[wrangler] Add hostname validation for VPC services

Author: Ricardo Antunes

packages/wrangler/src/__tests__/vpc.test.ts

@@ -3,6 +3,8 @@ import { http, HttpResponse } from "msw";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 /* eslint-enable workers-sdk/no-vitest-import-expect */
 import { ServiceType } from "../vpc/index";
+import { validateHostname, validateRequest } from "../vpc/validation";
+import type { ServiceArgs } from "../vpc/validation";
 import { endEventLoop } from "./helpers/end-event-loop";
 import { mockAccountId, mockApiToken } from "./helpers/mock-account-id";
 import { mockConsoleMethods } from "./helpers/mock-console";
@@ -325,6 +327,150 @@ describe("vpc service commands", () => {
 	});
 });
 
+describe("hostname validation", () => {
+	it("should accept valid hostnames", ({ expect }) => {
+		expect(() => validateHostname("api.example.com")).not.toThrow();
+		expect(() => validateHostname("localhost")).not.toThrow();
+		expect(() => validateHostname("my-service.internal.local")).not.toThrow();
+		expect(() => validateHostname("sub.domain.example.co.uk")).not.toThrow();
+	});
+
+	it("should reject empty hostname", ({ expect }) => {
+		expect(() => validateHostname("")).toThrow("Hostname cannot be empty.");
+		expect(() => validateHostname("   ")).toThrow("Hostname cannot be empty.");
+	});
+
+	it("should reject hostname exceeding 253 characters", ({ expect }) => {
+		const longHostname = "a".repeat(254);
+		expect(() => validateHostname(longHostname)).toThrow(
+			"Hostname is too long. Maximum length is 253 characters."
+		);
+	});
+
+	it("should accept hostname at exactly 253 characters", ({ expect }) => {
+		const label = "a".repeat(63);
+		const hostname = `${label}.${label}.${label}.${label.slice(0, 61)}`;
+		expect(hostname.length).toBe(253);
+		expect(() => validateHostname(hostname)).not.toThrow();
+	});
+
+	it("should reject hostname with URL scheme", ({ expect }) => {
+		expect(() => validateHostname("https://example.com")).toThrow(
+			"Hostname must not include a URL scheme"
+		);
+		expect(() => validateHostname("http://example.com")).toThrow(
+			"Hostname must not include a URL scheme"
+		);
+	});
+
+	it("should reject hostname with path", ({ expect }) => {
+		expect(() => validateHostname("example.com/path")).toThrow(
+			"Hostname must not include a path"
+		);
+	});
+
+	it("should reject bare IPv4 address", ({ expect }) => {
+		expect(() => validateHostname("192.168.1.1")).toThrow(
+			"Hostname must not be an IP address. Use --ipv4 or --ipv6 instead."
+		);
+		expect(() => validateHostname("10.0.0.1")).toThrow(
+			"Hostname must not be an IP address"
+		);
+	});
+
+	it("should reject bare IPv6 address", ({ expect }) => {
+		expect(() => validateHostname("::1")).toThrow(
+			"Hostname must not be an IP address"
+		);
+		expect(() => validateHostname("2001:db8::1")).toThrow(
+			"Hostname must not be an IP address"
+		);
+		expect(() => validateHostname("[::1]")).toThrow(
+			"Hostname must not be an IP address"
+		);
+	});
+
+	it("should reject hostname with port", ({ expect }) => {
+		expect(() => validateHostname("example.com:8080")).toThrow(
+			"Hostname must not include a port number"
+		);
+	});
+
+	it("should reject hostname with whitespace", ({ expect }) => {
+		expect(() => validateHostname("bad host.com")).toThrow(
+			"Hostname must not contain whitespace"
+		);
+	});
+
+	it("should accept hostnames with underscores", ({ expect }) => {
+		expect(() => validateHostname("_dmarc.example.com")).not.toThrow();
+		expect(() => validateHostname("my_service.internal")).not.toThrow();
+	});
+
+	it("should reject invalid hostname via wrangler service create", async () => {
+		await expect(() =>
+			runWrangler(
+				"vpc service create test-bad-hostname --type http --hostname https://example.com --tunnel-id 550e8400-e29b-41d4-a716-446655440000"
+			)
+		).rejects.toThrow("Hostname must not include a URL scheme");
+	});
+
+	it("should reject IP address as hostname via wrangler service create", async () => {
+		await expect(() =>
+			runWrangler(
+				"vpc service create test-ip-hostname --type http --hostname 192.168.1.1 --tunnel-id 550e8400-e29b-41d4-a716-446655440000"
+			)
+		).rejects.toThrow("Hostname must not be an IP address");
+	});
+});
+
+describe("IP address validation", () => {
+	const baseArgs: ServiceArgs = {
+		name: "test",
+		type: ServiceType.Http,
+		tunnelId: "550e8400-e29b-41d4-a716-446655440000",
+	};
+
+	it("should accept valid IPv4 addresses", ({ expect }) => {
+		expect(() =>
+			validateRequest({ ...baseArgs, ipv4: "192.168.1.1" })
+		).not.toThrow();
+		expect(() =>
+			validateRequest({ ...baseArgs, ipv4: "10.0.0.1" })
+		).not.toThrow();
+	});
+
+	it("should reject invalid IPv4 addresses", ({ expect }) => {
+		expect(() =>
+			validateRequest({ ...baseArgs, ipv4: "not-an-ip" })
+		).toThrow("Invalid IPv4 address");
+		expect(() =>
+			validateRequest({ ...baseArgs, ipv4: "999.999.999.999" })
+		).toThrow("Invalid IPv4 address");
+		expect(() =>
+			validateRequest({ ...baseArgs, ipv4: "example.com" })
+		).toThrow("Invalid IPv4 address");
+	});
+
+	it("should accept valid IPv6 addresses", ({ expect }) => {
+		expect(() =>
+			validateRequest({ ...baseArgs, ipv6: "::1" })
+		).not.toThrow();
+		expect(() =>
+			validateRequest({ ...baseArgs, ipv6: "2001:db8::1" })
+		).not.toThrow();
+	});
+
+	it("should reject invalid IPv6 addresses", ({ expect }) => {
+		expect(() =>
+			validateRequest({ ...baseArgs, ipv6: "not-an-ip" })
+		).toThrow("Invalid IPv6 address");
+		expect(() =>
+			validateRequest({ ...baseArgs, ipv6: "192.168.1.1" })
+		).toThrow("Invalid IPv6 address");
+	});
+});
+
 const mockService: ConnectivityService = {
 	service_id: "service-uuid",
 	type: ServiceType.Http,

packages/wrangler/src/vpc/validation.ts

@@ -1,3 +1,4 @@
+import net from "node:net";
 import { UserError } from "@cloudflare/workers-utils";
 import { ServiceType } from "./index";
 import type { ConnectivityServiceRequest, ServiceHost } from "./index";
@@ -14,6 +15,50 @@ export interface ServiceArgs {
 	resolverIps?: string;
 }
 
+export function validateHostname(hostname: string): void {
+	const trimmed = hostname.trim();
+
+	if (trimmed.length === 0) {
+		throw new UserError("Hostname cannot be empty.");
+	}
+
+	if (trimmed.length > 253) {
+		throw new UserError(
+			"Hostname is too long. Maximum length is 253 characters."
+		);
+	}
+
+	if (trimmed.includes("://")) {
+		throw new UserError(
+			"Hostname must not include a URL scheme (e.g., remove 'https://')."
+		);
+	}
+
+	if (trimmed.includes("/")) {
+		throw new UserError(
+			"Hostname must not include a path. Provide only the hostname (e.g., 'api.example.com')."
+		);
+	}
+
+	// Check for bare IP addresses using Node.js built-in validation
+	const bareValue = trimmed.replace(/^\[|\]$/g, "");
+	if (net.isIPv4(trimmed) || net.isIPv6(bareValue)) {
+		throw new UserError(
+			"Hostname must not be an IP address. Use --ipv4 or --ipv6 instead."
+		);
+	}
+
+	if (trimmed.includes(":")) {
+		throw new UserError(
+			"Hostname must not include a port number. Provide only the hostname and use --http-port or --https-port for ports."
+		);
+	}
+
+	if (/\s/.test(trimmed)) {
+		throw new UserError("Hostname must not contain whitespace.");
+	}
+}
+
 export function validateRequest(args: ServiceArgs) {
 	// Validate host configuration - must have either IP addresses or hostname, not both
 	const hasIpAddresses = Boolean(args.ipv4 || args.ipv6);
@@ -24,6 +69,22 @@ export function validateRequest(args: ServiceArgs) {
 			"Must specify either IP addresses (--ipv4/--ipv6) or hostname (--hostname)"
 		);
 	}
+
+	if (args.ipv4 && !net.isIPv4(args.ipv4)) {
+		throw new UserError(
+			`Invalid IPv4 address: '${args.ipv4}'. Provide a valid IPv4 address (e.g., '192.168.1.1').`
+		);
+	}
+
+	if (args.ipv6 && !net.isIPv6(args.ipv6)) {
+		throw new UserError(
+			`Invalid IPv6 address: '${args.ipv6}'. Provide a valid IPv6 address (e.g., '2001:db8::1').`
+		);
+	}
+
+	if (hasHostname && args.hostname) {
+		validateHostname(args.hostname);
+	}
 }
 
 export function buildRequest(args: ServiceArgs): ConnectivityServiceRequest {