fix: ignore casing in ApplyJSONPatch deny list (#837)

Author: hperl

jsonx/patch.go

@@ -53,7 +53,7 @@ func ApplyJSONPatch(p json.RawMessage, object interface{}, denyPaths ...string)
 		return err
 	}
 
-	denyPattern := fmt.Sprintf("{%s}", strings.Join(denyPaths, ","))
+	denyPattern := fmt.Sprintf("{%s}", strings.ToLower(strings.Join(denyPaths, ",")))
 	matcher, err := glob.Compile(denyPattern, '/')
 	if err != nil {
 		return err
@@ -68,7 +68,7 @@ func ApplyJSONPatch(p json.RawMessage, object interface{}, denyPaths ...string)
 		if err != nil {
 			return fmt.Errorf("error parsing patch operations: %v", err)
 		}
-		if matcher.Match(path) {
+		if matcher.Match(strings.ToLower(path)) {
 			return fmt.Errorf("patch includes denied path: %s", path)
 		}
 

jsonx/patch_test.go

@@ -108,10 +108,19 @@ func TestApplyJSONPatch(t *testing.T) {
 		require.Equal(t, expected, obj)
 	})
 	t.Run("case=patch denied path", func(t *testing.T) {
-		rawPatch := []byte(`[{"op": "replace", "path": "/Field1", "value": "bar"}]`)
-		obj := deepcopy.Copy(object).(TestType)
-		require.Error(t, ApplyJSONPatch(rawPatch, &obj, "/Field1"))
-		require.Equal(t, object, obj)
+		for _, path := range []string{
+			"/Field1",
+			"/field1",
+			"/fIeld1",
+			"/FIELD1",
+		} {
+			t.Run("path="+path, func(t *testing.T) {
+				rawPatch := []byte(`[{"op": "replace", "path": "/Field1", "value": "bar"}]`)
+				obj := deepcopy.Copy(object).(TestType)
+				assert.Error(t, ApplyJSONPatch(rawPatch, &obj, path))
+				require.Equal(t, object, obj)
+			})
+		}
 	})
 	t.Run("case=patch denied sub-path", func(t *testing.T) {
 		rawPatch := []byte(`[{"op": "replace", "path": "/Field3/Field1", "value": true}]`)