fix: prevent JSON injection in static maas-api AuthPolicy X-MaaS-Group header

jrhyness · claude · jrhyness · commit b5586791add3 · 2026-03-26T16:12:13.000-04:00
Replace string concatenation with proper JSON serialization in the static maas-api AuthPolicy to prevent JSON injection vulnerabilities. Before (vulnerable to JSON injection): expression: '''["'' + auth.metadata.apiKeyValidation.groups.join(''","'') + ''"]''' After (secure): expression: string(auth.metadata.apiKeyValidation.groups) The string() function in CEL properly serializes arrays to JSON with proper escaping, preventing injection of malformed JSON or special characters. This matches the fix already applied to controller-generated AuthPolicies in commit 00db174, but the static maas-api AuthPolicy was missed. Addresses CodeRabbit security finding (lines 463-466 comment). Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/deployment/base/maas-api/policies/auth-policy.yaml b/deployment/base/maas-api/policies/auth-policy.yaml
@@ -72,7 +72,7 @@ spec:
             when:
               - predicate: request.headers.authorization.startsWith("Bearer sk-oai-")
             plain:
-              expression: '''["'' + auth.metadata.apiKeyValidation.groups.join(''","'') + ''"]'''
+              expression: string(auth.metadata.apiKeyValidation.groups)
             priority: 0
           # Groups: from OpenShift identity as JSON array (when OC token used)
           X-MaaS-Group-OC:
