Enhance hash_without_default plugin to handle map and geo blocks without default values #82

dvershinin · dvershinin · commit 58025afc6a87 · 2025-10-19T19:26:12.000+02:00
diff --git a/gixy/plugins/hash_without_default.py b/gixy/plugins/hash_without_default.py
@@ -1,5 +1,7 @@
 import gixy
 from gixy.plugins.plugin import Plugin
+from gixy.directives.directive import MapDirective
+from gixy.directives.block import MapBlock, GeoBlock
 
 class hash_without_default(Plugin):
     summary = "Detect when a hash block (map, geo) is used without a default value."
@@ -12,10 +14,43 @@ def __init__(self, config):
         super(hash_without_default, self).__init__(config)
 
     def audit(self, directive):
+        # Collect entries from this block, following includes when present
+        if isinstance(directive, MapBlock):
+            entries = list(directive.gather_map_directives(directive.children))
+        elif isinstance(directive, GeoBlock):
+            entries = list(directive.gather_geo_directives(directive.children))
+        else:
+            entries = directive.children
+
         found_default = False
-        for child in directive.children:
-            if child.src_val == 'default' and child.dest_val is not None:
+        for child in entries:
+            if isinstance(child, MapDirective) and child.src_val == 'default' and child.dest_val is not None:
                 found_default = True
                 break
-        if not found_default:
-            self.add_issue(directive=[directive] + directive.children, reason="Missing default value in {0} ${1}".format(directive.name, directive.variable))
+
+        if found_default:
+            return
+
+        # Special-case: for map blocks, a single mapping entry without an explicit default
+        # is commonly used to intentionally yield an empty string for all other cases.
+        # This is especially useful with limit_req/limit_conn where empty keys disable limits.
+        # In that scenario, requiring an explicit default creates noise. Therefore, only warn
+        # for map when there are two or more mapping entries and no explicit default.
+        if directive.name == 'map':
+            entries_count = 0
+            for child in entries:
+                if not isinstance(child, MapDirective):
+                    continue
+                if child.src_val == 'default':
+                    continue
+                entries_count += 1
+
+            # Do not warn for single-entry maps without default
+            if entries_count <= 1:
+                return
+
+        # geo continues to require an explicit default regardless of entries count
+        self.add_issue(
+            directive=[directive] + directive.children,
+            reason="Missing default value in {0} ${1}".format(directive.name, directive.variable),
+        )
diff --git a/tests/plugins/simply/hash_without_default/map_no_default.conf b/tests/plugins/simply/hash_without_default/map_no_default.conf
@@ -1,5 +1,6 @@
 http {
   map $host $hostmap {
     example.com value;
+    example.org other;
   }
 }
diff --git a/tests/plugins/simply/hash_without_default/map_single_entry_no_default_fp.conf b/tests/plugins/simply/hash_without_default/map_single_entry_no_default_fp.conf
@@ -0,0 +1,7 @@
+http {
+  map $request_method $post_binary_remote_addr {
+    POST $binary_remote_addr;
+  }
+}
+
+

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`http {`
`2`	`2`	`map $host $hostmap {`
`3`	`3`	`example.com value;`
	`4`	`+ example.org other;`
`4`	`5`	`}`
`5`	`6`	`}`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,7 @@ @@
 +http {
 +  map $request_method $post_binary_remote_addr {
 +    POST $binary_remote_addr;
 +  }
 +}
++
++