Reject invalid whitespace in HM url_path value

Plain whitespace characters in url_path must be rejected because
they may allow authorized users to inject arbitrary HAProxy
directives in the configuration of amphorae.

Story: 2008994
Task: 42656
Change-Id: I0f4c59a2928f2a813171109aaf73a1d7dff9eefe

octavia/common/validate.py

@@ -55,6 +55,7 @@ def url_path(url_path):
         p_url = rfc3986.urlparse(rfc3986.normalize_uri(url_path))
 
         invalid_path = (
+            re.search(r"\s", url_path) or
             p_url.scheme or p_url.userinfo or p_url.host or
             p_url.port or
             p_url.path is None or

octavia/tests/unit/common/test_validate.py

@@ -44,6 +44,15 @@ class TestValidations(base.TestCase):
         self.assertRaises(exceptions.InvalidURL, validate.url,
                           'ssh://www.example.com/')
 
+    def test_validate_url_path(self):
+        self.assertTrue(validate.url_path('/foo'))
+        self.assertTrue(validate.url_path('/foo%0Abar'))
+
+    def test_validate_bad_url_path(self):
+        self.assertRaises(exceptions.InvalidURLPath, validate.url_path, 'foo')
+        self.assertRaises(exceptions.InvalidURLPath, validate.url_path,
+                          '/foo\nbar')
+
     def test_validate_header_name(self):
         ret = validate.header_name('Some-header')
         self.assertTrue(ret)

releasenotes/notes/validate-url_path-value-in-requests-3eb3adedcd696433.yaml

@@ -0,0 +1,7 @@
+---
+issues:
+  - |
+    Fixed configuration issue which allowed authenticated and authorized
+    users to inject code into HAProxy configuration using API requests.
+    Octavia API no longer accepts unencoded whitespace characters in url_path values
+    in update requests for healthmonitors.