fix: validate HEROKU_HOST for container registry commands #3704

Merged
michaelmalave merged 5 commits into main from mm/fix/validate-heroku-host-in-container-commands on May 13, 2026
Contributor

@michaelmalave michaelmalave commented May 12, 2026

Summary

This branch hardens container command registry host resolution by switching from raw HEROKU_HOST usage to validated host configuration, preventing invalid domains from being used in registry calls. It also adds regression coverage to ensure invalid host input falls back safely to registry.heroku.com with a user-visible warning.

  • Replace direct process.env.HEROKU_HOST registry host construction with vars.host in container:login, container:logout, container:pull, container:push, container:release, and container:run
  • Add unit tests for container:login and container:logout verifying invalid HEROKU_HOST is rejected and fallback registry is used
  • Add unit test coverage for container:release verifying registry manifest requests still target registry.heroku.com when HEROKU_HOST is invalid

Type of Change

  • fix: Bug fix or issue (patch semver update)
  • feat: Introduces a new feature to the codebase (minor semver update)
  • perf: Performance improvement
  • docs: Documentation only changes
  • tests: Adding missing tests or correcting existing tests
  • chore: Code cleanup tasks, dependency updates, or other changes

Verification

CI Passes

Additional Context

  • Breaking: none
  • Risk: low; changes are limited to registry hostname resolution and covered by unit tests

Related Issue

W-21981314

@michaelmalave michaelmalave requested a review from a team as a code owner May 12, 2026 18:08
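
The validate-then-fall-back behaviour described in the Summary, as an added example that is not the Heroku CLI's own code. The allowlist, the function names and the sample hosts are assumptions made for illustration, and `HEROKU_HOST` is treated here as a bare hostname.

```javascript
// Added illustration only; not the implementation behind vars.host.
const DEFAULT_HOST = 'heroku.com';
// Assumption: the set of domains the operator trusts.
const ALLOWED_DOMAINS = ['heroku.com'];

// One DNS label: alphanumeric ends, hyphens allowed inside, 63 chars max.
const LABEL = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
const HOSTNAME_RE = new RegExp(`^${LABEL}(\\.${LABEL})*$`);

// Returns the normalized hostname if it is an allowed domain or a
// subdomain of one, otherwise null.
function parseAllowedHost(rawHost) {
  if (typeof rawHost !== 'string' || rawHost.length === 0 || rawHost.length > 253) {
    return null;
  }
  const host = rawHost.toLowerCase();
  // Strict grammar first: rejects '@', '/', ':', whitespace and trailing
  // dots, so the value cannot carry userinfo, a path or a port.
  if (!HOSTNAME_RE.test(host)) return null;
  // Match on a label boundary. A bare endsWith('heroku.com') would also
  // accept look-alike names that merely end in the same characters.
  const allowed = ALLOWED_DOMAINS.some(
    (domain) => host === domain || host.endsWith(`.${domain}`)
  );
  return allowed ? host : null;
}

// Builds the registry host from the environment. An invalid HEROKU_HOST
// produces a warning and the default registry instead of the raw value.
function resolveRegistryHost(env, warn = console.warn) {
  const raw = env.HEROKU_HOST;
  const fallback = `registry.${DEFAULT_HOST}`;
  if (raw === undefined || raw === '') return fallback;
  const host = parseAllowedHost(raw);
  if (host === null) {
    warn(`Ignoring invalid HEROKU_HOST ${JSON.stringify(raw)}; using ${fallback}`);
    return fallback;
  }
  return `registry.${host}`;
}
```
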

jdodson commented May 13, 2026

@michaelmalave Do you think it would be useful to add regression testing for container:pull, container:push and container:run? I think so.


@jdodson jdodson left a comment

Approved w one comment.

…r:run to verify invalid HEROKU_HOST values are rejected and each command falls back to registry.heroku.com for image operations
@michaelmalave michaelmalave merged commit 04df827 into main May 13, 2026
17 checks passed
@michaelmalave michaelmalave deleted the mm/fix/validate-heroku-host-in-container-commands branch May 13, 2026 17:55