Skip to content

fix(sandbox): strip query string from L7 path matching#614

Open
johntmyers wants to merge 1 commit intomainfrom
fix/l7-strip-query-from-path-matching
Open

fix(sandbox): strip query string from L7 path matching#614
johntmyers wants to merge 1 commit intomainfrom
fix/l7-strip-query-from-path-matching

Conversation

@johntmyers
Copy link
Collaborator

@johntmyers johntmyers commented Mar 25, 2026

Summary

Fix L7 policy path matching to ignore query strings, so exact path rules like path: /api/v1/download correctly match requests with query parameters (e.g., /api/v1/download?slug=foo&version=1.0).

Related Issue

Refs: #607

Changes

  • Add query field to L7Request and L7RequestInfo structs to hold the query string separately from the path
  • Split request target into path and query components during HTTP parsing in parse_http_request
  • Pass query string to Rego input for future query parameter filtering support (Part 2)
  • Add l7_query field to L7_REQUEST log output for observability
  • Add unit tests for query string splitting in HTTP parser
  • Add OPA engine tests for path matching with query parameters
  • Document path matching behavior in policy-schema.md reference

Testing

Smoke tested locally with httpbin.org:

Test Request Expected Result
1 GET /get ALLOW
2 GET /get?foo=bar&baz=qux ALLOW
3 GET /headers ALLOW
4 GET /anything DENY
5 GET /anything?test=1 DENY
  • mise run pre-commit passes (excluding pre-existing license issues)
  • Unit tests added/updated (7 new tests)
  • E2E tests added/updated (not applicable - behavior change is backwards compatible)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (policy-schema.md)

@johntmyers
fix(sandbox): strip query string from L7 path matching
88b8c97 
Previously, L7 policy path rules received the full request URI including
the query string. This caused exact path rules like `path: /api/v1/download`
to silently fail when clients added query parameters (e.g.,
`/api/v1/download?slug=foo`), because Rego's glob.match treats the query
string as part of the last path segment.

This fix splits the request target into path and query components during
HTTP parsing. Path rules now match only the path component, and query
strings are passed through transparently to the upstream server. This
matches user expectations: a path rule controls which endpoints are
reachable, not which query parameters are allowed.

Changes:
- Add `query` field to L7Request and L7RequestInfo structs
- Split path/query in parse_http_request before L7 policy evaluation
- Pass query string to Rego input for future query param filtering
- Add l7_query field to L7_REQUEST log output
- Add tests for query string splitting and path matching with query params
- Document path matching behavior in policy-schema.md

Refs: /discussions/607
@johntmyers johntmyers requested a review from a team as a code owner March 25, 2026 18:23
@johntmyers johntmyers self-assigned this Mar 25, 2026
@github-actions
Copy link

github-actions bot commented Mar 25, 2026

PR Preview Action v1.8.1

QR code for preview link

🚀 View preview at
https://NVIDIA.github.io/OpenShell/pr-preview/pr-614/

Built to branch gh-pages at 2026-03-25 18:24 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

@johntmyers johntmyers added the test:e2e Requires end-to-end coverage label Mar 25, 2026
@johntmyers johntmyers mentioned this pull request Mar 25, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@johntmyers johntmyers

Labels

test:e2e Requires end-to-end coverage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@johntmyers