nginx
diff --git a/‎internal/k8s/validation.go‎
Lines changed: 30 additions & 6 deletions b/‎internal/k8s/validation.go‎
Lines changed: 30 additions & 6 deletions
diff --git a/‎internal/k8s/validation_test.go‎
Lines changed: 80 additions & 12 deletions b/‎internal/k8s/validation_test.go‎
Lines changed: 80 additions & 12 deletions
@@ -64,13 +64,24 @@ const (
 )
 
 const (
-	commaDelimiter           = ","
-	annotationValueFmt       = `([^"$\\]|\\[^$])*`
-	jwtTokenValueFmt         = "\\$" + annotationValueFmt
+	commaDelimiter     = ","
+	annotationValueFmt = `([^"$\\]|\\[^$])*`
+	pathFmt            = `/[^\s{};]*`
+	jwtTokenValueFmt   = "\\$" + annotationValueFmt
+)
+
+const (
 	annotationValueFmtErrMsg = `a valid annotation value must have all '"' escaped and must not contain any '$' or end with an unescaped '\'`
+	pathErrMsg               = "must start with / and must not include any whitespace character, `{`, `}` or `;`"
 	jwtTokenValueFmtErrMsg   = `a valid annotation value must start with '$', have all '"' escaped, and must not contain any '$' or end with an unescaped '\'`
 )
 
+var (
+	pathRegexp                        = regexp.MustCompile("^" + pathFmt + "$")
+	validAnnotationValueRegex         = regexp.MustCompile("^" + annotationValueFmt + "$")
+	validJWTTokenAnnotationValueRegex = regexp.MustCompile("^" + jwtTokenValueFmt + "$")
+)
+
 type annotationValidationContext struct {
 	annotations           map[string]string
 	specServices          map[string]bool
@@ -90,9 +101,6 @@ type (
 	validatorFunc              func(val string) error
 )
 
-var validAnnotationValueRegex = regexp.MustCompile("^" + annotationValueFmt + "$")
-var validJWTTokenAnnotationValueRegex = regexp.MustCompile("^" + jwtTokenValueFmt + "$")
-
 var (
 	// annotationValidations defines the various validations which will be applied in order to each ingress annotation.
 	// If any specified validation fails, the remaining validations for that annotation will not be run.
@@ -729,6 +737,7 @@ func validateIngressSpec(spec *networking.IngressSpec, fieldPath *field.Path) fi
 		for _, path := range r.HTTP.Paths {
 			idxPath := idxRule.Child("http").Child("path").Index(i)
 
+			allErrs = append(allErrs, validatePath(path.Path, fieldPath)...)
 			allErrs = append(allErrs, validateBackend(&path.Backend, idxPath.Child("backend"))...)
 		}
 	}
@@ -746,6 +755,21 @@ func validateBackend(backend *networking.IngressBackend, fieldPath *field.Path)
 	return allErrs
 }
 
+func validatePath(path string, fieldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if path == "" {
+		return append(allErrs, field.Required(fieldPath, ""))
+	}
+
+	if !pathRegexp.MatchString(path) {
+		msg := validation.RegexError(pathErrMsg, pathFmt, "/", "/path", "/path/subpath-123")
+		return append(allErrs, field.Invalid(fieldPath, path, msg))
+	}
+
+	return allErrs
+}
+
 func validateMasterSpec(spec *networking.IngressSpec, fieldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 
@@ -2544,7 +2544,7 @@ func TestValidateNginxIngressAnnotations(t *testing.T) {
 func TestValidateIngressSpec(t *testing.T) {
 	tests := []struct {
 		spec           *networking.IngressSpec
-		expectedErrors []string
+		expectedErrors []field.ErrorType
 		msg            string
 	}{
 		{
@@ -2570,6 +2570,56 @@ func TestValidateIngressSpec(t *testing.T) {
 			expectedErrors: nil,
 			msg:            "valid input",
 		},
+		{
+			spec: &networking.IngressSpec{
+				Rules: []networking.IngressRule{
+					{
+						Host: "foo.example.com",
+						IngressRuleValue: networking.IngressRuleValue{
+							HTTP: &networking.HTTPIngressRuleValue{
+								Paths: []networking.HTTPIngressPath{
+									{
+										Path: `/tea\{custom_value}`,
+										Backend: networking.IngressBackend{
+											Service: &networking.IngressServiceBackend{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedErrors: []field.ErrorType{
+				field.ErrorTypeInvalid,
+			},
+			msg: "test invalid characters in path",
+		},
+		{
+			spec: &networking.IngressSpec{
+				Rules: []networking.IngressRule{
+					{
+						Host: "foo.example.com",
+						IngressRuleValue: networking.IngressRuleValue{
+							HTTP: &networking.HTTPIngressRuleValue{
+								Paths: []networking.HTTPIngressPath{
+									{
+										Path: "",
+										Backend: networking.IngressBackend{
+											Service: &networking.IngressServiceBackend{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedErrors: []field.ErrorType{
+				field.ErrorTypeRequired,
+			},
+			msg: "test empty in path",
+		},
 		{
 			spec: &networking.IngressSpec{
 				DefaultBackend: &networking.IngressBackend{
@@ -2588,8 +2638,8 @@ func TestValidateIngressSpec(t *testing.T) {
 			spec: &networking.IngressSpec{
 				Rules: []networking.IngressRule{},
 			},
-			expectedErrors: []string{
-				"spec.rules: Required value",
+			expectedErrors: []field.ErrorType{
+				field.ErrorTypeRequired,
 			},
 			msg: "zero rules",
 		},
@@ -2601,8 +2651,8 @@ func TestValidateIngressSpec(t *testing.T) {
 					},
 				},
 			},
-			expectedErrors: []string{
-				"spec.rules[0].host: Required value",
+			expectedErrors: []field.ErrorType{
+				field.ErrorTypeRequired,
 			},
 			msg: "empty host",
 		},
@@ -2617,8 +2667,8 @@ func TestValidateIngressSpec(t *testing.T) {
 					},
 				},
 			},
-			expectedErrors: []string{
-				`spec.rules[1].host: Duplicate value: "foo.example.com"`,
+			expectedErrors: []field.ErrorType{
+				field.ErrorTypeDuplicate,
 			},
 			msg: "duplicated host",
 		},
@@ -2633,8 +2683,8 @@ func TestValidateIngressSpec(t *testing.T) {
 					},
 				},
 			},
-			expectedErrors: []string{
-				"spec.defaultBackend.resource: Forbidden: resource backends are not supported",
+			expectedErrors: []field.ErrorType{
+				field.ErrorTypeForbidden,
 			},<
6968
/div>
 			msg: "invalid default backend",
 		},
@@ -2658,16 +2708,16 @@ func TestValidateIngressSpec(t *testing.T) {
 					},
 				},
 			},
-			expectedErrors: []string{
-				"spec.rules[0].http.path[0].backend.resource: Forbidden: resource backends are not supported",
+			expectedErrors: []field.ErrorType{
+				field.ErrorTypeForbidden,
 			},
 			msg: "invalid backend",
 		},
 	}
 
 	for _, test := range tests {
 		allErrs := validateIngressSpec(test.spec, field.NewPath("spec"))
-		assertion := assertErrors("validateIngressSpec()", test.msg, allErrs, test.expectedErrors)
+		assertion := assertErrorTypes(test.msg, allErrs, test.expectedErrors)
 		if assertion != "" {
 			t.Error(assertion)
 		}
@@ -2843,6 +2893,14 @@ func TestValidateMinionSpec(t *testing.T) {
 	}
 }
 
+func assertErrorTypes(msg string, allErrs field.ErrorList, expectedErrors []field.ErrorType) string {
+	returnedErrors := errorListToTypes(allErrs)
+	if !reflect.DeepEqual(returnedErrors, expectedErrors) {
+		return fmt.Sprintf("%s returned %s but expected %s", msg, returnedErrors, expectedErrors)
+	}
+	return ""
+}
+
 func assertErrors(funcName string, msg string, allErrs field.ErrorList, expectedErrors []string) string {
 	errors := errorListToStrings(allErrs)
 	if !reflect.DeepEqual(errors, expectedErrors) {
@@ -2865,6 +2923,16 @@ func errorListToStrings(list field.ErrorList) []string {
 	return result
 }
 
+func errorListToTypes(list field.ErrorList) []field.ErrorType {
+	var result []field.ErrorType
+
+	for _, e := range list {
+		result = append(result, e.Type)
+	}
+
+	return result
+}
+
 func TestGetSpecServices(t *testing.T) {
 	tests := []struct {
 		spec     networking.IngressSpec