Merge pull request #815 from smallstep/herman/fix-empty-dns-init

Add check for empty DNS value in ca init
2025-08-09 03:22:43 +03:00 · 2023-01-11 20:38:34 +01:00
parent 7babb90e53 226d80d9df
commit 37ace5e3a2
2 changed files with 35 additions and 1 deletions
--- a/command/ca/init.go
+++ b/command/ca/init.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/x509"
+	stderrors "errors"
 	"fmt"
 	"io"
 	"net"
@@ -823,8 +824,11 @@ func processDNSValue(dnsValue string) ([]string, error) {
 	)
 	dnsValue = strings.ReplaceAll(dnsValue, " ", ",")
 	parts := strings.Split(dnsValue, ",")
+	if allEmpty(parts) {
+		return nil, stderrors.New("dns must not be empty")
+	}
 	for _, name := range parts {
-		if name == "" {
+		if name == "" { // skip empty name
 			continue
 		}
 		if err := dnsValidator(name); err != nil {
@@ -845,3 +849,14 @@ func normalize(name string) string {
 	}
 	return name
 }
+
+// allEmpty loops through all strings in the slice and returns if
+// all are empty (length 0).
+func allEmpty(parts []string) bool {
+	for _, p := range parts {
+		if p != "" {
+			return false
+		}
+	}
+	return true
+}
--- a/command/ca/init_test.go
+++ b/command/ca/init_test.go
@@ -14,6 +14,19 @@ func Test_processDNSValue(t *testing.T) {
 		want     []string
 		wantErr  bool
 	}{
+
+		{
+			name:     "fail/empty",
+			dnsValue: "",
+			want:     nil,
+			wantErr:  true,
+		},
+		{
+			name:     "fail/empty-multiple",
+			dnsValue: ",,",
+			want:     nil,
+			wantErr:  true,
+		},
 		{
 			name:     "fail/dns",
 			dnsValue: "ca.smallstep.com:8443",
@@ -44,6 +57,12 @@ func Test_processDNSValue(t *testing.T) {
 			want:     []string{"ca.smallstep.com", "ca.localhost"},
 			wantErr:  false,
 		},
+		{
+			name:     "ok/multi-dns-with-skip",
+			dnsValue: "ca.smallstep.com,ca.localhost,,test.localhost",
+			want:     []string{"ca.smallstep.com", "ca.localhost", "test.localhost"},
+			wantErr:  false,
+		},
 		{
 			name:     "ok/multi-space-dns",
 			dnsValue: "ca.smallstep.com ca.localhost",