fix(validation): reject reserved FQN characters in entity and column names

[jaya6400]

Describe your changes:

Fixes #23268

I updated the regex patterns in JSON schema definitions to block reserved
FQN separator characters (::, >, ") and newlines (\n) from being
used in entity and column names.

The backend was accepting entity names with special characters like double
quotes and newlines, which caused issues in FQN construction since these
are reserved separator characters in OpenMetadata's FQN system.

Changes made:

• openmetadata-spec/src/main/resources/json/schema/type/basic.json — updated pattern for entityName and testCaseEntityName
• openmetadata-spec/src/main/resources/json/schema/entity/data/table.json — updated pattern for columnName

Pattern changed from ^((?!::).)*$ to ^((?!::)[^><\"|\\x00-\\x1f])*$

Unit Test: #27521 (comment)

Type of change:

• Bug fix

Checklist:

• I have read the CONTRIBUTING document.
• My PR title is Fixes #23268: <short explanation>
• I have commented on my code, particularly in hard-to-understand areas.
• For JSON Schema changes: I updated the migration scripts or explained why it is not needed.

Migration scripts are not needed for this change as it only tightens input validation at the schema level. Existing data is not affected — only new entity creation requests will be validated against the updated pattern.

---

Summary by Gitar

• Testing and Infrastructure:
  • Added PipelineValidation.spec.ts to verify entity name restriction behavior via Playwright E2E tests.
  • Enhanced TestSuiteBootstrap.java to enforce UTC timezone and improve robustness of projectRoot path resolution.
• Test Improvements:
  • Added integration test cases in PipelineResourceIT.java to assert 400 errors when creating pipelines with invalid task names.
  • Expanded regex.constants.test.ts to cover additional reserved symbols and control characters.
• Schema Enhancements:
  • Extended regex validation to pipeline.json task names and schema.json field names to ensure consistency across entity definitions.

_{This will update automatically on new commits.}

[github-actions]

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

[github-actions]

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

[github-actions]

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

[jaya6400]

Local pattern validation test:
Tested the updated regex ^((?!::)[^>"\x00-\x1f])*$ against the exact payload from the issue and other edge cases.

Bash command used: test-regex.txt
All reserved FQN characters and control characters are correctly rejected. Valid entity names pass through without issue.

Full CI will run once safe to test label is applied.

[jaya6400]

@shah-harshit @ShaileshParmar11 @harshach @shrabantipaul-collate @pmbrull requesting to add safe to test label for further workflow tests to proceed. @ayush-shah

[jaya6400]

The CI failures appear to be infrastructure-related (timeout during test environment setup), unrelated to the schema change. Could a maintainer please re-run the failed checks?
Also, as a first-time contributor to this repo, I'm not sure whether SonarQube analysis is triggered automatically or needs to be initiated by a maintainer - would appreciate any guidance on that.
Happy to make any code changes if needed. Thanks!

@pmbrull @ulixius9 @aniketkatkar97

[aniketkatkar97]

Hi @jaya6400, Thanks for your contribution. I see that you have modified the regex pattern in a common place and in table.json to cover columns. Similar to this, we have many other asset children like tasks for pipelines, schema fields for topics, etc. Can you please verify if those are covered as well?
Also, can you please add integration and e2e tests for the same?

[Copilot]

Pull request overview

This PR tightens OpenMetadata JSON Schema validation to prevent reserved characters and control characters from being used in entity names and table column names, addressing FQN construction/parsing issues reported in #23268.

Changes:

• Updated entityName and testCaseEntityName regex patterns in basic.json.
• Updated columnName regex pattern in table.json to reject reserved characters/control chars.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
openmetadata-spec/src/main/resources/json/schema/type/basic.json	Tightens entity name regex to block reserved FQN/entity-link breaking characters.
openmetadata-spec/src/main/resources/json/schema/entity/data/table.json	Tightens column name regex to block reserved FQN/entity-link breaking characters.

[github-actions]

🔴 Playwright Results — 58 failure(s), 7 flaky

✅ 3482 passed · ❌ 58 failed · 🟡 7 flaky · ⏭️ 539 skipped

Shard	Passed	Failed	Flaky	Skipped
🔴 Shard 1	297	2	0	4
🔴 Shard 2	731	15	2	14
🔴 Shard 3	677	15	1	60
🔴 Shard 4	368	19	0	406
🟡 Shard 5	686	0	1	41
🔴 Shard 6	723	7	3	14

Genuine Failures (failed on all attempts)

❌ Features/Pagination.spec.ts › should test pagination on Table version page columns (shard 1)

�[31mTest timeout of 60000ms exceeded.�[39m

❌ Features/Pagination.spec.ts › should test search on Table version page columns (shard 1)

�[31mTest timeout of 60000ms exceeded.�[39m

❌ Features/AdvancedSearch.spec.ts › Verify All conditions for Chart field (shard 2)

Error: �[2mexpect(�[22m�[31mreceived�[39m�[2m).�[22mnot�[2m.�[22mtoContain�[2m(�[22m�[32mexpected�[39m�[2m) // indexOf�[22m

Expected substring: not �[32m"PW Chart 9b5b9887"�[39m
Received string:        �[31m"[{\"_id\":\"22596c3a-e4ef-4669-9937-ab3fd6aa844b\",\"_index\":\"openmetadata_api_collection_search_index_rebuild_1777538854082\",\"sort\":[0],\"_source\":{\"serviceType\":\"Rest\",\"displayName\":\"pw-api-collection-d9de18e5\",\"description\":\"Description for pw-api-collection-d9de18e5\",\"owners\":[],\"tierSources\":{},\"fqnHash\":\"c840b8ba1749bf3346971e98ec597b06.8973e21f17e41e92a01363cd2fbe9ac5\",\"glossaryTags\":[],\"descriptionStatus\":\"COMPLETE\",\"ownerName\":[],\"ownerDisplayName\":[],\"totalVotes\":0,\"classificationTags\":[],\"id\":\"22596c3a-e4ef-4669-9937-ab3fd6aa844b\",\"updatedAt\":1777539032641,\"customPropertiesTyped\":[],\"descriptionSources\":{\"Ingested\":1},\"updatedBy\":\"admin\",\"entityType\":\"apiCollection\",\"domains\":[],\"fullyQualifiedName\":\"pw-ap

❌ Features/BulkEditEntity.spec.ts › Database service (shard 2)

Error: �[2mexpect(�[22m�[31mlocator�[39m�[2m).�[22mtoContainText�[2m(�[22m�[32mexpected�[39m�[2m)�[22m failed

Locator: locator('#name_help')
Expected substring: �[32m"Name must not contain '::'."�[39m
Timeout: 15000ms
Error: element(s) not found

Call log:
�[2m  - Expect "toContainText" with timeout 15000ms�[22m
�[2m  - waiting for locator('#name_help')�[22m

❌ Features/BulkEditEntity.spec.ts › Database (shard 2)

Error: �[2mexpect(�[22m�[31mlocator�[39m�[2m).�[22mtoContainText�[2m(�[22m�[32mexpected�[39m�[2m)�[22m failed

Locator: locator('#name_help')
Expected substring: �[32m"Name must not contain '::'."�[39m
Timeout: 15000ms
Error: element(s) not found

Call log:
�[2m  - Expect "toContainText" with timeout 15000ms�[22m
�[2m  - waiting for locator('#name_help')�[22m

❌ Features/BulkEditEntity.spec.ts › Database Schema (shard 2)

Error: �[2mexpect(�[22m�[31mlocator�[39m�[2m).�[22mtoContainText�[2m(�[22m�[32mexpected�[39m�[2m)�[22m failed

Locator: locator('#name_help')
Expected substring: �[32m"Name must not contain '::'."�[39m
Timeout: 15000ms
Error: element(s) not found

Call log:
�[2m  - Expect "toContainText" with timeout 15000ms�[22m
�[2m  - waiting for locator('#name_help')�[22m

❌ Features/BulkEditEntity.spec.ts › Glossary (shard 2)

Error: �[2mexpect(�[22m�[31mlocator�[39m�[2m).�[22mtoContainText�[2m(�[22m�[32mexpected�[39m�[2m)�[22m failed

Locator: locator('#name_help')
Expected substring: �[32m"Name must not contain '::'."�[39m
Timeout: 15000ms
Error: element(s) not found

Call log:
�[2m  - Expect "toContainText" with timeout 15000ms�[22m
�[2m  - waiting for locator('#name_help')�[22m

❌ Features/BulkEditEntity.spec.ts › Glossary Term (Nested) (shard 2)

Error: �[2mexpect(�[22m�[31mlocator�[39m�[2m).�[22mtoContainText�[2m(�[22m�[32mexpected�[39m�[2m)�[22m failed

Locator: locator('#name_help')
Expected substring: �[32m"Name must not contain '::'."�[39m
Timeout: 15000ms
Error: element(s) not found

Call log:
�[2m  - Expect "toContainText" with timeout 15000ms�[22m
�[2m  - waiting for locator('#name_help')�[22m

❌ Features/BulkImport.spec.ts › Database service (shard 2)

Error: �[2mexpect(�[22m�[31mlocator�[39m�[2m).�[22mtoContainText�[2m(�[22m�[32mexpected�[39m�[2m)�[22m failed

Locator: locator('#name_help')
Expected substring: �[32m"Name must not contain '::'."�[39m
Timeout: 15000ms
Error: element(s) not found

Call log:
�[2m  - Expect "toContainText" with timeout 15000ms�[22m
�[2m  - waiting for locator('#name_help')�[22m

❌ Features/BulkImport.spec.ts › Database (shard 2)

Error: �[2mexpect(�[22m�[31mlocator�[39m�[2m).�[22mtoContainText�[2m(�[22m�[32mexpected�[39m�[2m)�[22m failed

Locator: locator('#name_help')
Expected substring: �[32m"Name must not contain '::'."�[39m
Timeout: 15000ms
Error: element(s) not found

Call log:
�[2m  - Expect "toContainText" with timeout 15000ms�[22m
�[2m  - waiting for locator('#name_help')�[22m

❌ Features/BulkImport.spec.ts › Database Schema (shard 2)

Error: �[2mexpect(�[22m�[31mlocator�[39m�[2m).�[22mtoContainText�[2m(�[22m�[32mexpected�[39m�[2m)�[22m failed

Locator: locator('#name_help')
Expected substring: �[32m"Name must not contain '::'."�[39m
Timeout: 15000ms
Error: element(s) not found

Call log:
�[2m  - Expect "toContainText" with timeout 15000ms�[22m
�[2m  - waiting for locator('#name_help')�[22m

❌ Features/ColumnSorting.spec.ts › Sort dropdown should be visible on table schema tab (shard 2)

�[31mTest timeout of 60000ms exceeded while running "beforeEach" hook.�[39m

❌ Features/CustomMetric.spec.ts › Table custom metric (shard 2)

Error: �[2mexpect(�[22m�[31mlocator�[39m�[2m).�[22mtoHaveText�[2m(�[22m�[32mexpected�[39m�[2m)�[22m failed

Locator: locator('#name_help')
Expected: �[32m"Name must contain only letters, numbers, underscores, hyphens, periods, parenthesis, and ampersands."�[39m
Timeout: 15000ms
Error: element(s) not found

Call log:
�[2m  - Expect "toHaveText" with timeout 15000ms�[22m
�[2m  - waiting for locator('#name_help')�[22m
�[2m    2 × locator resolved to <div role="alert" id="name_help" class="ant-form-item-explain ant-form-item-explain-connected">…</div>�[22m
�[2m      - unexpected value "Name size must be between 1 and 128"�[22m
�[2m    - locator resolved to <div role="alert" id="name_help" class="ant-form-item-explain ant-show-help-leave ant-show-help-leave-active ant-show-help ant-form-item-explain-connected">…</div>�[22m
�[2m    - unexpected value "Name size must be between 1 and 128"�[22m

❌ Features/CustomMetric.spec.ts › Column custom metric (shard 2)

Error: �[2mexpect(�[22m�[31mlocator�[39m�[2m).�[22mtoHaveText�[2m(�[22m�[32mexpected�[39m�[2m)�[22m failed

Locator: locator('#name_help')
Expected: �[32m"Name must contain only letters, numbers, underscores, hyphens, periods, parenthesis, and ampersands."�[39m
Timeout: 15000ms
Error: element(s) not found

Call log:
�[2m  - Expect "toHaveText" with timeout 15000ms�[22m
�[2m  - waiting for locator('#name_help')�[22m
�[2m    2 × locator resolved to <div role="alert" id="name_help" class="ant-form-item-explain ant-form-item-explain-connected">…</div>�[22m
�[2m      - unexpected value "Name size must be between 1 and 128"�[22m
�[2m    - locator resolved to <div role="alert" id="name_help" class="ant-form-item-explain ant-show-help-leave ant-show-help-leave-active ant-show-help ant-form-item-explain-connected">…</div>�[22m
�[2m    - unexpected value "Name size must be between 1 and 128"�[22m

❌ Features/Dashboards.spec.ts › expand / collapse should not appear after updating nested fields for dashboardDataModels (shard 2)

�[31mTest timeout of 60000ms exceeded.�[39m

❌ Features/DataQuality/TestCaseImportExportBasic.spec.ts › should upload and validate CSV file (shard 2)

Error: �[2mexpect(�[22m�[31mlocator�[39m�[2m).�[22mtoHaveText�[2m(�[22m�[32mexpected�[39m�[2m)�[22m failed

Locator:  getByTestId('passed-row')
Expected: �[32m"3"�[39m
Received: �[31m"0"�[39m
Timeout:  15000ms

Call log:
�[2m  - Expect "toHaveText" with timeout 15000ms�[22m
�[2m  - waiting for getByTestId('passed-row')�[22m
�[2m    18 × locator resolved to <span data-testid="passed-row" class="font-semibold passed-row">0</span>�[22m
�[2m       - unexpected value "0"�[22m

❌ Features/GlobalPageSize.spec.ts › Page size should persist across different pages (shard 2)

�[31mTest timeout of 60000ms exceeded.�[39m

❌ Features/SchemaDefinition.spec.ts › Verify schema definition (views) of table entity (shard 3)

�[31mTest timeout of 60000ms exceeded.�[39m

❌ Features/SearchExport.spec.ts › Search mode visible export downloads CSV with tab-specific row count (shard 3)

�[31mTest timeout of 180000ms exceeded.�[39m

❌ Features/SearchExport.spec.ts › Search mode visible export count matches the first result tab count (shard 3)

Error: �[2mexpect(�[22m�[31mreceived�[39m�[2m).�[22mtoBe�[2m(�[22m�[32mexpected�[39m�[2m) // Object.is equality�[22m

Expected: �[32m4�[39m
Received: �[31m0�[39m

❌ Features/SearchExport.spec.ts › Filtered search visible export downloads CSV with the filtered record count (shard 3)

�[31mTest timeout of 180000ms exceeded.�[39m

❌ Features/Table.spec.ts › should persist current page (shard 3)

�[31mTest timeout of 60000ms exceeded.�[39m

❌ Features/Table.spec.ts › should persist page size (shard 3)

�[31mTest timeout of 60000ms exceeded.�[39m

❌ Features/Table.spec.ts › expand collapse should only visible for nested columns (shard 3)

Error: �[2mexpect(�[22m�[31mlocator�[39m�[2m).�[22mtoBeVisible�[2m(�[22m�[2m)�[22m failed

Locator: locator('[data-row-key="sample_data.ecommerce_db.shopify.dim_customer.shipping_address"]').getByTestId('expand-icon')
Expected: visible
Timeout: 15000ms
Error: element(s) not found

Call log:
�[2m  - Expect "toBeVisible" with timeout 15000ms�[22m
�[2m  - waiting for locator('[data-row-key="sample_data.ecommerce_db.shopify.dim_customer.shipping_address"]').getByTestId('expand-icon')�[22m

❌ Features/Table.spec.ts › expand / collapse should not appear after updating nested fields table (shard 3)

�[31mTest timeout of 60000ms exceeded.�[39m

❌ Features/Table.spec.ts › Glossary term should be consistent for search (shard 3)

Error: �[2mexpect(�[22m�[31mreceived�[39m�[2m).�[22mtoBeGreaterThan�[2m(�[22m�[32mexpected�[39m�[2m)�[22m

Expected: > �[32m0�[39m
Received:   �[31m0�[39m

Call Log:
- Test timeout of 60000ms exceeded

❌ Features/Table.spec.ts › Tags term should be consistent for search (shard 3)

�[31mTest timeout of 60000ms exceeded.�[39m

❌ Flow/FrequentlyJoined.spec.ts › should display frequently joined columns (shard 3)

�[31mTest timeout of 60000ms exceeded while running "beforeEach" hook.�[39m

❌ Flow/FrequentlyJoined.spec.ts › should display frequently joined table (shard 3)

�[31mTest timeout of 60000ms exceeded while running "beforeEach" hook.�[39m

❌ Flow/GlobalSearch.spec.ts › searching for longer description should work (shard 3)

�[31mTest timeout of 60000ms exceeded.�[39m

... and 28 more failures

🟡 7 flaky test(s) (passed on retry)

• Features/ActivityAPI.spec.ts › Activity event is created when description is updated (shard 2, 1 retry)
• Features/ActivityAPI.spec.ts › Activity event is created when tags are added (shard 2, 1 retry)
• Features/RTL.spec.ts › Verify Following widget functionality (shard 3, 1 retry)
• Pages/Entity.spec.ts › User as Owner with unsorted list (shard 5, 1 retry)
• Pages/Glossary.spec.ts › Column dropdown drag-and-drop functionality for Glossary Terms table (shard 6, 1 retry)
• Pages/Lineage/LineageFilters.spec.ts › Verify lineage schema filter selection (shard 6, 1 retry)
• Pages/Lineage/LineageRightPanel.spec.ts › Verify custom properties tab IS visible for supported type: searchIndex (shard 6, 1 retry)

📦 Download artifacts

How to debug locally

# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip    # view trace

[sonarqubecloud]

Quality Gate passed for 'open-metadata-ingestion'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gitar-bot]

Code Review ✅ Approved 8 resolved / 8 findings

Enforces reserved FQN character restrictions for entity and column names, while addressing regex inconsistencies, license headers, and missing test cases. Ensure constraint and partition column names are updated to reject empty strings.

✅ 8 resolved

✅ Edge Case: Pattern does not block \r or other control characters

📄 openmetadata-spec/src/main/resources/json/schema/type/basic.json:127 📄 openmetadata-spec/src/main/resources/json/schema/type/basic.json:133 📄 openmetadata-spec/src/main/resources/json/schema/entity/data/table.json:238
The new pattern ^((?!::)[^>" ])*$ explicitly blocks (newline) but doesn't block \r (carriage return) or other control characters (e.g., , \0). A carriage return \r in an entity name could cause similar FQN construction/parsing issues as , and control characters in names are almost certainly unintentional.

Note that the original . metacharacter already excluded by default in most regex engines (including Java's without DOTALL), so the explicit in the character class is redundant but documents intent. However, \r was also excluded by . in the original pattern but is not excluded by the new [^>" ] character class — so this change actually loosens the restriction for \r.

This is because . matches everything except (and sometimes \r), but [^>" ] matches everything except >, ", and — including \r and other control characters.

✅ Bug: Inconsistent regex: columnName definition missing < and |

📄 openmetadata-spec/src/main/resources/json/schema/entity/data/table.json:278 📄 openmetadata-spec/src/main/resources/json/schema/entity/data/table.json:212
The columnName definition pattern is ^((?!::)[^>"\x00-\x1f])*$, which blocks > but not < or |. Meanwhile, the inline patterns added in this PR for partitionColumnDetails.columnName and columnConstraint.columns items use ^((?!::)[^><"|\x00-\x1f])*$, which additionally blocks < and |. The entityName and testCaseEntityName in basic.json also block < and |.

This means column names created via the main column definition can contain < and |, but the same names would be rejected in partition and constraint contexts. This inconsistency will lead to confusing validation errors where a column is successfully created but can't be used in a partition or constraint.

✅ Edge Case: Pipeline task name and schema fieldName lack minLength guard

📄 openmetadata-spec/src/main/resources/json/schema/entity/data/pipeline.json:108-112
The new pattern ^((?!::)[^><"|\x00-\x1f])*$ uses * (zero or more), so an empty string passes validation. In schema.json, the fieldName field already has minLength: 1 so it's protected, but in pipeline.json the task name field has no minLength constraint. While the field is required (so null is rejected), an empty string "" would pass both the required check and the new pattern. Since you're already modifying this field definition, consider adding "minLength": 1 to prevent empty task names.

✅ Bug: Apache 2.0 license header URL is truncated/corrupted

📄 openmetadata-ui/src/main/resources/ui/playwright/e2e/Pages/PipelineValidation.spec.ts:5-6
The license header URL was changed from http://www.apache.org/licenses/LICENSE-2.0 to just http://apache.org, and the blank separator line (*) between the URL and the disclaimer was removed. This is not a valid Apache 2.0 license header — CI style checks that enforce the standard Apache header will likely fail, and the license notice no longer points to the actual license text.

✅ Bug: Single colon blocked but is NOT a reserved FQN character

📄 openmetadata-spec/src/main/resources/json/schema/type/basic.json:127 📄 openmetadata-spec/src/main/resources/json/schema/type/basic.json:133 📄 openmetadata-spec/src/main/resources/json/schema/entity/data/table.json:212 📄 openmetadata-spec/src/main/resources/json/schema/entity/data/table.json:239 📄 openmetadata-spec/src/main/resources/json/schema/entity/data/table.json:278 📄 openmetadata-spec/src/main/resources/json/schema/entity/data/pipeline.json:112 📄 openmetadata-spec/src/main/resources/json/schema/entity/data/searchIndex.json:100 📄 openmetadata-spec/src/main/resources/json/schema/type/schema.json:70 📄 openmetadata-ui/src/main/resources/ui/src/constants/regex.constants.ts:24
The new regex ^[^><":|\x00-\x1f]*$ blocks single : in entity/column names, but : is not a reserved FQN separator in OpenMetadata. The FQN system uses . (dot) as its sole separator, as defined in Entity.java (SEPARATOR = ".") and the ANTLR grammar Fqn.g4 (where only . is RESERVED). The original issue #23268 was about :: (double colon), >, ", and newlines — not single colons.

Blocking : will reject legitimate entity names containing colons (e.g., Kafka topics, URN-style identifiers, timestamps). This is a breaking change for any user whose existing entity names contain a single colon — new ingestion runs or entity updates would fail validation even though the data was previously accepted.

The old pattern ^((?!::)[^><"|\x00-\x1f])*$ correctly blocked only :: (double colon) while allowing single :. The new simplified pattern loses that distinction.

To fix, revert to a character-class approach that still blocks :: without blocking single ::

^(?!.*::)[^><"|\x00-\x1f]*$

Or, since the commit message says the lookahead was removed for Python/Rust compatibility, use an alternative that avoids lookaheads while preserving the single-colon allowance.

...and 3 more resolved from earlier reviews

Options

Display: compact → Showing less information.

Comment with these commands to change:

Compact

gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}

[sonarqubecloud]

Quality Gate passed for 'open-metadata-ui'

Issues
1060 New issues
0 Accepted issues

Measures
17 Security Hotspots
0.0% Coverage on New Code
3.8% Duplication on New Code

See analysis details on SonarQube Cloud