Fix no-proxy list: guard StringList event and validate entries

jandubois · jandubois · commit daefd328b0e9 · 2026-03-27T14:17:30.000-07:00
The StringList @change handler in WslProxy.vue lacked the Array.isArray guard added to ContainerEngineAllowedImages.vue during the Vue 3 update, causing non-array values to corrupt the noproxy setting. Also add validation that noproxy entries are IP addresses or CIDR subnets, since the iptables-based bypass mechanism cannot handle hostnames or wildcards. Fixes #9803 Signed-off-by: Jan Dubois <jan.dubois@suse.com>
diff --git a/pkg/rancher-desktop/components/Preferences/WslProxy.vue b/pkg/rancher-desktop/components/Preferences/WslProxy.vue
@@ -123,7 +123,7 @@ export default defineComponent({
             :items="preferences.experimental.virtualMachine.proxy.noproxy"
             :error-messages="noproxyErrorMessages"
             bulk-addition-delimiter=","
-            @change="onChange('experimental.virtualMachine.proxy.noproxy', $event)"
+            @change="Array.isArray($event) && onChange('experimental.virtualMachine.proxy.noproxy', $event)"
             @type:item="onType($event)"
             @errors="onDuplicate($event.duplicate)"
           />
diff --git a/pkg/rancher-desktop/main/commandServer/__tests__/settingsValidator.spec.ts b/pkg/rancher-desktop/main/commandServer/__tests__/settingsValidator.spec.ts
@@ -993,4 +993,113 @@ describe('SettingsValidator', () => {
       );
     });
   });
+
+  describe('noproxy', () => {
+    const fqname = 'experimental.virtualMachine.proxy.noproxy';
+
+    function noproxySetting(noproxy: string[]): RecursivePartial<settings.Settings> {
+      return { experimental: { virtualMachine: { proxy: { noproxy } } } };
+    }
+
+    beforeEach(() => {
+      modules.os.platform.mockReturnValue('win32');
+    });
+
+    it('should accept valid IPv4 addresses', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['192.168.1.1']));
+
+      expect({ needToUpdate, errors }).toEqual({ needToUpdate: true, errors: [] });
+    });
+
+    it('should accept valid IPv4 CIDR subnets', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['10.0.0.0/8', '172.16.0.0/12']));
+
+      expect({ needToUpdate, errors }).toEqual({ needToUpdate: true, errors: [] });
+    });
+
+    it('should accept valid IPv6 addresses', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['::1', 'fe80::1']));
+
+      expect({ needToUpdate, errors }).toEqual({ needToUpdate: true, errors: [] });
+    });
+
+    it('should accept valid IPv6 CIDR subnets', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['fd00::/8', '::1/128']));
+
+      expect({ needToUpdate, errors }).toEqual({ needToUpdate: true, errors: [] });
+    });
+
+    it('should accept the default noproxy list unchanged without errors', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(cfg.experimental.virtualMachine.proxy.noproxy));
+
+      expect({ needToUpdate, errors }).toEqual({ needToUpdate: false, errors: [] });
+    });
+
+    it('should reject hostnames', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['example.com']));
+
+      expect(needToUpdate).toBe(false);
+      expect(errors).toHaveLength(1);
+      expect(errors[0]).toContain('invalid entries');
+      expect(errors[0]).toContain('example.com');
+    });
+
+    it('should reject wildcard DNS entries', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['*.example.com']));
+
+      expect(needToUpdate).toBe(false);
+      expect(errors).toHaveLength(1);
+      expect(errors[0]).toContain('invalid entries');
+      expect(errors[0]).toContain('*.example.com');
+    });
+
+    it('should reject duplicate entries', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['10.0.0.1', '10.0.0.1']));
+
+      expect(needToUpdate).toBe(false);
+      expect(errors).toHaveLength(1);
+      expect(errors[0]).toContain('duplicate');
+    });
+
+    it('should reject non-array values', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, { experimental: { virtualMachine: { proxy: { noproxy: 'not-an-array' as any } } } });
+
+      expect(needToUpdate).toBe(false);
+      expect(errors).toHaveLength(1);
+    });
+
+    it('should reject CIDR with out-of-range prefix length', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['10.0.0.0/33']));
+
+      expect(needToUpdate).toBe(false);
+      expect(errors).toHaveLength(1);
+      expect(errors[0]).toContain('invalid entries');
+    });
+
+    it('should reject CIDR with non-numeric prefix', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['10.0.0.0/abc']));
+
+      expect(needToUpdate).toBe(false);
+      expect(errors).toHaveLength(1);
+      expect(errors[0]).toContain('invalid entries');
+    });
+
+    it('should report all invalid entries at once', () => {
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['foo.bar', '10.0.0.0/8', 'baz.qux']));
+
+      expect(needToUpdate).toBe(false);
+      expect(errors).toHaveLength(1);
+      expect(errors[0]).toContain('foo.bar');
+      expect(errors[0]).toContain('baz.qux');
+    });
+
+    it('should be gated to win32 platform', () => {
+      modules.os.platform.mockReturnValue('darwin');
+      const [needToUpdate, errors] = subject.validateSettings(cfg, noproxySetting(['10.0.0.1']));
+
+      expect(needToUpdate).toBe(false);
+      expect(errors).toHaveLength(1);
+      expect(errors[0]).toContain('isn\'t supported');
+    });
+  });
 });
diff --git a/pkg/rancher-desktop/main/commandServer/settingsValidator.ts b/pkg/rancher-desktop/main/commandServer/settingsValidator.ts
@@ -1,3 +1,4 @@
+import net from 'net';
 import os from 'os';
 
 import _ from 'lodash';
@@ -148,7 +149,7 @@ export default class SettingsValidator {
             password: this.checkPlatform('win32', this.checkString),
             port:     this.checkPlatform('win32', this.checkNumber(1, 65535)),
             username: this.checkPlatform('win32', this.checkString),
-            noproxy:  this.checkPlatform('win32', this.checkUniqueStringArray),
+            noproxy:  this.checkPlatform('win32', this.checkNoproxyList),
           },
           sshPortForwarder: this.checkLima(this.checkBoolean),
         },
@@ -663,6 +664,60 @@ export default class SettingsValidator {
     return Array.from(duplicates).concat(whiteSpaceMembers);
   }
 
+  /**
+   * Validate that a string is an IP address or CIDR subnet.
+   * Accepts IPv4 and IPv6 addresses with optional prefix length.
+   */
+  protected static isIPOrCIDR(entry: string): boolean {
+    const slashIndex = entry.indexOf('/');
+
+    if (slashIndex === -1) {
+      return net.isIP(entry) !== 0;
+    }
+    const address = entry.substring(0, slashIndex);
+    const prefixStr = entry.substring(slashIndex + 1);
+    const ipVersion = net.isIP(address);
+
+    if (ipVersion === 0) {
+      return false;
+    }
+    if (!/^\d+$/.test(prefixStr)) {
+      return false;
+    }
+    const prefix = parseInt(prefixStr, 10);
+    const maxPrefix = ipVersion === 4 ? 32 : 128;
+
+    return prefix >= 0 && prefix <= maxPrefix;
+  }
+
+  /**
+   * Validate the noproxy list: must be unique strings, each a valid IP or CIDR.
+   */
+  protected checkNoproxyList<S>(mergedSettings: S, currentValue: string[], desiredValue: string[], errors: string[], fqname: string): boolean {
+    if (!Array.isArray(desiredValue) || desiredValue.some(s => typeof (s) !== 'string')) {
+      errors.push(this.invalidSettingMessage(fqname, desiredValue));
+
+      return false;
+    }
+    const duplicateValues = this.findDuplicates(desiredValue);
+
+    if (duplicateValues.length > 0) {
+      duplicateValues.sort(Intl.Collator().compare);
+      errors.push(`field "${ fqname }" has duplicate entries: "${ duplicateValues.join('", "') }"`);
+
+      return false;
+    }
+    const invalidEntries = desiredValue.filter(entry => !SettingsValidator.isIPOrCIDR(entry));
+
+    if (invalidEntries.length > 0) {
+      errors.push(`field "${ fqname }" has invalid entries (must be IP addresses or CIDR subnets): "${ invalidEntries.join('", "') }"`);
+
+      return false;
+    }
+
+    return currentValue.length !== desiredValue.length || currentValue.some((v, i) => v !== desiredValue[i]);
+  }
+
   protected checkInstalledExtensions(
     mergedSettings: Settings,
     currentValue: Record<string, string>,
