
Conversation

emily-shen (Contributor)

wip
CC-5835

This is to support configuring credentials for external (non-Cloudflare) registries.


  • Tests
    • Tests included
    • Tests not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because:
  • Wrangler V3 Backport
    • Wrangler PR:
    • Not necessary because:


changeset-bot bot commented Sep 10, 2025

🦋 Changeset detected

Latest commit: 8a5ab65

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages:

  Name                              Type
  @cloudflare/containers-shared     Patch
  wrangler                          Patch
  @cloudflare/vite-plugin           Patch
  @cloudflare/vitest-pool-workers   Patch



pkg-pr-new bot commented Sep 10, 2025

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@10605

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@10605

miniflare

npm i https://pkg.pr.new/miniflare@10605

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@10605

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@10605

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@10605

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@10605

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@10605

wrangler

npm i https://pkg.pr.new/wrangler@10605

commit: 8a5ab65

emily-shen changed the title from "[draft] add npx wrangler containers registry configure command" to "[draft] add npx wrangler containers registry put command" on Sep 11, 2025
Comment on packages/containers-shared/src/images.ts (RegExp construction for the "cloudflare" registry pattern)
		{
			type: "cloudflare",
			pattern: new RegExp(
				`^${getCloudflareContainerRegistry().replace(/\./g, "\\.")}$`

Check failure: Code scanning / CodeQL

Incomplete string escaping or encoding (High)

This does not escape backslash characters in the input.

Copilot Autofix (AI) commented about 13 hours ago

The problem should be fixed by robustly escaping all characters in the registry string that have special meaning in regular expressions before interpolation into a regex pattern. JavaScript does not have a built-in escapeRegExp function, but its standard implementation is well understood. The best fix is to introduce a utility—either implement a local escapeRegExp function, or (preferably) use a library like lodash.escapeRegExp. Since editing outside the given file is not allowed and no such utility is imported, we should define a local escapeRegExp within this file, and use it in the RegExp construction in line 169. This avoids partial/manual escaping and future-proofs the code. This function should escape backslashes before other meta-characters to avoid double-escape errors. Place the helper near the usage (e.g., just above getRegistryType).

Suggested changeset 1: packages/containers-shared/src/images.ts

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/packages/containers-shared/src/images.ts b/packages/containers-shared/src/images.ts
--- a/packages/containers-shared/src/images.ts
+++ b/packages/containers-shared/src/images.ts
@@ -166,7 +166,7 @@
 		{
 			type: "cloudflare",
 			pattern: new RegExp(
-				`^${getCloudflareContainerRegistry().replace(/\./g, "\\.")}$`
+				`^${escapeRegExp(getCloudflareContainerRegistry())}$`
 			),
 			name: "Cloudflare Containers Managed Registry",
 		},
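Review bot: the fuller escape is fine, but the pattern stays anchored (`^…$`), so it only ever matches the bare registry host returned by `getCloudflareContainerRegistry()`; whatever calls `getRegistryType` (visible here only as `return match;` in the next hunk) must pass the registry host portion of the image reference, not the whole `host/namespace/image:tag` string, or the Cloudflare entry will never match. Since the interpolated value is a fixed host name under the project's control, the old `.replace(/\./g, "\\.")` was sufficient in practice; the helper only removes the assumption that the host contains no other metacharacters. One caveat: `escapeRegExp` is a hoisted function declaration, so defining it after this array literal works, but turning it into a `const` arrow function later would throw at this call if the literal is evaluated at module load.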
@@ -189,6 +189,11 @@
 	return match;
 };
 
+// Escapes special characters for use in a RegExp constructor
+function escapeRegExp(str: string): string {
+	return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 interface RegistryPattern {
 	type: "aws-ecr" | "cloudflare";
 	pattern: RegExp;
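Review bot: the character class is the standard one, and leaving `-` and `/` unescaped is correct because the result is passed to the `RegExp` constructor rather than written into a `/…/` literal, but the replacement string uses single quotes (`'\\$&'`) while the rest of this file uses double quotes (`"cloudflare"`, `"Cloudflare Containers Managed Registry"`); change it to `"\\$&"` so the autofix does not introduce a formatting diff. Consider exporting the helper or adding a unit test for it so the escaping is covered alongside the registry patterns it now underpins.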
EOF
Comment on lines +186 to +188
const isContainerManagedRegistry = container.image.startsWith(
"registry.cloudflare.com"
);

Check failure: Code scanning / CodeQL

Incomplete URL substring sanitization (High)

'registry.cloudflare.com' may be followed by an arbitrary host name.

Copilot Autofix (AI) commented about 13 hours ago

To securely check whether container.image refers to an image from the managed registry (registry.cloudflare.com), we must parse the registry host portion from the URI and compare it to a whitelist of allowed hosts. This means:

  • Parse the host portion of the image URI using a robust image parsing method.
  • Check for explicit equality to "registry.cloudflare.com", not simple substring or prefix matches.
  • If there are valid subdomains to allow, include those in the whitelist, but typically only the exact root registry is allowed for managed images.
  • The edit is in packages/wrangler/src/containers/config.ts, on line 186 where the prefix check occurs.
  • We'll need a reliable way to extract the host from Docker image references. Since Docker image references have a non-URL format, the registry host is typically everything before the first /, defaulting to Docker Hub if not present. We can safely split the string at the / and check explicitly that the host matches.
  • If an external library (such as docker-registry-host or similar) is not available, implement the registry host extraction inline in a well-known, robust manner.
  • Change the check at line 186 to compare the extracted registry host to "registry.cloudflare.com".
Suggested changeset 1: packages/wrangler/src/containers/config.ts

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/packages/wrangler/src/containers/config.ts b/packages/wrangler/src/containers/config.ts
--- a/packages/wrangler/src/containers/config.ts
+++ b/packages/wrangler/src/containers/config.ts
@@ -183,9 +183,11 @@
 					}
 				);
 			}
-			const isContainerManagedRegistry = container.image.startsWith(
-				"registry.cloudflare.com"
-			);
+			// Extract registry host (everything before first '/'), then check for exact match
+			const imageRegistryHost = container.image.includes("/")
+				? container.image.split("/")[0]
+				: "";
+			const isContainerManagedRegistry = imageRegistryHost === "registry.cloudflare.com";
 			normalizedContainers.push({
 				...shared,
 				...instanceTypeOrLimits,
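Review bot: the equality test closes the lookalike-host case CodeQL flagged (`registry.cloudflare.com.example/…` now yields host `registry.cloudflare.com.example` and no longer matches), but two things. First, `split("/")[0]` is not Docker's reference grammar: the first component is a registry only if it contains `.` or `:` or is `localhost`, otherwise the image lives on Docker Hub, which the explanation above itself says ("defaulting to Docker Hub if not present") while the code defaults to `""`; harmless for an equality check against `registry.cloudflare.com`, but misleading for a variable named `imageRegistryHost` that someone will reuse. Second, `packages/containers-shared/src/images.ts` already carries a `RegistryPattern` list with a `type: "cloudflare"` entry built from `getCloudflareContainerRegistry()`; reusing that matcher here instead of hard-coding the host a second time keeps the two checks from drifting. For example, a reference with an explicit port such as `registry.cloudflare.com:443/…` passed the old `startsWith` but matches neither the new equality nor the anchored pattern, and that decision should live in one place.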
EOF
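Added example, not code from this PR or from wrangler, that ties the two autofixes above together: the fully escaped host pattern from the images.ts suggestion and an exact registry-host check in place of the `startsWith` prefix test from the config.ts suggestion. Only the `escapeRegExp` body and the host string `registry.cloudflare.com` come from the patches; `REGISTRY_PATTERNS`, `registryHost`, `getRegistryType`, the ECR host shape and every sample reference are assumptions made for illustration. It goes beyond the patch by parsing the host the way Docker's reference grammar does (bare names and `library/...` resolve to Docker Hub) so that the comparison is an exact match on a real host rather than on whatever precedes the first slash.

```typescript
// Added example (not wrangler's code): registry detection for Docker-style image
// references. REGISTRY_PATTERNS, registryHost(), getRegistryType() and the sample
// references are assumptions for illustration only.

type RegistryType = "cloudflare" | "aws-ecr" | "docker-hub" | "other";

interface RegistryPattern {
  type: RegistryType;
  pattern: RegExp;
  name: string;
}

// Assumed stand-in for getCloudflareContainerRegistry() from containers-shared.
const CLOUDFLARE_CONTAINER_REGISTRY = "registry.cloudflare.com";

// Escapes every RegExp metacharacter, backslash included, so a host name can be
// interpolated into a pattern verbatim. "-" and "/" need no escaping here because the
// result goes through the RegExp constructor, not a /.../ literal.
function escapeRegExp(str: string): string {
  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// The unescaped form, kept only to show what the finding is about: "." matches any
// character, so this pattern also accepts "registryXcloudflareXcom".
const UNESCAPED_HOST_PATTERN = new RegExp(`^${CLOUDFLARE_CONTAINER_REGISTRY}$`);

const REGISTRY_PATTERNS: RegistryPattern[] = [
  {
    type: "cloudflare",
    pattern: new RegExp(`^${escapeRegExp(CLOUDFLARE_CONTAINER_REGISTRY)}$`),
    name: "Cloudflare Containers Managed Registry",
  },
  {
    // Assumed ECR host shape: <12-digit account id>.dkr.ecr.<region>.amazonaws.com
    type: "aws-ecr",
    pattern: /^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$/,
    name: "Amazon ECR",
  },
];

// Returns the registry host of an image reference following Docker's reference grammar:
// the first path component is a registry only if it contains "." or ":" or is exactly
// "localhost"; otherwise the image lives on Docker Hub. DNS host names are
// case-insensitive, so the host is lower-cased before comparison.
function registryHost(image: string): string {
  const slash = image.indexOf("/");
  if (slash === -1) {
    return "docker.io"; // e.g. "nginx:1.27"; a bare "registry.cloudflare.com" is a Hub image name too
  }
  const first = image.slice(0, slash);
  if (first === "localhost" || first.includes(".") || first.includes(":")) {
    return first.toLowerCase();
  }
  return "docker.io"; // e.g. "library/nginx"
}

// Classifies an image by exact host match against the anchored patterns. A lookalike
// such as "registry.cloudflare.com.attacker.example" is a different host and never
// matches; a host with an explicit port ("registry.cloudflare.com:5000") is reported as
// an unknown registry rather than silently accepted as the managed one.
function getRegistryType(image: string): RegistryType {
  const host = registryHost(image);
  if (host === "docker.io") {
    return "docker-hub";
  }
  const match = REGISTRY_PATTERNS.find((p) => p.pattern.test(host));
  return match ? match.type : "other";
}

function isManagedRegistry(image: string): boolean {
  return getRegistryType(image) === "cloudflare";
}

// The prefix test CodeQL flagged, kept side by side for comparison.
function isManagedRegistryNaive(image: string): boolean {
  return image.startsWith("registry.cloudflare.com");
}

// Constructed sample references (not from the PR) showing where the two checks disagree.
const SAMPLES = [
  "registry.cloudflare.com/abc123/app:1.0",
  "registry.cloudflare.com.attacker.example/app:1.0",
  "Registry.Cloudflare.com/abc123/app@sha256:0123456789abcdef",
  "registry.cloudflare.com:5000/app:1.0",
  "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.0",
  "library/nginx",
];

for (const image of SAMPLES) {
  const naive = isManagedRegistryNaive(image);
  const hardened = isManagedRegistry(image);
  console.log(`${image.padEnd(60)} naive=${naive} hardened=${hardened} type=${getRegistryType(image)}`);
}
```

Run it with any TypeScript runner (for example tsx); the lookalike host is the row where the naive check says `true` and the hardened one says `false`, and the upper-cased and port-qualified rows show the two remaining behaviour differences a reviewer would want decided deliberately rather than by accident of string prefixing.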
Labels: none yet
Project status: Untriaged
1 participant