admin: reject slash-bearing table names at create time (Codex P2)

bootjp · bootjp · commit 3b0d05d4009a · 2026-04-25T23:20:16.000+09:00
handleDescribe and handleDelete already 404 on names containing '/',
so a user could create `foo/bar` and then never be able to manage
it through the admin surface — orphaned tables would only be
reachable via the SigV4 path, which is exactly the asymmetry Codex
flagged.

validateCreateTableRequest now rejects '/' before the request
reaches the source. Tests cover single-slash and multi-slash
names alongside the existing trailing-JSON / unknown-field cases.
diff --git a/internal/admin/dynamo_handler.go b/internal/admin/dynamo_handler.go
@@ -383,6 +383,16 @@ func validateCreateTableRequest(in *CreateTableRequest) error {
 	if strings.TrimSpace(in.TableName) == "" {
 		return errors.New("table_name is required")
 	}
+	// Reject slash-bearing names symmetrically with handleDescribe
+	// and handleDelete, which already 404 on `/`. Without this
+	// guard a user could create `foo/bar` and then never be able
+	// to describe or delete it through the same admin surface —
+	// the orphaned table would be reachable only through the SigV4
+	// path. Blocking the asymmetric edge case at create time is
+	// strictly better than discovering it later.
+	if strings.ContainsRune(in.TableName, '/') {
+		return errors.New("table_name must not contain '/'")
+	}
 	if err := validateAttribute(in.PartitionKey, "partition_key"); err != nil {
 		return err
 	}
diff --git a/internal/admin/dynamo_handler_test.go b/internal/admin/dynamo_handler_test.go
@@ -93,7 +93,6 @@ func (s *stubTablesSource) AdminDeleteTable(_ context.Context, principal AuthPri
 	return nil
 }
 
-
 func newDynamoHandlerForTest(src TablesSource) *DynamoHandler {
 	return NewDynamoHandler(src)
 }
@@ -440,6 +439,8 @@ func TestDynamoHandler_CreateTable_RejectsBadJSON(t *testing.T) {
 		`{"table_name":"u","partition_key":{"name":"id","type":"S"},"unknown_field":1}`,                 // strict decode
 		`{"table_name":"u","partition_key":{"name":"id","type":"S"}}{"second":"object"}`,                // trailing JSON
 		`{"table_name":"u","partition_key":{"name":"id","type":"S"}} 42`,                                // trailing scalar
+		`{"table_name":"foo/bar","partition_key":{"name":"id","type":"S"}}`,                             // slash in name
+		`{"table_name":"a/b/c","partition_key":{"name":"id","type":"S"}}`,                               // multiple slashes
 	}
 	for _, body := range cases {
 		t.Run(body, func(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,6 @@ func (s *stubTablesSource) AdminDeleteTable(_ context.Context, principal AuthPri`
`93`	`93`	`return nil`
`94`	`94`	`}`
`95`	`95`
`96`		`-`
`97`	`96`	`func newDynamoHandlerForTest(src TablesSource) *DynamoHandler {`
`98`	`97`	`return NewDynamoHandler(src)`
`99`	`98`	`}`
`@@ -440,6 +439,8 @@ func TestDynamoHandler_CreateTable_RejectsBadJSON(t *testing.T) {`
`440`	`439`	`{"table_name":"u","partition_key":{"name":"id","type":"S"},"unknown_field":1}`, // strict decode
`441`	`440`	`{"table_name":"u","partition_key":{"name":"id","type":"S"}}{"second":"object"}`, // trailing JSON
`442`	`441`	`{"table_name":"u","partition_key":{"name":"id","type":"S"}} 42`, // trailing scalar
	`442`	+ `{"table_name":"foo/bar","partition_key":{"name":"id","type":"S"}}`, // slash in name
	`443`	+ `{"table_name":"a/b/c","partition_key":{"name":"id","type":"S"}}`, // multiple slashes
`443`	`444`	`}`
`444`	`445`	`for _, body := range cases {`
`445`	`446`	`t.Run(body, func(t *testing.T) {`