[wrangler] Validate secret bulk JSON stdin values (#14196)

odiak · web-flow · commit b205fb7ff0a1 · 2026-06-05T11:33:25.000Z
diff --git a/.changeset/tall-secrets-sneeze.md b/.changeset/tall-secrets-sneeze.md
@@ -0,0 +1,7 @@
+---
+"wrangler": patch
+---
+
+Validate JSON stdin values for `wrangler secret bulk`
+
+JSON input piped through stdin now validates that secret values are strings or null before sending them to the API, matching the existing behavior for file input.
diff --git a/packages/wrangler/src/__tests__/secret.test.ts b/packages/wrangler/src/__tests__/secret.test.ts
@@ -1268,6 +1268,22 @@ describe("wrangler secret", () => {
 			);
 		});
 
+		it("should fail if JSON stdin contains a record with non-string values", async ({
+			expect,
+		}) => {
+			mockReadlineInput(
+				JSON.stringify({
+					"invalid-secret": 999,
+				})
+			);
+
+			await expect(
+				runWrangler("secret bulk --name script-name")
+			).rejects.toThrowErrorMatchingInlineSnapshot(
+				`[Error: The value for "invalid-secret" in "piped input" is not null or a "string" instead it is of type "number"]`
+			);
+		});
+
 		it("should count success and network failure on secret bulk", async ({
 			expect,
 		}) => {
diff --git a/packages/wrangler/src/__tests__/versions/secrets/bulk.test.ts b/packages/wrangler/src/__tests__/versions/secrets/bulk.test.ts
@@ -251,6 +251,22 @@ describe("versions secret bulk", () => {
 		`);
 	});
 
+	test("should error on json stdin with non-string values", async ({
+		expect,
+	}) => {
+		mockReadlineInput(
+			JSON.stringify({
+				SECRET_1: 1,
+			})
+		);
+
+		await expect(
+			runWrangler(`versions secret bulk --name script-name`)
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: The value for "SECRET_1" in "piped input" is not null or a "string" instead it is of type "number"]`
+		);
+	});
+
 	test("unsafe metadata is provided", async ({ expect }) => {
 		writeWranglerConfig({
 			name: "script-name",
diff --git a/packages/wrangler/src/secret/index.ts b/packages/wrangler/src/secret/index.ts
@@ -652,14 +652,6 @@ export async function parseBulkInputToObject(
 				});
 			}
 		}
-		validateFileSecrets(content, input);
-		if (!includeNull) {
-			content = Object.fromEntries(
-				Object.entries(content).filter(
-					(entry): entry is [string, string] => entry[1] != null
-				)
-			);
-		}
 	} else {
 		secretSource = "stdin";
 		try {
@@ -684,5 +676,13 @@ export async function parseBulkInputToObject(
 			return;
 		}
 	}
+	validateFileSecrets(content, input ?? "piped input");
+	if (!includeNull) {
+		content = Object.fromEntries(
+			Object.entries(content).filter(
+				(entry): entry is [string, string] => entry[1] != null
+			)
+		);
+	}
 	return { content, secretSource, secretFormat };
 }

Original file line number	Diff line number	Diff line change
`@@ -652,14 +652,6 @@ export async function parseBulkInputToObject(`
`652`	`652`	`});`
`653`	`653`	`}`
`654`	`654`	`}`
`655`		`- validateFileSecrets(content, input);`
`656`		`- if (!includeNull) {`
`657`		`- content = Object.fromEntries(`
`658`		`- Object.entries(content).filter(`
`659`		`- (entry): entry is [string, string] => entry[1] != null`
`660`		`- )`
`661`		`- );`
`662`		`- }`
`663`	`655`	`} else {`
`664`	`656`	`secretSource = "stdin";`
`665`	`657`	`try {`
`@@ -684,5 +676,13 @@ export async function parseBulkInputToObject(`
`684`	`676`	`return;`
`685`	`677`	`}`
`686`	`678`	`}`
	`679`	`+ validateFileSecrets(content, input ?? "piped input");`
	`680`	`+ if (!includeNull) {`
	`681`	`+ content = Object.fromEntries(`
	`682`	`+ Object.entries(content).filter(`
	`683`	`+ (entry): entry is [string, string] => entry[1] != null`
	`684`	`+ )`
	`685`	`+ );`
	`686`	`+ }`
`687`	`687`	`return { content, secretSource, secretFormat };`
`688`	`688`	`}`