[Bug] ACL invalid policy accepted #1033

New Issue

adam · 2025-12-29T02:27:50+01:00

adam commented

2025-12-29 02:27:50 +01:00

Originally created by @lethedata on GitHub (May 25, 2025).

Is this a support request?

This is not a support request

Is there an existing issue for this?

I have searched the existing issues

Current Behavior

Running policy check with invalid src/dst returns "Policy is valid"

Expected Behavior

Policy check fails and returns an error.

Steps To Reproduce

Create acls.jsonc policy using the configuration below
Run policy check against bad acls.jsonc file: headscale policy check -f ./acls.jsonc
Returns Policy is valid

{
    "acls": [
        { "action": "accept", "BAD": ["FOO:BAR:FOO:BAR"], "BAD": ["BAD:BAD:BAD:BAD"] }
      ]
}

Environment

- OS: Fedora CoreOS 42.20250427.3.0
- Headscale version: v0.26.0

Runtime environment

Headscale is behind a (reverse) proxy
Headscale runs in a container

Debug information

{
    "acls": [
        { "action": "accept", "BAD": ["FOO:BAR:FOO:BAR"], "BAD": ["BAD:BAD:BAD:BAD"] }
      ]
}

Originally created by @lethedata on GitHub (May 25, 2025). ### Is this a support request? - [x] This is not a support request ### Is there an existing issue for this? - [x] I have searched the existing issues ### Current Behavior Running policy check with invalid src/dst returns "Policy is valid" ### Expected Behavior Policy check fails and returns an error. ### Steps To Reproduce 1) Create `acls.jsonc` policy using the configuration below 2) Run policy check against bad `acls.jsonc` file: `headscale policy check -f ./acls.jsonc` 3) Returns `Policy is valid` ```jsonc { "acls": [ { "action": "accept", "BAD": ["FOO:BAR:FOO:BAR"], "BAD": ["BAD:BAD:BAD:BAD"] } ] } ``` ### Environment ```markdown - OS: Fedora CoreOS 42.20250427.3.0 - Headscale version: v0.26.0 ``` ### Runtime environment - [x] Headscale is behind a (reverse) proxy - [x] Headscale runs in a container ### Debug information ```jsonc { "acls": [ { "action": "accept", "BAD": ["FOO:BAR:FOO:BAR"], "BAD": ["BAD:BAD:BAD:BAD"] } ] } ```

adam added the bug no-stale-bot policy 📝 labels 2025-12-29 02:27:50 +01:00

adam closed this issue

2025-12-29 02:27:50 +01:00

adam commented

2025-12-29 02:27:51 +01:00

@Codelica commented on GitHub (May 28, 2025):

Please just keep one thing in mind if the plan is to validate all input properties on the ACL. A few months ago @goodieshq and I noticed that additional properties could be added to an ACL entry which were stored and ignored. This actually allows for some very nice/powerful UI state to be stored for the Headscale-Admin GUI project. For example ACL rules can be named, UI collapse state stored, etc. Currently this is a single property tree named #ha-meta on the ACL entry to keep it isolated. Perhaps when it comes to validation, property names that start with # could be ignored for metadata/comments? Please :)

@Codelica commented on GitHub (May 28, 2025): Please just keep one thing in mind if the plan is to validate **all** input properties on the ACL. A few months ago @goodieshq and I noticed that additional properties could be added to an ACL entry which were stored and ignored. This actually allows for some very nice/powerful UI state to be stored for the Headscale-Admin GUI project. For example ACL rules can be named, UI collapse state stored, etc. Currently this is a single property tree named `#ha-meta` on the ACL entry to keep it isolated. Perhaps when it comes to validation, property names that start with `#` could be ignored for metadata/comments? Please :) ![Image](https://github.com/user-attachments/assets/fa9d0b76-4d32-4774-925a-d95393b9ebc8)

adam commented

2025-12-29 02:27:51 +01:00

@kradalby commented on GitHub (Sep 9, 2025):

This is interesting. I am not very concerned that the example validates as a valid policy. The most annoying would be mistyped versions of the correct fields that are not caught, srd vs src for example.

The "use the policy as JSON storage" is quite funny too, I suppose that is relatively fine.

We can do what @Codelica suggests and reserve things prefixed with #, and then validate all the other fields to get something in between, both better validation, but also some flexibility, without letting it go "too far".

@kradalby commented on GitHub (Sep 9, 2025): This is interesting. I am not very concerned that the example validates as a valid policy. The most annoying would be mistyped versions of the correct fields that are not caught, `srd` vs `src` for example. The "use the policy as JSON storage" is quite funny too, I suppose that is relatively fine. We can do what @Codelica suggests and reserve things prefixed with `#`, and then validate all the other fields to get something in between, both better validation, but also some flexibility, without letting it go "too far".

adam commented

2025-12-29 02:27:51 +01:00

@lethedata commented on GitHub (Sep 9, 2025):

This is interesting. I am not very concerned that the example validates as a valid policy. The most annoying would be mistyped versions of the correct fields that are not caught, srd vs src for example.

A mistyped dnt over dst typo is actually what lead to this issue. It was originally going to just be about the typo being accepted but after messing around I realized there was no validations allowing the above example to return valid. I used this unrealistic example as it very obviously shows what is going on at a glance without taking a second to locate the non-obvious typo.

@lethedata commented on GitHub (Sep 9, 2025): > This is interesting. I am not very concerned that the example validates as a valid policy. The most annoying would be mistyped versions of the correct fields that are not caught, `srd` vs `src` for example. > A mistyped `dnt` over `dst` typo is actually what lead to this issue. It was originally going to just be about the typo being accepted but after messing around I realized there was no validations allowing the above example to return valid. I used this unrealistic example as it very obviously shows what is going on at a glance without taking a second to locate the non-obvious typo.

adam referenced this issue

2025-12-29 02:31:52 +01:00

[PR #1033] [CLOSED] docs(README): update contributors #1829

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#1033