Skip to content

Shoot input validation#1479

Merged
kon-angelo merged 3 commits intomasterfrom
feature/input-validation
Sep 18, 2025
Merged

Shoot input validation#1479
kon-angelo merged 3 commits intomasterfrom
feature/input-validation

Conversation

@kon-angelo
Copy link
Copy Markdown
Contributor

@kon-angelo kon-angelo commented Sep 17, 2025
edited
Loading

How to categorize this PR?

/area control-plane
/kind enhancement
/platform aws

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #1491

Special notes for your reviewer:

Release note:

Input validation for shoot fields

kon-angelo and others added 2 commits September 17, 2025 17:06
@kon-angelo @hebelsan
Add input validation (#6)
eb129da 
Co-authored-by: Alexander Hebel <a.hebelsun@gmail.com>
@hebelsan @kon-angelo
Fix AWS IAM instance profile input validation
7961a9e
@kon-angelo kon-angelo requested a review from a team as a code owner September 17, 2025 15:14
@gardener-robot gardener-robot added area/control-plane Control plane related kind/enhancement Enhancement, improvement, extension platform/aws Amazon web services platform/infrastructure needs/review Needs review size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 17, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Sep 17, 2025
@gardener-robot gardener-robot added the needs/second-opinion Needs second review by someone else label Sep 17, 2025
@github-actions github-actions bot added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Sep 17, 2025
hebelsan
hebelsan reviewed Sep 17, 2025
View reviewed changes
pkg/apis/aws/validation/filter.go Outdated
GatewayEndpointRegex = `^\w+(\.\w+)*$`

validateK8sResourceName = combineValidationFuncs(regex(k8sResourceNameRegex), minLength(1), maxLength(253))
validateVpcID = combineValidationFuncs(regex(VpcIDRegex), maxLength(255))
Copy link
Copy Markdown
Contributor

@hebelsan hebelsan Sep 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With the current approach, if an empty value is checked by a validator without minLength() it will pass through, because regex returns early without error...
I don't think this is the behaviour we want.
we could add minLength(1) to all or adjust the regex function.

Copy link
Copy Markdown
Contributor

@hebelsan hebelsan Sep 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, we should add test cases for these empty values!

hebelsan
hebelsan reviewed Sep 17, 2025
View reviewed changes
pkg/apis/aws/validation/filter.go Outdated
return func(name string, fld *field.Path) field.ErrorList {
var allErrs field.ErrorList
if utf8.RuneCountInString(name) < min {
return field.ErrorList{field.Invalid(fld, name, fmt.Sprintf("must not be fewer than %d characters, got %d", min, len(name)))}
Copy link
Copy Markdown
Contributor

@hebelsan hebelsan Sep 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To prevent confusion, let's use utf8.RuneCountInString() also in the error message.

wpross
wpross requested changes Sep 18, 2025
View reviewed changes
@gardener-robot gardener-robot added the needs/changes Needs (more) changes label Sep 18, 2025
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Sep 18, 2025

The changes primarily revolve around validating AWS configuration inputs more strictly by introducing various regular expressions. It enhances input validation for a range of AWS resource identifiers and names, including VPC IDs, IAM instance profile names and ARNs, and more. This will improve error handling and user experience by capturing invalid configurations earlier. The accompanying tests ensure these validations work as intended.

Walkthrough

  • New Feature: Added validation rules for AWS resource names (e.g., ingress class name, VPC IDs) using regex patterns.
  • Test: Introduced new test cases to validate configurations using regex patterns; ensures that only valid inputs are accepted.
  • Refactor: Consolidated validation logic into reusable functions for various AWS resource identifiers and names.
  • Chore: Updated function and variable names for enhanced clarity and alignment with refactored code logic.

Model: gpt-4o | Prompt Tokens: 7124 | Completion Tokens: 170

@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Sep 18, 2025
@github-actions github-actions bot removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Sep 18, 2025
hebelsan
hebelsan approved these changes Sep 18, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@hebelsan hebelsan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging and removed needs/changes Needs (more) changes needs/review Needs review needs/second-opinion Needs second review by someone else labels Sep 18, 2025
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Sep 18, 2025
@github-actions github-actions bot removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Sep 18, 2025
@kon-angelo kon-angelo requested a review from wpross September 18, 2025 12:01
@kon-angelo kon-angelo merged commit cb5045f into master Sep 18, 2025
90 checks passed
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Sep 18, 2025
@kon-angelo kon-angelo deleted the feature/input-validation branch September 18, 2025 13:04
@ghost ghost added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Sep 25, 2025
@wpross wpross mentioned this pull request Dec 19, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hebelsan hebelsan hebelsan approved these changes

@wpross wpross wpross approved these changes

Assignees

No one assigned

Labels

area/control-plane Control plane related kind/enhancement Enhancement, improvement, extension needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) platform/aws Amazon web services platform/infrastructure reviewed/lgtm Has approval for merging reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) size/L Denotes a PR that changes 100-499 lines, ignoring generated files. status/closed Issue is closed (either delivered or triaged)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CVE-2025-59823: Terraform code injection may be possible when Terraformer is used for infrastructure provisioning

6 participants

@kon-angelo @hebelsan @wpross @gardener-robot-ci-1 @gardener-robot-ci-2 @gardener-robot