Add missing control char on regex validation

internal/ingress/controller/controller.go

@@ -305,6 +305,18 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 
 	k8s.SetDefaultNGINXPathType(ing)
 
+	for _, rule := range ing.Spec.Rules {
+		if rule.HTTP == nil {
+			continue
+		}
+
+		for _, path := range rule.HTTP.Paths {
+			if !utilingress.IsSafePath(ing, path.Path) {
+				return fmt.Errorf("ingress contains invalid path: %s", path.Path)
+			}
+		}
+	}
+
 	allIngresses := n.store.ListIngresses()
 
 	filter := func(toCheck *ingress.Ingress) bool {

internal/ingress/controller/controller_test.go

@@ -339,6 +339,23 @@ func TestCheckIngress(t *testing.T) {
 				t.Errorf("with a new ingress without error, no error should be returned")
 			}
 		})
+
+		t.Run("When invalid path is passed to Ingress", func(t *testing.T) {
+			nginx.store = fakeIngressStore{
+				ingresses: []*ingress.Ingress{},
+			}
+			nginx.command = testNginxTestCommand{
+				t:   t,
+				err: nil,
+			}
+			ing.Spec.Rules[0].HTTP.Paths = append(ing.Spec.Rules[0].HTTP.Paths, networking.HTTPIngressPath{
+				Path: "/foo/bar/;xpto",
+			})
+			if err := nginx.CheckIngress(ing); err == nil {
+				t.Errorf("with an invalid path, ingress should be rejected")
+			}
+		})
+
 	})
 
 	t.Run("When the ingress is marked as deleted", func(t *testing.T) {

pkg/util/ingress/ingress.go

@@ -32,14 +32,14 @@ import (
 
 const (
 	alphaNumericChars = `\-\.\_\~a-zA-Z0-9/`
-	regexEnabledChars = `\^\$\[\]\(\)\{\}\*\+`
+	regexEnabledChars = `\^\$\[\]\(\)\{\}\*\+\?\|`
 )
 
 var (
 	// pathAlphaNumeric is a regex validation of something like "^/[a-zA-Z]+$" on path
-	pathAlphaNumeric = regexp.MustCompile("^/[" + alphaNumericChars + "]*$").MatchString
+	pathAlphaNumeric = regexp.MustCompile("^[/" + alphaNumericChars + "]*$").MatchString
 	// pathRegexEnabled is a regex validation of paths that may contain regex.
-	pathRegexEnabled = regexp.MustCompile("^/[" + alphaNumericChars + regexEnabledChars + "]*$").MatchString
+	pathRegexEnabled = regexp.MustCompile("^[/" + alphaNumericChars + regexEnabledChars + "]*$").MatchString
 )
 
 func GetRemovedHosts(rucfg, newcfg *ingress.Configuration) []string {
@@ -251,7 +251,17 @@ func BuildRedirects(servers []*ingress.Server) []*redirect {
 // It will behave differently if regex is enabled or not
 func IsSafePath(copyIng *networkingv1.Ingress, path string) bool {
 	isRegex, _ := parser.GetBoolAnnotation("use-regex", copyIng)
-	if isRegex {
+	isRewrite, _ := parser.GetBoolAnnotation("rewrite-target", copyIng)
+	isImplSpecific := false
+	for _, rules := range copyIng.Spec.Rules {
+		for _, paths := range rules.HTTP.Paths {
+			if paths.PathType != nil && *paths.PathType == networkingv1.PathTypeImplementationSpecific {
+				isImplSpecific = true
+				break
+			}
+		}
+	}
+	if isRegex || isRewrite || isImplSpecific {
 		return pathRegexEnabled(path)
 	}
 	return pathAlphaNumeric(path)

pkg/util/ingress/ingress_test.go

@@ -158,6 +158,18 @@ func TestIsSafePath(t *testing.T) {
 		path    string
 		want    bool
 	}{
+		{
+			name:    "should accept empty path",
+			want:    true,
+			copyIng: generateDumbIngressforPathTest(false),
+			path:    "",
+		},
+		{
+			name:    "should accept / path",
+			want:    true,
+			copyIng: generateDumbIngressforPathTest(false),
+			path:    "/",
+		},
 		{
 			name:    "should accept valid path with regex disabled",
 			want:    true,
@@ -194,6 +206,18 @@ func TestIsSafePath(t *testing.T) {
 			copyIng: generateDumbIngressforPathTest(true),
 			path:    "/foo/bar/(.+)",
 		},
+		{
+			name:    "should accept another regex path when regex is enabled",
+			want:    true,
+			copyIng: generateDumbIngressforPathTest(true),
+			path:    "/v1/?(.*)",
+		},
+		{
+			name:    "should accept more regex path when regex is enabled",
+			want:    true,
+			copyIng: generateDumbIngressforPathTest(true),
+			path:    "/something(/|$)(.*)",
+		},
 		{
 			name:    "should reject regex path when regex is enabled but the path is invalid",
 			want:    false,