From bb8dfa568a8b7f738366bdbf0a3b08382a9edd2d Mon Sep 17 00:00:00 2001
From: Jesper Noordsij <45041769+jnoordsij@users.noreply.github.com>
Date: Tue, 8 Apr 2025 09:38:04 +0200
Subject: [PATCH] Restrict regex validation of HTTP status codes for Ingress
 CRD resources

---
 .../dynamic-configuration/kubernetes-crd-definition-v1.yml      | 2 +-
 .../reference/dynamic-configuration/traefik.io_middlewares.yaml | 2 +-
 integration/fixtures/k8s/01-traefik-crd.yml                     | 2 +-
 pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go    | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
index f14cce498..e97835ef1 100644
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
@@ -1250,7 +1250,7 @@ spec:
                       as ranges by separating two codes with a dash (500-599),
                       or a combination of the two (404,418,500-599).
                     items:
-                      pattern: ^([0-5][0-9]{2}[,-]?)+$
+                      pattern: ^([1-5][0-9]{2}[,-]?)+$
                       type: string
                     type: array
                   statusRewrites:
diff --git a/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml b/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
index 0f576eb39..404d1d3b6 100644
--- a/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
@@ -481,7 +481,7 @@ spec:
                       as ranges by separating two codes with a dash (500-599),
                       or a combination of the two (404,418,500-599).
                     items:
-                      pattern: ^([0-5][0-9]{2}[,-]?)+$
+                      pattern: ^([1-5][0-9]{2}[,-]?)+$
                       type: string
                     type: array
                   statusRewrites:
diff --git a/integration/fixtures/k8s/01-traefik-crd.yml b/integration/fixtures/k8s/01-traefik-crd.yml
index f14cce498..e97835ef1 100644
--- a/integration/fixtures/k8s/01-traefik-crd.yml
+++ b/integration/fixtures/k8s/01-traefik-crd.yml
@@ -1250,7 +1250,7 @@ spec:
                       as ranges by separating two codes with a dash (500-599),
                       or a combination of the two (404,418,500-599).
                     items:
-                      pattern: ^([0-5][0-9]{2}[,-]?)+$
+                      pattern: ^([1-5][0-9]{2}[,-]?)+$
                       type: string
                     type: array
                   statusRewrites:
diff --git a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go
index f42f43a5f..a64ae9579 100644
--- a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go
+++ b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go
@@ -67,7 +67,7 @@ type ErrorPage struct {
 	// as multiple comma-separated numbers (500,502),
 	// as ranges by separating two codes with a dash (500-599),
 	// or a combination of the two (404,418,500-599).
-	// +kubebuilder:validation:items:Pattern=`^([0-5][0-9]{2}[,-]?)+$`
+	// +kubebuilder:validation:items:Pattern=`^([1-5][0-9]{2}[,-]?)+$`
 	Status []string `json:"status,omitempty"`
 	// StatusRewrites defines a mapping of status codes that should be returned instead of the original error status codes.
 	// For example: "418": 404 or "410-418": 404