Allow RegularExpression for path match be RE2/PCRE friendly. (#4450)

Problem: Users had trouble specifying the PCRE style regex expressions when migrating from nginx-ingress

Solution: Use regexp2 to validate regular expression which is Perl5 library and ensure it is PCRE and RE2 friendly to avoid any breaking changes.

Author: salonichf5

go.mod

@@ -3,6 +3,7 @@ module github.com/nginx/nginx-gateway-fabric/v2
 go 1.24.2
 
 require (
+	github.com/dlclark/regexp2 v1.11.5
 	github.com/envoyproxy/go-control-plane/envoy v1.36.0
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/go-logr/logr v1.4.3

go.sum

@@ -35,6 +35,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
+github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM=
 github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=

internal/controller/nginx/config/validation/common.go

@@ -6,6 +6,7 @@ import (
 	"regexp"
 	"strings"
 
+	"github.com/dlclark/regexp2"
 	k8svalidation "k8s.io/apimachinery/pkg/util/validation"
 )
 
@@ -15,7 +16,7 @@ const (
 )
 
 var (
-	pathRegexp   = regexp.MustCompile("^" + pathFmt + "$")
+	pathRegexp   = regexp2.MustCompile("^"+pathFmt+"$", 0)
 	pathExamples = []string{"/", "/path", "/path/subpath-123"}
 )
 
@@ -91,7 +92,9 @@ func validatePath(path string) error {
 		return nil
 	}
 
-	if !pathRegexp.MatchString(path) {
+	if valid, err := pathRegexp.MatchString(path); err != nil {
+		return fmt.Errorf("failed to validate path %q: %w", path, err)
+	} else if !valid {
 		msg := k8svalidation.RegexError(pathErrMsg, pathFmt, pathExamples...)
 		return errors.New(msg)
 	}
@@ -108,56 +111,39 @@ func validatePathInMatch(path string) error {
 	if path == "" {
 		return errors.New("cannot be empty")
 	}
-
-	if !pathRegexp.MatchString(path) {
+	if valid, err := pathRegexp.MatchString(path); err != nil {
+		return fmt.Errorf("failed to validate path in match %q: %w", path, err)
+	} else if !valid {
 		msg := k8svalidation.RegexError(pathErrMsg, pathFmt, pathExamples...)
 		return errors.New(msg)
 	}
 
 	return nil
 }
 
-// validatePathInRegexMatch a path used in a regex location directive.
-// 1. Must be non-empty and start with '/'
-// 2. Forbidden characters in NGINX location context: {}, ;, whitespace
-// 3. Must compile under Go's regexp (RE2)
-// 4. Disallow unescaped '$' (NGINX variables / PCRE backrefs)
-// 5. Disallow lookahead/lookbehind (unsupported in RE2)
-// 6. Disallow backreferences like \1, \2 (RE2 unsupported).
+// validatePathInRegexMatch validates a path used in a regex location directive.
+//
+// It uses Perl5 compatible regexp2 package along with RE2 compatibility.
+//
+// Checks:
+//  1. Non-empty.
+//  2. Satisfies NGINX location path shape.
+//  3. Compiles as a regexp2 regular expression with RE2 option to support named capturing group.
+//     No extra bans on backrefs, lookarounds, '$'.
 func validatePathInRegexMatch(path string) error {
 	if path == "" {
 		return errors.New("cannot be empty")
 	}
 
-	if !pathRegexp.MatchString(path) {
-		return errors.New(k8svalidation.RegexError(pathErrMsg, pathFmt, pathExamples...))
-	}
-
-	if _, err := regexp.Compile(path); err != nil {
-		return fmt.Errorf("invalid RE2 regex for path '%s': %w", path, err)
-	}
-
-	for i := range len(path) {
-		if path[i] == '$' && (i == 0 || path[i-1] != '\\') {
-			return fmt.Errorf("invalid unescaped `$` at position %d in path '%s'", i, path)
-		}
-	}
-
-	lookarounds := []string{"(?=", "(?!", "(?<=", "(?<!"}
-	for _, la := range lookarounds {
-		if strings.Contains(path, la) {
-			return fmt.Errorf("lookahead/lookbehind '%s' found in path '%s' which is not supported in RE2", la, path)
-		}
+	if valid, err := pathRegexp.MatchString(path); err != nil {
+		return fmt.Errorf("failed to validate path %q: %w", path, err)
+	} else if !valid {
+		msg := k8svalidation.RegexError(pathErrMsg, pathFmt, pathExamples...)
+		return errors.New(msg)
 	}
 
-	backref := regexp.MustCompile(`\\[0-9]+`)
-	matches := backref.FindAllStringIndex(path, -1)
-	if len(matches) > 0 {
-		var positions []string
-		for _, m := range matches {
-			positions = append(positions, fmt.Sprintf("[%d-%d]", m[0], m[1]))
-		}
-		return fmt.Errorf("backreference(s) %v found in path '%s' which are not supported in RE2", positions, path)
+	if _, err := regexp2.Compile(path, regexp2.RE2); err != nil {
+		return fmt.Errorf("invalid regex for path %q: %w", path, err)
 	}
 
 	return nil

internal/controller/nginx/config/validation/common_test.go

@@ -127,29 +127,37 @@ func TestValidatePathInRegexMatch(t *testing.T) {
 	testValidValuesForSimpleValidator(
 		t,
 		validator,
-		`/api/v[0-9]+`,
-		`/users/(?P<id>[0-9]+)`,
-		`/foo_service/\w+`,
-		`/foo/bar`,
-		`/foo/\\$bar`,
+		`/api/v[0-9]+`,                 // basic char class + quantifier
+		`/users/(?P<id>[0-9]+)`,        // re2-style named group
+		`/users/(?<id>[0-9]+)`,         // pcre-style named group
+		`/foo_service/\w+`,             // \w class
+		`/foo/bar`,                     // plain literal path
+		`/foo/\\$bar`,                  // escaped backslash + dollar
+		`/foo/(\w+)\1$`,                // numeric backreference
+		`/foo(?=bar)/baz`,              // lookahead
+		`/(service\/(?!private/).*)`,   // negative lookahead
+		`/rest/.*/V1/order/get/.*`,     // wildcard match
+		`/users/(?P<id>[0-9]+)/\k<id>`, // named backreference
+		`/foo(?<=/foo)\w+`,             // fixed-width lookbehind
+		`/foo(?<=\w+)bar`,              // variable-width lookbehind
+		`/foo(?=bar)`,                  // lookahead
+		`/users/(?=admin|staff)\w+`,    // alternation in lookahead
+		`/api/v1(?=/)`,                 // lookahead for slash
 	)
 
 	testInvalidValuesForSimpleValidator(
 		t,
 		validator,
-		``,
-		`(foo`,
-		`/path with space`,
-		`/foo;bar`,
-		`/foo{2}`,
-		`/foo$bar`,
-		`/foo(?=bar)`,
-		`/foo(?!bar)`,
-		`/foo(?<=bar)`,
-		`/foo(?<!bar)`,
-		`(\w+)\1$`,
-		`(\w+)\2$`,
-		`/foo/(?P<bad-name>[0-9]+)`,
-		`/foo/(?P<bad name>[0-9]+)`,
+		``,                          // empty: must be non-empty
+		`(foo`,                      // unbalanced parenthesis
+		`/path with space`,          // whitespace forbidden by pathFmt
+		`/foo;bar`,                  // ';' forbidden by pathFmt
+		`/foo{2}`,                   // '{' '}' forbidden by pathFmt
+		`(\w+)\2$`,                  // invalid backref: group 2 doesn't exist
+		`/foo/(?P<bad-name>[0-9]+)`, // invalid group name: hyphen not allowed
+		`/foo/(?P<bad name>[0-9]+)`, // invalid group name: space not allowed
+		`(\w+)\2$`,                  // invalid backref: group 2 doesn't exist
+		`/users/\k<nonexistent>`,    // invalid named backreference
+		`^(([a-z])+)+$`,             // nested quantifiers not allowed
 	)
 }