fix(dns): validate nameserver addresses are valid IP addresses

cluster2600 · cluster2600 · commit fc269d0e1922 · 2026-03-05T09:11:49.000+01:00
Resolves #467. Previously, any arbitrary string could be passed as a nameserver in DNS configuration, which would silently result in an invalid /etc/resolv.conf inside the container. This change adds a DNS.validate() method that ensures every nameserver string is a valid IPv4 or IPv6 address (using the existing ContainerizationExtras parsers). The method is called from Vminitd.configureDNS() before applying the configuration. Tests added to DNSTests.swift covering valid IPv4, IPv6, mixed, empty nameserver lists, and invalid hostname/address rejection. Signed-off-by: Maxime Grenu <maxime.grenu@gmail.com>
diff --git a/Sources/Containerization/DNSConfiguration.swift b/Sources/Containerization/DNSConfiguration.swift
@@ -14,6 +14,8 @@
 // limitations under the License.
 //===----------------------------------------------------------------------===//
 
+import ContainerizationExtras
+
 /// DNS configuration for a container. The values will be used to
 /// construct /etc/resolv.conf for a given container.
 public struct DNS: Sendable {
@@ -41,6 +43,26 @@ public struct DNS: Sendable {
         self.searchDomains = searchDomains
         self.options = options
     }
+
+    /// Validates the DNS configuration.
+    ///
+    /// Ensures that all nameserver entries are valid IPv4 or IPv6 addresses.
+    /// Arbitrary hostnames are not permitted as nameservers.
+    ///
+    /// - Throws: ``ContainerizationError`` with code `.invalidArgument` if
+    ///   any nameserver is not a valid IP address.
+    public func validate() throws {
+        for nameserver in nameservers {
+            let isValidIPv4 = (try? IPv4Address(nameserver)) != nil
+            let isValidIPv6 = (try? IPv6Address(nameserver)) != nil
+            if !isValidIPv4 && !isValidIPv6 {
+                throw ContainerizationError(
+                    .invalidArgument,
+                    message: "nameserver '\(nameserver)' is not a valid IPv4 or IPv6 address"
+                )
+            }
+        }
+    }
 }
 
 extension DNS {
diff --git a/Sources/Containerization/Vminitd.swift b/Sources/Containerization/Vminitd.swift
@@ -408,6 +408,7 @@ extension Vminitd {
 
     /// Configure DNS within the sandbox's environment.
     public func configureDNS(config: DNS, location: String) async throws {
+        try config.validate()
         _ = try await client.configureDns(
             .with {
                 $0.location = location
diff --git a/Tests/ContainerizationTests/DNSTests.swift b/Tests/ContainerizationTests/DNSTests.swift
@@ -51,4 +51,34 @@ struct DNSTests {
         let expected = "nameserver 8.8.8.8\n"
         #expect(dns.resolvConf == expected)
     }
+
+    @Test func dnsValidateAcceptsValidIPv4Nameservers() throws {
+        let dns = DNS(nameservers: ["8.8.8.8", "1.1.1.1"])
+        #expect(throws: Never.self) { try dns.validate() }
+    }
+
+    @Test func dnsValidateAcceptsValidIPv6Nameservers() throws {
+        let dns = DNS(nameservers: ["2001:4860:4860::8888", "::1"])
+        #expect(throws: Never.self) { try dns.validate() }
+    }
+
+    @Test func dnsValidateAcceptsMixedIPv4AndIPv6Nameservers() throws {
+        let dns = DNS(nameservers: ["8.8.8.8", "2001:4860:4860::8844"])
+        #expect(throws: Never.self) { try dns.validate() }
+    }
+
+    @Test func dnsValidateAcceptsEmptyNameservers() throws {
+        let dns = DNS(nameservers: [])
+        #expect(throws: Never.self) { try dns.validate() }
+    }
+
+    @Test func dnsValidateRejectsHostname() {
+        let dns = DNS(nameservers: ["dns.example.com"])
+        #expect(throws: (any Error).self) { try dns.validate() }
+    }
+
+    @Test func dnsValidateRejectsInvalidAddress() {
+        let dns = DNS(nameservers: ["not-an-ip"])
+        #expect(throws: (any Error).self) { try dns.validate() }
+    }
 }
