From 7f273cc1c5541d1c17950a79b1e918341934ce54 Mon Sep 17 00:00:00 2001
From: Fabiano Parente <fabiano@nunes.me>
Date: Thu, 9 Jan 2025 07:37:41 -0300
Subject: [PATCH] MINOR: Refine route-acl rules to prevent unintended prefix
 matches

Since `route-acl` annotated rules take precedence over others, this
commit updates its behavior to ensure they do not unintentionally
overwrite other rules that share the same prefix.

For example, a rule matching the path /api should not inadvertently
handle requests to /apiary.
---
 .aspell.yml        | 1 +
 pkg/route/route.go | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.aspell.yml b/.aspell.yml
index 260a5fb4..7ee48f4d 100644
--- a/.aspell.yml
+++ b/.aspell.yml
@@ -1,6 +1,7 @@
 mode: commit
 min_length: 3
 allowed:
+  - acl
   - aspell
   - repo
   - yaml
diff --git a/pkg/route/route.go b/pkg/route/route.go
index 5178a7ff..3d5b6fc8 100644
--- a/pkg/route/route.go
+++ b/pkg/route/route.go
@@ -110,7 +110,12 @@ func AddCustomRoute(route Route, routeACLAnn string, api api.HAProxyClient) (err
 		if route.Path.PathTypeMatch == store.PATH_TYPE_EXACT {
 			routeCond = fmt.Sprintf("%s{ path %s }", routeCond, route.Path.Path)
 		} else {
-			routeCond = fmt.Sprintf("%s{ path -m beg %s }", routeCond, route.Path.Path)
+			if route.Path.Path == "/" {
+				routeCond = fmt.Sprintf("%s{ path -m beg / }", routeCond)
+			} else {
+				path := strings.TrimSuffix(route.Path.Path, "/")
+				routeCond = fmt.Sprintf("%s{ path -m reg ^%s($|/) }", routeCond, path)
+			}
 		}
 	}
 	routeCond = fmt.Sprintf("%s { %s } ", routeCond, routeACLAnn)