Impossible to validate host (domain name or IP)

[kachkaev]

Hi folks,

Just came across your library this morning and was quite surprised with the richness of it. Super nice!

Here's one one observation from a newbie: I've been trying to validate a host and have noticed that the combination of isFQDN and isIP does match my expectations in a couple of edge cases.

Check this out:

const validateHost = (input) => {
  if (!isFQDN(input, { require_tld: false }) && !isIP(input)) {
    throw new EnvError(`Invalid host (domain or ip): "${input}"`)
  }
}
validateHost('example.com')     // no exception, as expected
validateHost('localhost')       // no exception, as expected
validateHost('localhost.')      // exception, as expected

validateHost('192.168.0.1')     // no exception, as expected
validateHost('192.168.0')       // no exception, despite expected (isFQDN returned true!)
validateHost('192.168.0.9999')  // no exception, despite expected (isFQDN returned true!)

The function I've written is supposed to check environment variables in a microservice, so it's important to accept both domain names and IP addresses. It is also necessary to make sure there are no typos in the IP address (ideally both for ipv4 and ipv6).

How about making isFQDN a bit more strict? Or what about isHost() that would work slightly better than a combination of two validators?

[chriso]

I'd be ok with making isFQDN more strict and would be happy to accept a PR. Ideally the validator would check TLDs against a list of known values, however the addition of gTLDs mean that the list would be long and ever-growing. I'm not interested in bloating the library or keeping the list up to date.

An alternative might be to disallow numeric TLDs? I'm not aware of any numeric gTLDs, and in fact this may not be allowed by ICANN. It'd be safest to control the behavior with a new option: allow_numeric_tld

Something like this @ isFQDN.js:31 would work:

if (!options.allow_numeric_tld && i == parts.length - 1 && /^\d+$/.test(part)) {
   return false; // reject numeric TLDs
}

[mika-s]

I guess you could do a check for IP address in isFQDN and return false if it is one. Not as an option but more as a guard clause.

The proposed isHost is pretty much the same as isURL I think, when you set require_valid_protocol = false and require_tld = false.

[maikelmclauflin]

this also fails. is this expected?

validator.isURL('http://docker-continer-web')

[chriso]

@maikelmclauflin try require_tld:

> validator.isURL('http://docker-continer-web')
false
> validator.isURL('http://docker-continer-web', { require_tld: false })
true

[Jassi10000-zz]

Can someone close this issue as the PR is merged already

[kachkaev]

Closing as resolved in #1474