
Commit 675d6b0

chris-rockclaude
andcommitted
Add 256-character length limit for annotation keys and values
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent fd3d222 commit 675d6b0

2 files changed

Lines changed: 36 additions & 2 deletions


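--- a/pkg/annotations/annotations.go
+++ b/pkg/annotations/annotations.go
@@ -29,9 +29,12 @@ func AnnotationArgs(annotations map[string]string) []string {
 return args
 }
 
+const maxAnnotationLength = 256
+
 // Validate checks that annotation keys and values are well-formed for use as
-// cnspec --annotation key=value CLI arguments. Keys must be non-empty and must
-// not contain '='. Values must be non-empty.
+// cnspec --annotation key=value CLI arguments. Keys must be non-empty, must
+// not contain '=', and both keys and values must not exceed 256 characters.
+// Values must be non-empty.
 func Validate(annotations map[string]string) error {
 for k, v := range annotations {
 if k == "" {
@@ -40,9 +43,15 @@ func Validate(annotations map[string]string) error {
 if strings.Contains(k, "=") {
 return fmt.Errorf("annotation key %q must not contain '='", k)
 }
+if len(k) > maxAnnotationLength {
+return fmt.Errorf("annotation key %q exceeds maximum length of %d characters", k, maxAnnotationLength)
+}
 if v == "" {
 return fmt.Errorf("annotation value for key %q must not be empty", k)
 }
+if len(v) > maxAnnotationLength {
+return fmt.Errorf("annotation value for key %q exceeds maximum length of %d characters", k, maxAnnotationLength)
+}
 }
 return nil
 }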
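Review bot: The new over-length key branch formats the entire rejected key with `%q`, so the error string (and any log that records it) grows with the oversized input; the existing `strings.Contains(k, "=")` branch has the same effect because it runs before the length check. Consider moving the length check ahead of the '=' check and reporting the size instead of the content, e.g. `return fmt.Errorf("annotation key of %d bytes exceeds maximum length of %d", len(k), maxAnnotationLength)`. Separately, `len(k)` and `len(v)` count bytes, not characters, so a multibyte UTF-8 key can be rejected well under 256 characters; the doc comment and both messages should say "bytes", or the checks should use `utf8.RuneCountInString`. The body of the `if k == ""` branch falls between the two hunks and is not shown.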

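--- a/pkg/annotations/annotations_test.go
+++ b/pkg/annotations/annotations_test.go
@@ -4,6 +4,7 @@
 package annotations
 
 import (
+"strings"
 "testing"
 
 "github.com/stretchr/testify/assert"
@@ -72,4 +73,28 @@ func TestValidate(t *testing.T) {
 require.Error(t, err)
 assert.Contains(t, err.Error(), "must not be empty")
 })
+
+t.Run("key at max length is valid", func(t *testing.T) {
+longKey := strings.Repeat("k", 256)
+assert.NoError(t, Validate(map[string]string{longKey: "value"}))
+})
+
+t.Run("key exceeding max length is rejected", func(t *testing.T) {
+longKey := strings.Repeat("k", 257)
+err := Validate(map[string]string{longKey: "value"})
+require.Error(t, err)
+assert.Contains(t, err.Error(), "exceeds maximum length of 256")
+})
+
+t.Run("value at max length is valid", func(t *testing.T) {
+longVal := strings.Repeat("v", 256)
+assert.NoError(t, Validate(map[string]string{"key": longVal}))
+})
+
+t.Run("value exceeding max length is rejected", func(t *testing.T) {
+longVal := strings.Repeat("v", 257)
+err := Validate(map[string]string{"key": longVal})
+require.Error(t, err)
+assert.Contains(t, err.Error(), "exceeds maximum length of 256")
+})
 }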
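Review bot: The four boundary cases use only single-byte ASCII (`strings.Repeat("k", 256)`), so they cannot distinguish a byte limit from a character limit, which is where `len()` and the "characters" wording in the error messages diverge. A case such as `strings.Repeat("é", 200)` (200 characters, 400 bytes) with the intended outcome asserted would pin the semantics. The literals 256 and 257 could be derived from the package constant (`strings.Repeat("k", maxAnnotationLength+1)`) so the tests follow the limit if it changes. Both rejection cases assert the same substring, so also checking for `"annotation key"` versus `"annotation value for key"` would catch the two branches being swapped. TestValidate begins outside the hunk.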
