Pattern validation for HTTP header values according to RFC 7230 #3774
Conversation
Signed-off-by: Norwin Schnyder <[email protected]>
k8s-ci-robot
added
release-note
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
needs-ok-to-test
|
Hi @snorwin. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
size/S
snorwin
changed the title
snorwin
force-pushed
the
httpheadervalue-cel
branch
from
3ff6e20 to
722ac23
Compare
apis/v1/httproute_types.go
Outdated
| // | ||
| // +kubebuilder:validation:MinLength=1 | ||
| // +kubebuilder:validation:MaxLength=4096 | ||
| // <gateway:experimental:validation:XValidation:message="must only contain printable ASCII characters, optionally separated by single tabs or spaces",rule="self.matches('^[!-~]+([\\t ]?[!-~]+)*$')"> |
There was a problem hiding this comment.
While a CEL would offer a cleaner approach with meaningful error messages, the complexity appears to be too high.
Signed-off-by: Norwin Schnyder <[email protected]>
snorwin
force-pushed
the
httpheadervalue-cel
branch
from
722ac23 to
0a5580a
Compare
|
/ok-to-test I think that @robscott should check this out as well though. |
k8s-ci-robot
added
ok-to-test
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: snorwin, youngnick The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
@snorwin: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
Thanks @snorwin! I'm very hesitant to ever tighten validation on a GA API, but as long as we can have complete confidence that all configuration that would fail this validation would have been useless/invalid before this validation, this does seem like a net improvement.
/cc @htuch @mkosieradzki
| // | ||
| // +kubebuilder:validation:MinLength=1 | ||
| // +kubebuilder:validation:MaxLength=4096 | ||
| // <gateway:experimental:validation:Pattern=`^[!-~]+([\t ]?[!-~]+)*$`> |
There was a problem hiding this comment.
Can you add some invalid and valid examples to https://github.com/kubernetes-sigs/gateway-api/tree/main/hack/invalid-examples/experimental and https://github.com/kubernetes-sigs/gateway-api/tree/main/examples/experimental respectively to confirm this is working as intended?
There was a problem hiding this comment.
One note - this is a header value matcher that supports two types of matches - exact and regex. I believe all forms of regex matcher used here would also be contained within US-ASCII characters, but would appreciate another confirmation of that.
|
@robscott: GitHub didn't allow me to request PR reviews from the following users: htuch, mkosieradzki. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
This PR adds an experimental pattern validation to ensure that HTTP header values consist only of printable US-ASCII characters, optionally separated by spaces or tabs, as required by RFC 7230.
Which issue(s) this PR fixes:
Fixes #3669
Does this PR introduce a user-facing change?: