This is a followup PR to openshift#1364

The header name max size limit is changed to 255. This was changed as haproxy does not allow more 255 bytes to be set for header name because of the reason mentioned here: https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/ Issue link: https://issues.redhat.com/browse/OCPBUGS-17414
martin-aders · Aug 7, 2023 · 806dcee · 806dcee
1 parent 26b8597
commit 806dcee
Show file tree

Hide file tree

Showing 11 changed files with 28 additions and 28 deletions.
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
diff --git a/openapi/openapi.json b/openapi/openapi.json
@@ -25579,7 +25579,7 @@
           "$ref": "#/definitions/com.github.openshift.api.operator.v1.IngressControllerHTTPHeaderActionUnion"
         },
         "name": {
-          "description": "name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, \"-!#$%&'*+.^_`\". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.",
+          "description": "name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, \"-!#$%&'*+.^_`\". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.",
           "type": "string",
           "default": ""
         }
@@ -31438,7 +31438,7 @@
           "$ref": "#/definitions/com.github.openshift.api.route.v1.RouteHTTPHeaderActionUnion"
         },
         "name": {
-          "description": "name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, \"-!#$%&'*+.^_`\". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.",
+          "description": "name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, \"-!#$%&'*+.^_`\". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.",
           "type": "string",
           "default": ""
         }

diff --git a/operator/v1/0000_50_ingress-operator_00-ingresscontroller.crd.yaml b/operator/v1/0000_50_ingress-operator_00-ingresscontroller.crd.yaml
@@ -296,8 +296,8 @@ spec:
                                   - message: set is required when type is Set, and forbidden otherwise
                                     rule: 'has(self.type) && self.type == ''Set'' ?  has(self.set) : !has(self.set)'
                               name:
-                                description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.'
-                                maxLength: 1024
+                                description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.'
+                                maxLength: 255
                                 minLength: 1
                                 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$
                                 type: string
@@ -356,8 +356,8 @@ spec:
                                   - message: set is required when type is Set, and forbidden otherwise
                                     rule: 'has(self.type) && self.type == ''Set'' ?  has(self.set) : !has(self.set)'
                               name:
-                                description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.'
-                                maxLength: 1024
+                                description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.'
+                                maxLength: 255
                                 minLength: 1
                                 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$
                                 type: string

diff --git a/operator/v1/types_ingress.go b/operator/v1/types_ingress.go
@@ -1473,11 +1473,11 @@ type IngressControllerHTTPHeader struct {
 	// The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`".
 	// The following header names are reserved and may not be modified via this API:
 	// Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie.
-	// It must be no more than 1024 characters in length.
+	// It must be no more than 255 characters in length.
 	// Header name must be unique.
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:MaxLength=1024
+	// +kubebuilder:validation:MaxLength=255
 	// +kubebuilder:validation:Pattern="^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$"
 	// +kubebuilder:validation:XValidation:rule="self.lowerAscii() != 'strict-transport-security'",message="strict-transport-security header may not be modified via header actions"
 	// +kubebuilder:validation:XValidation:rule="self.lowerAscii() != 'proxy'",message="proxy header may not be modified via header actions"

diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go
diff --git a/route/v1/generated.proto b/route/v1/generated.proto
diff --git a/route/v1/route-CustomNoUpgrade.crd.yaml b/route/v1/route-CustomNoUpgrade.crd.yaml
@@ -128,9 +128,9 @@ spec:
                                   - rule: 'has(self.type) && self.type == ''Set'' ?  has(self.set) : !has(self.set)'
                                     message: set is required when type is Set, and forbidden otherwise
                               name:
-                                description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.'
+                                description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.'
                                 type: string
-                                maxLength: 1024
+                                maxLength: 255
                                 minLength: 1
                                 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$
                                 x-kubernetes-validations:
@@ -186,9 +186,9 @@ spec:
                                   - rule: 'has(self.type) && self.type == ''Set'' ?  has(self.set) : !has(self.set)'
                                     message: set is required when type is Set, and forbidden otherwise
                               name:
-                                description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.'
+                                description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.'
                                 type: string
-                                maxLength: 1024
+                                maxLength: 255
                                 minLength: 1
                                 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$
                                 x-kubernetes-validations:

diff --git a/route/v1/route-TechPreviewNoUpgrade.crd.yaml b/route/v1/route-TechPreviewNoUpgrade.crd.yaml
@@ -128,9 +128,9 @@ spec:
                                   - rule: 'has(self.type) && self.type == ''Set'' ?  has(self.set) : !has(self.set)'
                                     message: set is required when type is Set, and forbidden otherwise
                               name:
-                                description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.'
+                                description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.'
                                 type: string
-                                maxLength: 1024
+                                maxLength: 255
                                 minLength: 1
                                 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$
                                 x-kubernetes-validations:
@@ -186,9 +186,9 @@ spec:
                                   - rule: 'has(self.type) && self.type == ''Set'' ?  has(self.set) : !has(self.set)'
                                     message: set is required when type is Set, and forbidden otherwise
                               name:
-                                description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.'
+                                description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.'
                                 type: string
-                                maxLength: 1024
+                                maxLength: 255
                                 minLength: 1
                                 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$
                                 x-kubernetes-validations: