@johntmyers johntmyers force-pushed the fix/l7-strip-query-from-path-matching branch from 21565f2 to 6541591 Compare March 30, 2026 20:31
@johntmyers
fix(sandbox): strip query string from L7 path matching
e6cda0d 
Previously, L7 policy path rules received the full request URI including
the query string. This caused exact path rules like `path: /api/v1/download`
to silently fail when clients added query parameters (e.g.,
`/api/v1/download?slug=foo`), because Rego's glob.match treats the query
string as part of the last path segment.

This fix splits the request target into path and query components during
HTTP parsing. Path rules now match only the path component, and query
strings are passed through transparently to the upstream server. This
matches user expectations: a path rule controls which endpoints are
reachable, not which query parameters are allowed.

Changes:
- Add `query` field to L7Request and L7RequestInfo structs
- Split path/query in parse_http_request before L7 policy evaluation
- Pass query string to Rego input for future query param filtering
- Add l7_query field to L7_REQUEST log output
- Add tests for query string splitting and path matching with query params
- Document path matching behavior in policy-schema.md

Refs: /discussions/607
@johntmyers johntmyers dismissed stale reviews from pimlock and drew via e6cda0d March 30, 2026 20:57
@johntmyers johntmyers force-pushed the fix/l7-strip-query-from-path-matching branch from 6541591 to e6cda0d Compare March 30, 2026 20:57
@johntmyers
Copy link
Copy Markdown
Collaborator Author

johntmyers commented Mar 30, 2026

Closing as superseded by #617, which implemented the full query parameter matching feature including the path/query splitting fix this PR introduced.

@johntmyers johntmyers closed this Mar 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@drew drew drew left review comments

@pimlock pimlock pimlock left review comments

Assignees

@johntmyers johntmyers

Labels

test:e2e Requires end-to-end coverage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@johntmyers @drew @pimlock