check if port is between 0 and 65535 (#116)

metal-stack · Jan 12, 2022 · 38aa3f7 · 38aa3f7
1 parent f7effa3
commit 38aa3f7
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/api/v1/clusterwidenetworkpolicy_types.go b/api/v1/clusterwidenetworkpolicy_types.go
@@ -133,6 +133,10 @@ func validatePorts(ports []networking.NetworkPolicyPort) *multierror.Error {
 			errors = multierror.Append(errors, fmt.Errorf("only int ports are supported, but %v given", p.Port))
 		}
 
+		if p.Port != nil && (p.Port.IntValue() > 65535 || p.Port.IntValue() <= 0) {
+			errors = multierror.Append(errors, fmt.Errorf("only ports between 0 and 65535 are allowed, but %v given", p.Port))
+		}
+
 		if p.Protocol != nil {
 			proto := *p.Protocol
 			if proto != corev1.ProtocolUDP && proto != corev1.ProtocolTCP {

diff --git a/api/v1/clusterwidenetworkpolicy_types_test.go b/api/v1/clusterwidenetworkpolicy_types_test.go
@@ -30,6 +30,7 @@ func TestPolicySpec_Validate(t *testing.T) {
 	port1 := intstr.FromInt(8080)
 	port2 := intstr.FromInt(8081)
 	invalid := intstr.FromString("invalid")
+	invalidPort := intstr.FromInt(99999)
 	tests := []struct {
 		name    string
 		Ingress []IngressRule
@@ -91,6 +92,25 @@ func TestPolicySpec_Validate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "invalid port",
+			Ingress: []IngressRule{
+				{
+					From: []networking.IPBlock{
+						{
+							CIDR: "1.1.0.0/24",
+						},
+					},
+					Ports: []networking.NetworkPolicyPort{
+						{
+							Protocol: &tcp,
+							Port:     &invalidPort,
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		tt := tt