Skip to content

[release-4.18] OCPBUGS-74235: Add API validation to reject # or whitespace in spec.path #2117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
openshift-cherrypick-robot wants to merge 1 commit into
base: release-4.18
Choose a base branch
from
Open

[release-4.18] OCPBUGS-74235: Add API validation to reject # or whitespace in spec.path #2117

openshift-cherrypick-robot wants to merge 1 commit into from
+166 −6

Conversation

@openshift-cherrypick-robot
Copy link

@openshift-cherrypick-robot openshift-cherrypick-robot commented Feb 4, 2026

This is an automated cherry-pick of #2012

/assign Thealisyed

API validation:reject # or whitespace in spec.path
6f520ca 
This commit introduces api validation to reject # or whitespace
in the spec.path. This is becaause it causes HaProxy error and the
inress to become degraded.
The validation will reject any new route that tries to create with
whitespace or # in spec.path. It will allow for ratcheting.
Test cases are also introduced in the validation_test.go file

Related bug: https://issues.redhat.com/browse/OCPBUGS-47773
@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Feb 4, 2026
Merged
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 4, 2026

@openshift-cherrypick-robot: Detected clone of Jira Issue OCPBUGS-61662 with correct target version. Will retitle the PR to link to the clone.
/retitle [release-4.18] OCPBUGS-74235: Add API validation to reject # or whitespace in spec.path

Details

In response to this:

This is an automated cherry-pick of #2012

/assign Thealisyed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot changed the title [release-4.18] OCPBUGS-61662: Add API validation to reject # or whitespace in spec.path [release-4.18] OCPBUGS-74235: Add API validation to reject # or whitespace in spec.path Feb 4, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Feb 4, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 4, 2026

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-74235, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.18.z) matches configured target version for branch (4.18.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-61662 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-61662 targets the "4.19.z" version, which is one of the valid target versions: 4.19.0, 4.19.z
  • bug has dependents

Requesting review from QA contact:
/cc @ShudiLi

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This is an automated cherry-pick of #2012

/assign Thealisyed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from Miciah, ShudiLi and frobware February 4, 2026 18:27
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 4, 2026

@openshift-cherrypick-robot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@benluddy
Copy link
Contributor

benluddy commented Feb 4, 2026

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 4, 2026
@benluddy
Copy link
Contributor

benluddy commented Feb 4, 2026

/approve
/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 4, 2026
@benluddy benluddy added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 4, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 4, 2026

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: benluddy, openshift-cherrypick-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Thealisyed added a commit to Thealisyed/openshift-apiserver that referenced this pull request Feb 9, 2026
@Thealisyed
WIP: Bump library-go for route path validation fix
2bf010a 
Bumps library-go to include the fix for OCPBUGS-47773 which rejects
routes with # or whitespace in spec.path.

Depends on: openshift/library-go#2117
@Thealisyed
Copy link

Thealisyed commented Feb 9, 2026

Launched a WIP PR in apiserver to test changes
invalid1.yaml

  apiVersion: route.openshift.io/v1                                                                                                                                                                                
  kind: Route                                                                                                                                                                                                    
  metadata:
    name: test-route-hash
    annotations:
      haproxy.router.openshift.io/rewrite-target: /
  spec:
    path: "/test-path#invalid"
    to:
      kind: Service
      name: test-svc
    port:
      targetPort: 8080
    tls:
      termination: edge

invalid2.yaml

  apiVersion: route.openshift.io/v1                                                                                                                                                                                
  kind: Route                                                                                                                                                                                                      
  metadata:                                                                                                                                                                                                        
    name: test-route-space
    annotations:
      haproxy.router.openshift.io/rewrite-target: /
  spec:
    path: "/test path with spaces"
    to:
      kind: Service
      name: test-svc
    port:
      targetPort: 8080
    tls:
      termination: edge

valid.yaml

  apiVersion: route.openshift.io/v1
  kind: Route
  metadata:
    name: test-route-valid
    annotations:
      haproxy.router.openshift.io/rewrite-target: /
  spec:
    path: "/valid-path"
    to:
      kind: Service
      name: test-svc
    port:
      targetPort: 8080
    tls:
      termination: edge

@Thealisyed
Copy link

Thealisyed commented Feb 9, 2026 

 oc get co ingress

NAME      VERSION                                                AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
ingress   4.20.0-0-2026-02-09-112846-test-ci-ln-0540hcb-latest   True        False         False      84m     

oc new-project test-validation
  oc create service clusterip test-svc --tcp=8080:8080

Already on project "test-validation" on server "https://api.ci-ln-0540hcb-72292.gcp-2.ci.openshift.org:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname

service/test-svc created

oc apply -f invalid1.yaml
The Route "test-route-hash" is invalid: spec.path: Invalid value: "/test-path#invalid": cannot contain # or spaces

oc get routes
No resources found in test-validation namespace.

oc get co ingress

NAME      VERSION                                                AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
ingress   4.20.0-0-2026-02-09-112846-test-ci-ln-0540hcb-latest   True        False         False      85m     

oc apply -f valid.yaml   
route.route.openshift.io/test-route-valid created

oc get routes

NAME               HOST/PORT                                                                          PATH          SERVICES   PORT   TERMINATION   WILDCARD
test-route-valid   test-route-valid-test-validation.apps.ci-ln-0540hcb-72292.gcp-2.ci.openshift.org   /valid-path   test-svc   8080   edge          None


oc get co ingress
NAME      VERSION                                                AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
ingress   4.20.0-0-2026-02-09-112846-test-ci-ln-0540hcb-latest   True        False         False      86m

@candita
Copy link
Contributor

candita commented Feb 10, 2026

@Thealisyed let's talk about the testing. It looks like your testing version 4.20.0-0-2026-02-09-112846-test-ci-ln-0540hcb-latest in #2117 (comment).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ShudiLi ShudiLi Awaiting requested review from ShudiLi

@frobware frobware Awaiting requested review from frobware

@Miciah Miciah Awaiting requested review from Miciah

Assignees

@benluddy benluddy

@Thealisyed Thealisyed

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@openshift-cherrypick-robot @openshift-ci-robot @benluddy @Thealisyed @candita