plugin/acl: Fix autopath from bypassing acl checks (#8290)

This fix prevents CoreDNS `autopath` from bypassing `acl` checks
when it rewrites an allowed query into a name within an ACL-protected zone.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This commit is contained in:
Yong Tang
2026-07-14 22:36:06 -07:00
committed by GitHub
parent 1ba14119d0
commit 18a58b9e89
3 changed files with 72 additions and 2 deletions

70
test/acl_autopath_test.go Normal file
View File

@@ -0,0 +1,70 @@
package test
import (
"os"
"path/filepath"
"testing"
"github.com/miekg/dns"
)
func TestACLAuthorizesAutopathExpandedName(t *testing.T) {
resolvConf := filepath.Join(t.TempDir(), "resolv.conf")
if err := os.WriteFile(
resolvConf,
[]byte("search public.example protected.example\n"),
0644,
); err != nil {
t.Fatalf("Could not write resolv.conf: %s", err)
}
corefile := `.:0 {
acl protected.example. {
block
}
autopath ` + resolvConf + `
hosts {
192.0.2.123 secret.protected.example
}
}`
server, udp, _, err := CoreDNSServerAndPorts(corefile)
if err != nil {
t.Fatalf("Could not get CoreDNS serving instance: %s", err)
}
defer server.Stop()
tests := []struct {
name string
qname string
}{
{
name: "direct protected query",
qname: "secret.protected.example.",
},
{
name: "autopath expanded protected query",
qname: "secret.public.example.",
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
m := new(dns.Msg)
m.SetQuestion(tc.qname, dns.TypeA)
r, err := dns.Exchange(m, udp)
if err != nil {
t.Fatalf("Query %q failed: %s", tc.qname, err)
}
if r.Rcode != dns.RcodeRefused {
t.Fatalf(
"Query %q: got rcode %s, want REFUSED; answers: %v",
tc.qname,
dns.RcodeToString[r.Rcode],
r.Answer,
)
}
})
}
}