From eae1b4fa6cfa2e5dd0ab2abe57b356206a2b643f Mon Sep 17 00:00:00 2001
From: Gus Brodman <gbrodman@google.com>
Date: Fri, 26 Dec 2025 12:00:19 -0500
Subject: [PATCH] Add more strict hostname validation on host:check flows

We do most of these on host create already so we should also do them on
host checks. The only added change is the character validation (our
existing hostnames all match these).
---
 .../flows/domain/DomainFlowUtils.java         |   2 +-
 .../registry/flows/host/HostCheckFlow.java    |   1 +
 .../registry/flows/host/HostFlowUtils.java    |  17 +++
 .../flows/host/HostCheckFlowTest.java         |  34 ++++++
 .../flows/host/HostCreateFlowTest.java        |   4 +-
 .../flows/host/HostUpdateFlowTest.java        |   4 +-
 .../rdap/RdapNameserverActionTest.java        |   4 +-
 .../registry/flows/host/host_check_50.xml     | 100 +++++++++---------
 .../flows/host/host_check_generic.xml         |  11 ++
 9 files changed, 121 insertions(+), 56 deletions(-)
 create mode 100644 core/src/test/resources/google/registry/flows/host/host_check_generic.xml

diff --git a/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java b/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java
index 63edeb3f3d6..c945cdb4f14 100644
--- a/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java
+++ b/core/src/main/java/google/registry/flows/domain/DomainFlowUtils.java
@@ -218,7 +218,7 @@ public static InternetDomainName validateDomainName(String name) throws EppExcep
     return domainName;
   }
 
-  private static void validateFirstLabel(String firstLabel) throws EppException {
+  public static void validateFirstLabel(String firstLabel) throws EppException {
     if (firstLabel.length() > MAX_LABEL_SIZE) {
       throw new DomainLabelTooLongException();
     }
diff --git a/core/src/main/java/google/registry/flows/host/HostCheckFlow.java b/core/src/main/java/google/registry/flows/host/HostCheckFlow.java
index dc00a363b74..c11e47d5c33 100644
--- a/core/src/main/java/google/registry/flows/host/HostCheckFlow.java
+++ b/core/src/main/java/google/registry/flows/host/HostCheckFlow.java
@@ -65,6 +65,7 @@ public EppResponse run() throws EppException {
         ForeignKeyUtils.loadKeys(Host.class, hostnames, clock.nowUtc()).keySet();
     ImmutableList.Builder<HostCheck> checks = new ImmutableList.Builder<>();
     for (String hostname : hostnames) {
+      HostFlowUtils.validateHostName(hostname);
       boolean unused = !existingIds.contains(hostname);
       checks.add(HostCheck.create(unused, hostname, unused ? null : "In use"));
     }
diff --git a/core/src/main/java/google/registry/flows/host/HostFlowUtils.java b/core/src/main/java/google/registry/flows/host/HostFlowUtils.java
index 5652a9a60b1..1c1d32f8c39 100644
--- a/core/src/main/java/google/registry/flows/host/HostFlowUtils.java
+++ b/core/src/main/java/google/registry/flows/host/HostFlowUtils.java
@@ -14,12 +14,14 @@
 
 package google.registry.flows.host;
 
+import static google.registry.flows.domain.DomainFlowUtils.validateFirstLabel;
 import static google.registry.model.EppResourceUtils.isActive;
 import static google.registry.model.tld.Tlds.findTldForName;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static java.util.stream.Collectors.joining;
 
 import com.google.common.base.Ascii;
+import com.google.common.base.CharMatcher;
 import com.google.common.net.InternetDomainName;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.AuthorizationErrorException;
@@ -38,6 +40,10 @@
 /** Static utility functions for host flows. */
 public class HostFlowUtils {
 
+  /** Validator for ASCII lowercase letters, digits, and "-_", allowing "." as a separator */
+  private static final CharMatcher HOST_NAME_ALLOWED_CHARS =
+      CharMatcher.inRange('a', 'z').or(CharMatcher.inRange('0', '9').or(CharMatcher.anyOf("-._")));
+
   /** Checks that a host name is valid. */
   public static InternetDomainName validateHostName(String name) throws EppException {
     checkArgumentNotNull(name, "Must specify host name to validate");
@@ -53,6 +59,9 @@ public static InternetDomainName validateHostName(String name) throws EppExcepti
       if (!name.equals(hostNamePunyCoded)) {
         throw new HostNameNotPunyCodedException(hostNamePunyCoded);
       }
+      if (!HOST_NAME_ALLOWED_CHARS.matchesAllOf(name)) {
+        throw new BadHostNameCharacterException();
+      }
       InternetDomainName hostName = InternetDomainName.from(name);
       if (!name.equals(hostName.toString())) {
         throw new HostNameNotNormalizedException(hostName.toString());
@@ -71,6 +80,7 @@ public static InternetDomainName validateHostName(String name) throws EppExcepti
       if (hostName.parts().size() < effectiveTld.parts().size() + 2) {
         throw new HostNameTooShallowException();
       }
+      validateFirstLabel(hostName.parts().getFirst());
       return hostName;
     } catch (IllegalArgumentException e) {
       throw new InvalidHostNameException();
@@ -180,4 +190,11 @@ public HostNameNotNormalizedException(String expectedHostName) {
           String.format("Host names must be in normalized format; expected %s", expectedHostName));
     }
   }
+
+  /** Host names can only contain a-z, 0-9, '.', '_', and '-'. */
+  static class BadHostNameCharacterException extends ParameterValueSyntaxErrorException {
+    public BadHostNameCharacterException() {
+      super("Host names can only contain a-z, 0-9, '.', '_', and '-'");
+    }
+  }
 }
diff --git a/core/src/test/java/google/registry/flows/host/HostCheckFlowTest.java b/core/src/test/java/google/registry/flows/host/HostCheckFlowTest.java
index ca1d69426fe..4d8bc24d07f 100644
--- a/core/src/test/java/google/registry/flows/host/HostCheckFlowTest.java
+++ b/core/src/test/java/google/registry/flows/host/HostCheckFlowTest.java
@@ -20,7 +20,9 @@
 import static google.registry.testing.EppExceptionSubject.assertAboutEppExceptions;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
+import com.google.common.collect.ImmutableMap;
 import google.registry.flows.EppException;
+import google.registry.flows.EppException.ParameterValueSyntaxErrorException;
 import google.registry.flows.FlowUtils.NotLoggedInException;
 import google.registry.flows.ResourceCheckFlowTestCase;
 import google.registry.flows.exceptions.TooManyResourceChecksException;
@@ -95,4 +97,36 @@ void testIcannActivityReportField_getsLogged() throws Exception {
     runFlow();
     assertIcannReportingActivityFieldLogged("srs-host-check");
   }
+
+  @Test
+  void testFailure_dotHost() throws Exception {
+    setEppInput("host_check_generic.xml", ImmutableMap.of("HOSTNAME", ".host"));
+    assertAboutEppExceptions()
+        .that(assertThrows(ParameterValueSyntaxErrorException.class, this::runFlow))
+        .marshalsToXml();
+  }
+
+  @Test
+  void testFailure_dashHost() {
+    setEppInput("host_check_generic.xml", ImmutableMap.of("HOSTNAME", "-host"));
+    assertAboutEppExceptions()
+        .that(assertThrows(ParameterValueSyntaxErrorException.class, this::runFlow))
+        .marshalsToXml();
+  }
+
+  @Test
+  void testFailure_underscoreHost() {
+    setEppInput("host_check_generic.xml", ImmutableMap.of("HOSTNAME", "_host"));
+    assertAboutEppExceptions()
+        .that(assertThrows(ParameterValueSyntaxErrorException.class, this::runFlow))
+        .marshalsToXml();
+  }
+
+  @Test
+  void testFailure_hostDash() {
+    setEppInput("host_check_generic.xml", ImmutableMap.of("HOSTNAME", "host-"));
+    assertAboutEppExceptions()
+        .that(assertThrows(ParameterValueSyntaxErrorException.class, this::runFlow))
+        .marshalsToXml();
+  }
 }
diff --git a/core/src/test/java/google/registry/flows/host/HostCreateFlowTest.java b/core/src/test/java/google/registry/flows/host/HostCreateFlowTest.java
index 8297737e232..f466db2ec07 100644
--- a/core/src/test/java/google/registry/flows/host/HostCreateFlowTest.java
+++ b/core/src/test/java/google/registry/flows/host/HostCreateFlowTest.java
@@ -39,12 +39,12 @@
 import google.registry.flows.exceptions.ResourceCreateContentionException;
 import google.registry.flows.host.HostCreateFlow.SubordinateHostMustHaveIpException;
 import google.registry.flows.host.HostCreateFlow.UnexpectedExternalHostIpException;
+import google.registry.flows.host.HostFlowUtils.BadHostNameCharacterException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotLowerCaseException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotNormalizedException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotPunyCodedException;
 import google.registry.flows.host.HostFlowUtils.HostNameTooLongException;
 import google.registry.flows.host.HostFlowUtils.HostNameTooShallowException;
-import google.registry.flows.host.HostFlowUtils.InvalidHostNameException;
 import google.registry.flows.host.HostFlowUtils.SuperordinateDomainDoesNotExistException;
 import google.registry.flows.host.HostFlowUtils.SuperordinateDomainInPendingDeleteException;
 import google.registry.model.ForeignKeyUtils;
@@ -286,7 +286,7 @@ private void doFailingHostNameTest(String hostName, Class<? extends EppException
 
   @Test
   void testFailure_badCharacter() {
-    doFailingHostNameTest("foo bar", InvalidHostNameException.class);
+    doFailingHostNameTest("foo bar", BadHostNameCharacterException.class);
   }
 
   @Test
diff --git a/core/src/test/java/google/registry/flows/host/HostUpdateFlowTest.java b/core/src/test/java/google/registry/flows/host/HostUpdateFlowTest.java
index fba77b4bcfa..84b7bf8f466 100644
--- a/core/src/test/java/google/registry/flows/host/HostUpdateFlowTest.java
+++ b/core/src/test/java/google/registry/flows/host/HostUpdateFlowTest.java
@@ -54,13 +54,13 @@
 import google.registry.flows.ResourceFlowUtils.StatusNotClientSettableException;
 import google.registry.flows.exceptions.ResourceHasClientUpdateProhibitedException;
 import google.registry.flows.exceptions.ResourceStatusProhibitsOperationException;
+import google.registry.flows.host.HostFlowUtils.BadHostNameCharacterException;
 import google.registry.flows.host.HostFlowUtils.HostDomainNotOwnedException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotLowerCaseException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotNormalizedException;
 import google.registry.flows.host.HostFlowUtils.HostNameNotPunyCodedException;
 import google.registry.flows.host.HostFlowUtils.HostNameTooLongException;
 import google.registry.flows.host.HostFlowUtils.HostNameTooShallowException;
-import google.registry.flows.host.HostFlowUtils.InvalidHostNameException;
 import google.registry.flows.host.HostFlowUtils.SuperordinateDomainDoesNotExistException;
 import google.registry.flows.host.HostFlowUtils.SuperordinateDomainInPendingDeleteException;
 import google.registry.flows.host.HostUpdateFlow.CannotAddIpToExternalHostException;
@@ -1259,7 +1259,7 @@ private void doFailingHostNameTest(String hostName, Class<? extends EppException
 
   @Test
   void testFailure_renameToBadCharacter() throws Exception {
-    doFailingHostNameTest("foo bar", InvalidHostNameException.class);
+    doFailingHostNameTest("foo bar", BadHostNameCharacterException.class);
   }
 
   @Test
diff --git a/core/src/test/java/google/registry/rdap/RdapNameserverActionTest.java b/core/src/test/java/google/registry/rdap/RdapNameserverActionTest.java
index 1a9a8e6e776..4c916313f26 100644
--- a/core/src/test/java/google/registry/rdap/RdapNameserverActionTest.java
+++ b/core/src/test/java/google/registry/rdap/RdapNameserverActionTest.java
@@ -74,7 +74,9 @@ void testInvalidNameserver_returns400() {
         .that(generateActualJson("invalid/host/name"))
         .isEqualTo(
             generateExpectedJsonError(
-                "invalid/host/name is not a valid nameserver: Invalid host name", 400));
+                "invalid/host/name is not a valid nameserver: Host names can only contain a-z, 0-9,"
+                    + " '.', '_', and '-'",
+                400));
     assertThat(response.getStatus()).isEqualTo(400);
   }
 
diff --git a/core/src/test/resources/google/registry/flows/host/host_check_50.xml b/core/src/test/resources/google/registry/flows/host/host_check_50.xml
index 8ddf873ad27..6e3d192a76d 100644
--- a/core/src/test/resources/google/registry/flows/host/host_check_50.xml
+++ b/core/src/test/resources/google/registry/flows/host/host_check_50.xml
@@ -3,56 +3,56 @@
     <check>
       <host:check
        xmlns:host="urn:ietf:params:xml:ns:host-1.0">
-        <host:name>www1.tld</host:name>
-        <host:name>www2.tld</host:name>
-        <host:name>www3.tld</host:name>
-        <host:name>www4.tld</host:name>
-        <host:name>www5.tld</host:name>
-        <host:name>www6.tld</host:name>
-        <host:name>www7.tld</host:name>
-        <host:name>www8.tld</host:name>
-        <host:name>www9.tld</host:name>
-        <host:name>www10.tld</host:name>
-        <host:name>www11.tld</host:name>
-        <host:name>www12.tld</host:name>
-        <host:name>www13.tld</host:name>
-        <host:name>www14.tld</host:name>
-        <host:name>www15.tld</host:name>
-        <host:name>www16.tld</host:name>
-        <host:name>www17.tld</host:name>
-        <host:name>www18.tld</host:name>
-        <host:name>www19.tld</host:name>
-        <host:name>www20.tld</host:name>
-        <host:name>www21.tld</host:name>
-        <host:name>www22.tld</host:name>
-        <host:name>www23.tld</host:name>
-        <host:name>www24.tld</host:name>
-        <host:name>www25.tld</host:name>
-        <host:name>www26.tld</host:name>
-        <host:name>www27.tld</host:name>
-        <host:name>www28.tld</host:name>
-        <host:name>www29.tld</host:name>
-        <host:name>www30.tld</host:name>
-        <host:name>www31.tld</host:name>
-        <host:name>www32.tld</host:name>
-        <host:name>www33.tld</host:name>
-        <host:name>www34.tld</host:name>
-        <host:name>www35.tld</host:name>
-        <host:name>www36.tld</host:name>
-        <host:name>www37.tld</host:name>
-        <host:name>www38.tld</host:name>
-        <host:name>www39.tld</host:name>
-        <host:name>www40.tld</host:name>
-        <host:name>www41.tld</host:name>
-        <host:name>www42.tld</host:name>
-        <host:name>www43.tld</host:name>
-        <host:name>www44.tld</host:name>
-        <host:name>www45.tld</host:name>
-        <host:name>www46.tld</host:name>
-        <host:name>www47.tld</host:name>
-        <host:name>www48.tld</host:name>
-        <host:name>www49.tld</host:name>
-        <host:name>www50.tld</host:name>
+        <host:name>ns1.www1.tld</host:name>
+        <host:name>ns1.www2.tld</host:name>
+        <host:name>ns1.www3.tld</host:name>
+        <host:name>ns1.www4.tld</host:name>
+        <host:name>ns1.www5.tld</host:name>
+        <host:name>ns1.www6.tld</host:name>
+        <host:name>ns1.www7.tld</host:name>
+        <host:name>ns1.www8.tld</host:name>
+        <host:name>ns1.www9.tld</host:name>
+        <host:name>ns1.www10.tld</host:name>
+        <host:name>ns1.www11.tld</host:name>
+        <host:name>ns1.www12.tld</host:name>
+        <host:name>ns1.www13.tld</host:name>
+        <host:name>ns1.www14.tld</host:name>
+        <host:name>ns1.www15.tld</host:name>
+        <host:name>ns1.www16.tld</host:name>
+        <host:name>ns1.www17.tld</host:name>
+        <host:name>ns1.www18.tld</host:name>
+        <host:name>ns1.www19.tld</host:name>
+        <host:name>ns1.www20.tld</host:name>
+        <host:name>ns1.www21.tld</host:name>
+        <host:name>ns1.www22.tld</host:name>
+        <host:name>ns1.www23.tld</host:name>
+        <host:name>ns1.www24.tld</host:name>
+        <host:name>ns1.www25.tld</host:name>
+        <host:name>ns1.www26.tld</host:name>
+        <host:name>ns1.www27.tld</host:name>
+        <host:name>ns1.www28.tld</host:name>
+        <host:name>ns1.www29.tld</host:name>
+        <host:name>ns1.www30.tld</host:name>
+        <host:name>ns1.www31.tld</host:name>
+        <host:name>ns1.www32.tld</host:name>
+        <host:name>ns1.www33.tld</host:name>
+        <host:name>ns1.www34.tld</host:name>
+        <host:name>ns1.www35.tld</host:name>
+        <host:name>ns1.www36.tld</host:name>
+        <host:name>ns1.www37.tld</host:name>
+        <host:name>ns1.www38.tld</host:name>
+        <host:name>ns1.www39.tld</host:name>
+        <host:name>ns1.www40.tld</host:name>
+        <host:name>ns1.www41.tld</host:name>
+        <host:name>ns1.www42.tld</host:name>
+        <host:name>ns1.www43.tld</host:name>
+        <host:name>ns1.www44.tld</host:name>
+        <host:name>ns1.www45.tld</host:name>
+        <host:name>ns1.www46.tld</host:name>
+        <host:name>ns1.www47.tld</host:name>
+        <host:name>ns1.www48.tld</host:name>
+        <host:name>ns1.www49.tld</host:name>
+        <host:name>ns1.www50.tld</host:name>
       </host:check>
     </check>
     <clTRID>ABC-12345</clTRID>
diff --git a/core/src/test/resources/google/registry/flows/host/host_check_generic.xml b/core/src/test/resources/google/registry/flows/host/host_check_generic.xml
new file mode 100644
index 00000000000..4418fd34315
--- /dev/null
+++ b/core/src/test/resources/google/registry/flows/host/host_check_generic.xml
@@ -0,0 +1,11 @@
+<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
+    <command>
+        <check>
+            <host:check
+                    xmlns:host="urn:ietf:params:xml:ns:host-1.0">
+                <host:name>%HOSTNAME%</host:name>
+            </host:check>
+        </check>
+        <clTRID>ABC-12345</clTRID>
+    </command>
+</epp>