Merge branch 'cloudflare:production' into production

Author: Thienlta

.github/CODEOWNERS

@@ -120,9 +120,9 @@
 /public/realtime/ @cloudflare/pcx-technical-writing @cloudflare/calls @roerohan @ravindra-dyte
 /src/content/docs/stream/ @tsmith512 @ToriLindsay @cloudflare/pcx-technical-writing @renandincer @third774
 /src/content/release-notes/stream.yaml @tsmith512 @ToriLindsay @cloudflare/pcx-technical-writing
-/src/content/docs/workers/ @cloudflare/workers-docs @GregBrimble @irvinebroque @mikenomitch @korinne @WalshyDev @cloudflare/deploy-config @cloudflare/pcx-technical-writing @kodster28 @cloudflare/wrangler @cloudflare/workers-runtime-1 @cloudflare/wrangler
-/src/content/partials/workers/ @cloudflare/workers-docs @GregBrimble @irvinebroque @mikenomitch @WalshyDev @cloudflare/deploy-config @cloudflare/pcx-technical-writing @kodster28 @cloudflare/wrangler @cloudflare/workers-runtime-1 @cloudflare/wrangler
-/src/assets/images/workers/ @cloudflare/workers-docs @GregBrimble @irvinebroque @WalshyDev @cloudflare/deploy-config @cloudflare/pcx-technical-writing @kodster28 @cloudflare/wrangler @cloudflare/workers-runtime-1 @cloudflare/wrangler
+/src/content/docs/workers/ @cloudflare/workers-docs @GregBrimble @irvinebroque @mikenomitch @korinne @WalshyDev @cloudflare/deploy-config @cloudflare/pcx-technical-writing @kodster28 @cloudflare/wrangler @cloudflare/workers-runtime-1
+/src/content/partials/workers/ @cloudflare/workers-docs @GregBrimble @irvinebroque @mikenomitch @WalshyDev @cloudflare/deploy-config @cloudflare/pcx-technical-writing @kodster28 @cloudflare/wrangler @cloudflare/workers-runtime-1
+/src/assets/images/workers/ @cloudflare/workers-docs @GregBrimble @irvinebroque @WalshyDev @cloudflare/deploy-config @cloudflare/pcx-technical-writing @kodster28 @cloudflare/wrangler @cloudflare/workers-runtime-1
 /src/content/release-notes/workers.yaml @cloudflare/workers-docs @GregBrimble @WalshyDev @aninibread @cloudflare/deploy-config @cloudflare/pcx-technical-writing @irvinebroque @mikenomitch
 /src/content/docs/zaraz/ @ToriLindsay @kathayl @bjesus @jonnyparris @simonabadoiu @cloudflare/pcx-technical-writing
 /src/content/release-notes/zaraz.yaml @bjesus @jonnyparris @simonabadoiu @cloudflare/pcx-technical-writing

src/components/WranglerCLI.astro

@@ -0,0 +1,105 @@
+---
+import { z } from "astro:schema";
+import { PackageManagers } from "starlight-package-managers";
+import { commands, getCommand } from "~/util/wrangler";
+import WranglerArg from "./WranglerArg.astro";
+import Details from "./Details.astro";
+
+function validateArg(value: any, expected: string): boolean {
+	if (Array.isArray(expected)) {
+		for (const choice of expected) {
+			if (value === choice) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	return typeof value === expected;
+}
+
+type Props = z.input<typeof props>;
+
+const props = z.object({
+	command: z.string(),
+	positionals: z.array(z.string()).optional(),
+	flags: z.record(z.string(), z.any()).optional(),
+	showArgs: z.boolean().default(false),
+});
+
+const { command, positionals, flags, showArgs } = props.parse(Astro.props);
+
+const definition = getCommand(command);
+
+const { globalFlags } = commands;
+
+let args = [];
+
+if (flags) {
+	for (const [key, value] of Object.entries(flags)) {
+		const flagDef = definition.args?.[key];
+
+		if (!flagDef) {
+			throw new Error(
+				`[WranglerCLI] Received "${key}" for "${command}" but no such arg exists`,
+			);
+		}
+
+		const type = flagDef.type ?? flagDef.choices;
+		const valid = validateArg(value, type);
+
+		if (!valid) {
+			throw new Error(
+				`[WranglerCLI] Expected "${type}" for "${key}" but got "${typeof value}"`,
+			);
+		}
+
+		args.push(...[`--${key}`, value]);
+	}
+}
+
+if (positionals) {
+	const positionalsDef = definition.positionalArgs ?? [];
+
+	if (positionalsDef.length === 0) {
+		throw new Error(
+			`[WranglerCLI] Expected 0 positional arguments for "${command}" but received ${positionals.length}`,
+		);
+	}
+
+	args.push(...positionals);
+}
+---
+
+<PackageManagers
+	pkg="wrangler"
+	type="exec"
+	args={`${command} ${args.join(" ")}`}
+/>
+
+{
+	showArgs && definition.args && (
+		<Details header="Arguments">
+			<p>
+				<strong>Command flags</strong>
+			</p>
+			<ul>
+				{Object.entries(definition.args)
+					.filter(([_, value]) => !value.hidden)
+					.map(([key, value]) => {
+						return <WranglerArg key={key} definition={value} />;
+					})}
+			</ul>
+
+			<p>
+				<strong>Global flags</strong>
+			</p>
+			<ul>
+				{Object.entries(globalFlags).map(([key, value]) => {
+					return <WranglerArg key={key} definition={value} />;
+				})}
+			</ul>
+		</Details>
+	)
+}

src/components/WranglerCLI.astro.test.ts

@@ -0,0 +1,82 @@
+import { experimental_AstroContainer as AstroContainer } from "astro/container";
+import { expect, test, describe } from "vitest";
+import WranglerCLI from "./WranglerCLI.astro";
+
+type Options = Parameters<(typeof container)["renderToString"]>[1];
+
+const container = await AstroContainer.create();
+
+const renderWithOptions = (options?: Options) => {
+	return container.renderToString(WranglerCLI, options);
+};
+
+describe("WranglerCLI", () => {
+	test("succeeds with valid input", async () => {
+		await expect(
+			renderWithOptions({
+				props: {
+					command: "deploy",
+				},
+			}),
+		).resolves.toContain("pnpm wrangler deploy");
+	});
+
+	test("errors with no props", async () => {
+		await expect(renderWithOptions()).rejects
+			.toThrowErrorMatchingInlineSnapshot(`
+			[ZodError: [
+			  {
+			    "code": "invalid_type",
+			    "expected": "string",
+			    "received": "undefined",
+			    "path": [
+			      "command"
+			    ],
+			    "message": "Required"
+			  }
+			]]
+		`);
+	});
+
+	test("errors with non-existent command", async () => {
+		await expect(
+			renderWithOptions({
+				props: {
+					command: "not-a-valid-command",
+				},
+			}),
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: [wrangler.ts] Command "not-a-valid-command" not found]`,
+		);
+	});
+
+	test("errors with bad flags for 'deploy'", async () => {
+		await expect(
+			renderWithOptions({
+				props: {
+					command: "deploy",
+					flags: {
+						foo: "bar",
+					},
+				},
+			}),
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: [WranglerCLI] Received "foo" for "deploy" but no such arg exists]`,
+		);
+	});
+
+	test("errors with bad value for 'container-rollout' flag", async () => {
+		await expect(
+			renderWithOptions({
+				props: {
+					command: "deploy",
+					flags: {
+						"containers-rollout": "not-a-valid-option",
+					},
+				},
+			}),
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: [WranglerCLI] Expected "immediate,gradual" for "containers-rollout" but got "string"]`,
+		);
+	});
+});

src/components/WranglerCommand.astro

@@ -1,32 +1,11 @@
 ---
 import { z } from "astro:schema";
-import { experimental_getWranglerCommands } from "wrangler";
 import AnchorHeading from "./AnchorHeading.astro";
 import { PackageManagers } from "starlight-package-managers";
 import WranglerArg from "./WranglerArg.astro";
 import Details from "./Details.astro";
 import { marked } from "marked";
-
-function getCommand(path: string) {
-	const segments = path.trim().split(/\s+/);
-
-	const { registry } = experimental_getWranglerCommands();
-
-	let node = registry.subtree;
-	for (const segment of segments) {
-		const next = node.get(segment);
-
-		if (!next) break;
-
-		if (next.subtree.size === 0 && next.definition?.type === "command") {
-			return next.definition;
-		}
-
-		node = next.subtree;
-	}
-
-	throw new Error(`[WranglerCommand] Command "${path}" not found`);
-}
+import { commands, getCommand } from "~/util/wrangler";
 
 const props = z.object({
 	command: z.string(),
@@ -44,7 +23,7 @@ if (!definition.args) {
 	throw new Error(`[WranglerCommand] "${command}" has no arguments`);
 }
 
-const { globalFlags } = experimental_getWranglerCommands();
+const { globalFlags } = commands;
 
 const positionals = definition.positionalArgs
 	?.map((p) => `[${p.toUpperCase()}]`)

src/components/index.ts

@@ -58,6 +58,7 @@ export { default as TagsUsage } from "./TagsUsage.astro";
 export { default as TunnelCalculator } from "./TunnelCalculator.astro";
 export { default as Type } from "./Type.astro";
 export { default as TypeScriptExample } from "./TypeScriptExample.astro";
+export { default as WranglerCLI } from "./WranglerCLI.astro";
 export { default as WranglerCommand } from "./WranglerCommand.astro";
 export { default as WranglerNamespace } from "./WranglerNamespace.astro";
 export { default as WranglerConfig } from "./WranglerConfig.astro";

src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx

@@ -0,0 +1,16 @@
+---
+title: DNS filtering for private network onramps
+description: Magic WAN and WARP Connector traffic can now privately route DNS queries to the Gateway resolver without public Internet exposure.
+products:
+  - gateway
+  - magic-wan
+  - cloudflare-tunnel
+date: "2025-09-11"
+---
+
+[Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/#dns-filtering) and [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/site-to-internet/#configure-dns-resolver-on-devices) users can now securely route their DNS traffic to the Gateway resolver without exposing traffic to the public Internet.
+
+Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including [Internal DNS](/cloudflare-one/policies/gateway/resolver-policies/#internal-dns) and [hostname-based policies](/cloudflare-one/policies/gateway/egress-policies/#selector-prerequisites).
+
+To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, `172.64.36.1` and `172.64.36.2`. Once you configure DNS resolution and filtering, you can use _Source Internal IP_ as a traffic selector in your [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) for routing private DNS traffic to your [Internal DNS](/dns/internal-dns/).
+

src/content/changelog/waf/2025-09-15-waf-release.mdx

@@ -0,0 +1,74 @@
+---
+title: "WAF Release - 2025-09-15"
+description: Cloudflare WAF managed rulesets 2025-09-15 release
+date: 2025-09-15
+---
+
+import { RuleID } from "~/components";
+
+**This week's update**
+
+This week’s focus highlights newly disclosed vulnerabilities in DevOps tooling, data visualization platforms, and enterprise CMS solutions. These issues include sensitive information disclosure and remote code execution, putting organizations at risk of credential leakage, unauthorized access, and full system compromise.
+
+**Key Findings**
+
+* Argo CD (CVE-2025-55190): Exposure of sensitive information could allow attackers to access credential data stored in configurations, potentially leading to compromise of Kubernetes workloads and secrets.Next.js (CVE-2025-57822): Improper handling of redirects in custom middleware can lead to server-side request forgery (SSRF) when user-supplied headers are forwarded. Attackers could exploit this to access internal services or cloud metadata endpoints. The issue has been resolved in versions 14.2.32 and 15.4.7. Developers using custom middleware should upgrade and verify proper redirect handling in `next()` calls.
+
+* DataEase (CVE-2025-57773): Insufficient input validation enables JNDI injection and insecure deserialization, resulting in remote code execution (RCE). Successful exploitation grants attackers control over the application server.
+
+* Sitecore (CVE-2025-53694): A sensitive information disclosure flaw allows unauthorized access to confidential information stored in Sitecore deployments, raising the risk of data breaches and privilege escalation.
+
+**Impact**
+
+These vulnerabilities expose organizations to serious risks, including credential theft, unauthorized access, and full system compromise. Argo CD’s flaw may expose Kubernetes secrets, DataEase exploitation could give attackers remote execution capabilities, and Sitecore’s disclosure issue increases the likelihood of sensitive data leakage and business impact.
+
+Administrators are strongly advised to apply vendor patches immediately, rotate exposed credentials, and review access controls to mitigate these risks.
+
+<table style="width: 100%">
+  <thead>
+    <tr>
+      <th>Ruleset</th>
+      <th>Rule ID</th>
+      <th>Legacy Rule ID</th>
+      <th>Description</th>
+      <th>Previous Action</th>
+      <th>New Action</th>
+      <th>Comments</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="199cce9ab21e40bcb535f01b2ee2085f" />
+      </td>
+      <td>100646</td>
+      <td>Argo CD - Information Disclosure - CVE:CVE-2025-55190s</td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="e513bb21b6a44f9cbfcd2462f5e20788" />
+      </td>
+      <td>100874</td>
+      <td>DataEase - JNDI injection - CVE:CVE-2025-57773</td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="be097f5a71a04f27aa87b60d005a12fd" />
+      </td>
+      <td>100880</td>
+      <td>Sitecore - Information Disclosure - CVE:CVE-2025-53694</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+  </tbody>
+</table>