Conversation
… longer contaminates unrelated ports

A single :0 (wildcard-port) entry was forcing every other endpoint in the slice through `rewritePort` and being analyzed under the wildcard sub-tree, even when its concrete port was unrelated. Result: input like [":0/health", ":443/login"] collapsed to [":0/health", ":0/login"], silently widening the captured surface area.

Fix: drop the global wildcardPort detection. Each endpoint is now analyzed under its own port; cross-port folding is the explicit job of MergeDuplicateEndpoints, which only merges same-(path, direction) specific-port siblings into an explicit :0 entry. The merge is now symmetric — wildcard-after-specific sweeps `seen` and absorbs prior specific-port entries; specific-after-wildcard folds in as before.

Tests:
- 3 new regression tests for the contamination + reverse-order paths
- existing "Test with 0 port" updated to encode correct behavior

Flagged in upstream review on kubescape#316.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
entlein added a commit to k8sstormcenter/node-agent that referenced this pull request on Apr 29, 2026
…e036602) (#34)

Picks up k8sstormcenter/storage#21: fix(dynamicpathdetector): :0 wildcard port no longer contaminates unrelated concrete-port endpoints. Sibling branch on node-agent so the matrix CI can validate the fix end-to-end before either side merges.

Co-authored-by: Entlein <eineintlein@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
entlein added a commit that referenced this pull request on Apr 29, 2026
…eEndpoints (#22)

The table-driven TestAnalyzeEndpoints shared one PathAnalyzer across all subtests. Because AnalyzeEndpoints mutates the analyzer trie, expected outputs of later subtests were silently coupled to the trie state left by earlier ones — running any case in isolation would have exercised a different state and could mask regressions.

Move the analyzer construction inside the t.Run loop so each subtest starts from a fresh trie. Restore the 'Test with 0 port' expected output to its order-independent shape (the :80 entry stays as :80/users/⋯/posts/101 because no other input reaches the trie's dynamic-collapse threshold within that case).

Addresses CodeRabbit review on #21.

Co-authored-by: Entlein <eineintlein@gmail.com>
Summary

- `wildcardPort` detection in `AnalyzeEndpoints` that broadcast a single `:0` entry across the whole slice — `[":0/health", ":443/login"]` no longer collapses to `[":0/health", ":0/login"]`.
- `MergeDuplicateEndpoints` and only fires for same-(path, direction) siblings of an explicit `:0` entry.
- `MergeDuplicateEndpoints` made order-symmetric: a wildcard arriving after its specific-port siblings now sweeps `seen` and absorbs them (previously only the specific-after-wildcard direction worked).

Why

Flagged by Matthias on upstream kubescape#316 — single `:0` entries were silently widening captured endpoints into unrelated concrete ports.

Tests

- `TestAnalyzeEndpoints_WildcardDoesNotContaminateUnrelatedPaths`
- `TestAnalyzeEndpoints_OnlyMatchingPathsFoldIntoWildcard`
- `TestMergeDuplicateEndpoints_SpecificFirstThenWildcard`
- `TestAnalyzeEndpoints/Test_with_0_port` updated — it had encoded the buggy behavior as expected output.
- `pkg/registry/file/...` suite still passes (consumers: applicationprofile / containerprofile processors).

Test plan

- `fix/endpoint-wildcard-port-overbroaden` branch in node-agent

🤖 Generated with Claude Code
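The folding behaviour described in the first commit message and in the Summary above, as an added example that is not the storage package's own code. The `Endpoint` type, its field names and the method-union semantics are assumptions of this example; the project's real `MergeDuplicateEndpoints` works on its own endpoint type, and the per-port path analysis (the `PathAnalyzer` trie and its dynamic-collapse threshold) is deliberately not modelled. What the example shows is the order-symmetric part of the fix: an explicit `:0` entry absorbs same-(path, direction) siblings whether it arrives before or after them, while a concrete-port entry with no wildcard sibling is never widened, so `[":0/health", ":443/login"]` passes through unchanged.

```go
package main

import (
	"fmt"
	"strings"
)

// Endpoint is a minimal stand-in for a captured HTTP endpoint. The type and
// its fields are assumptions of this example, not the storage package's own.
type Endpoint struct {
	Endpoint  string   // ":<port>/<path>"; port 0 is the explicit wildcard
	Direction string   // e.g. "inbound" or "outbound"
	Methods   []string // HTTP methods observed on this endpoint
}

// splitEndpoint separates ":443/login" into port "443" and path "/login".
// An entry without a leading ':' is treated as path-only with an empty port.
func splitEndpoint(e string) (port, path string) {
	if !strings.HasPrefix(e, ":") {
		return "", e
	}
	rest := e[1:]
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		return rest[:i], rest[i:]
	}
	return rest, ""
}

// unionMethods appends to dst the methods of src it does not already list,
// keeping first-seen order so the merged output stays deterministic.
func unionMethods(dst, src []string) []string {
	have := make(map[string]bool, len(dst))
	for _, m := range dst {
		have[m] = true
	}
	for _, m := range src {
		if !have[m] {
			dst = append(dst, m)
			have[m] = true
		}
	}
	return dst
}

// MergeDuplicateEndpoints folds entries sharing (path, direction) into an
// explicit ":0" entry only when such a wildcard entry is actually present,
// in either arrival order:
//   - wildcard after specific: the new ":0" sweeps the specific-port siblings
//     emitted so far, absorbing their methods and dropping them;
//   - specific after wildcard: the newcomer folds into the existing ":0".
// A concrete-port entry with no ":0" sibling is never widened. Exact
// duplicates (same port, path and direction) are merged by method union.
func MergeDuplicateEndpoints(in []Endpoint) []Endpoint {
	out := make([]Endpoint, 0, len(in))
	dropped := make([]bool, 0, len(in)) // out[i] was absorbed by a later wildcard
	seen := make(map[string]int)        // "port|path|direction" -> index in out
	wild := make(map[string]int)        // "path|direction" -> index of its :0 entry

	for _, ep := range in {
		port, path := splitEndpoint(ep.Endpoint)
		sib := path + "|" + ep.Direction

		if w, ok := wild[sib]; ok {
			// specific-after-wildcard (or a repeated :0): fold into the wildcard
			out[w].Methods = unionMethods(out[w].Methods, ep.Methods)
			continue
		}
		if port == "0" {
			// wildcard-after-specific: emit :0, then absorb earlier siblings
			idx := len(out)
			out = append(out, Endpoint{Endpoint: ep.Endpoint, Direction: ep.Direction,
				Methods: append([]string(nil), ep.Methods...)})
			dropped = append(dropped, false)
			wild[sib] = idx
			for i := 0; i < idx; i++ {
				if dropped[i] {
					continue
				}
				p, pa := splitEndpoint(out[i].Endpoint)
				if pa == path && out[i].Direction == ep.Direction {
					out[idx].Methods = unionMethods(out[idx].Methods, out[i].Methods)
					dropped[i] = true
					delete(seen, p+"|"+sib)
				}
			}
			continue
		}
		exact := port + "|" + sib
		if i, ok := seen[exact]; ok {
			// same concrete port, path and direction: plain de-duplication
			out[i].Methods = unionMethods(out[i].Methods, ep.Methods)
			continue
		}
		seen[exact] = len(out)
		out = append(out, Endpoint{Endpoint: ep.Endpoint, Direction: ep.Direction,
			Methods: append([]string(nil), ep.Methods...)})
		dropped = append(dropped, false)
	}

	res := make([]Endpoint, 0, len(out))
	for i, e := range out {
		if !dropped[i] {
			res = append(res, e)
		}
	}
	return res
}

func main() {
	// Constructed sample inputs; the first is the regression case from the fix.
	cases := [][]Endpoint{
		{{":0/health", "inbound", []string{"GET"}}, {":443/login", "inbound", []string{"POST"}}},
		{{":443/login", "inbound", []string{"GET"}}, {":0/login", "inbound", []string{"PUT"}}},
	}
	for _, c := range cases {
		fmt.Printf("%v\n  -> %v\n", c, MergeDuplicateEndpoints(c))
	}
}
```

The sweep on a late-arriving wildcard is what the "symmetric" wording in the commit message refers to: without it, the order in which endpoints are captured would decide whether the profile ends up with one `:0/login` or with `:0/login` plus a stray `:443/login`, and a reviewer reading the profile could not tell which was intended.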