fix: harden IPv6 host/port URL handling for remote builder and tunnel paths (#4792)

* fix: format remote builder API URLs with JoinHostPort

* fix: harden host:port formatting for IPv6 endpoints

Author: dangra

internal/build/imgsrc/daemon_url.go

@@ -0,0 +1,25 @@
+package imgsrc
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+)
+
+func builderAPIURL(daemonHost, path string) (string, error) {
+	parsed, err := url.Parse(daemonHost)
+	if err != nil {
+		return "", err
+	}
+
+	hostname := parsed.Hostname()
+	if hostname == "" {
+		return "", fmt.Errorf("failed to parse daemon host %q: missing hostname", daemonHost)
+	}
+
+	parsed.Host = net.JoinHostPort(hostname, "8080")
+	parsed.Scheme = "http"
+	parsed.Path = path
+
+	return parsed.String(), nil
+}

internal/build/imgsrc/daemon_url_test.go

@@ -0,0 +1,67 @@
+package imgsrc
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuilderAPIURL(t *testing.T) {
+	tests := []struct {
+		name       string
+		daemonHost string
+		path       string
+		want       string
+	}{
+		{
+			name:       "ipv4",
+			daemonHost: "tcp://192.168.1.10:2375",
+			path:       "/flyio/v1/extendDeadline",
+			want:       "http://192.168.1.10:8080/flyio/v1/extendDeadline",
+		},
+		{
+			name:       "ipv6",
+			daemonHost: "tcp://[fdaa:49:2bd7::2]:2375",
+			path:       "/flyio/v1/extendDeadline",
+			want:       "http://[fdaa:49:2bd7::2]:8080/flyio/v1/extendDeadline",
+		},
+		{
+			name:       "overlaybd path",
+			daemonHost: "tcp://[fdaa:49:2bd7::2]:2375",
+			path:       "/flyio/v1/buildOverlaybdImage",
+			want:       "http://[fdaa:49:2bd7::2]:8080/flyio/v1/buildOverlaybdImage",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got, err := builderAPIURL(tc.daemonHost, tc.path)
+			require.NoError(t, err)
+			assert.Equal(t, tc.want, got)
+		})
+	}
+}
+
+func TestBuilderAPIURLError(t *testing.T) {
+	tests := []struct {
+		name       string
+		daemonHost string
+	}{
+		{
+			name:       "missing host",
+			daemonHost: "unix:///var/run/docker.sock",
+		},
+		{
+			name:       "invalid url",
+			daemonHost: "://bad-url",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := builderAPIURL(tc.daemonHost, "/flyio/v1/extendDeadline")
+			require.Error(t, err)
+		})
+	}
+}

internal/build/imgsrc/docker.go

@@ -576,7 +576,7 @@ func buildWireguardlessClientOpts(ctx context.Context, host, appName string) ([]
 			"Authorization": "Basic " + basicAuth(appName, config.Tokens(ctx).Docker()),
 		}),
 		dockerclient.WithDialContext(func(ctx context.Context, network, addr string) (net.Conn, error) {
-			return tls.Dial("tcp", parsedHostUrl.Host+":443", &tls.Config{})
+			return tls.Dial("tcp", net.JoinHostPort(parsedHostUrl.Hostname(), "443"), &tls.Config{})
 		}),
 	}
 

internal/build/imgsrc/dockerfile_builder.go

@@ -8,7 +8,6 @@ import (
 	"io"
 	"net"
 	"net/http"
-	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@@ -328,17 +327,10 @@ func buildOverlaybdImage(ctx context.Context, appName string, docker *dockerclie
 
 	terminal.Info("Building lazy-loading image, please wait...")
 
-	daemonHost := docker.DaemonHost()
-	parsed, err := url.Parse(daemonHost)
+	rchabUrl, err := builderAPIURL(docker.DaemonHost(), "/flyio/v1/buildOverlaybdImage")
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse daemon host: %w", err)
 	}
-	hostPort := parsed.Host
-	host, _, _ := net.SplitHostPort(hostPort)
-	parsed.Host = host + ":8080"
-	parsed.Scheme = "http"
-	parsed.Path = "/flyio/v1/buildOverlaybdImage"
-	rchabUrl := parsed.String()
 
 	terminal.Debugf("rchab url: %s", rchabUrl)
 

internal/build/imgsrc/resolver.go

@@ -5,9 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"net"
 	"net/http"
-	"net/url"
 	"strings"
 	"sync"
 	"time"
@@ -791,18 +789,7 @@ func (r *Resolver) StartHeartbeat(ctx context.Context) (*StopSignal, error) {
 }
 
 func getHeartbeatUrl(dockerClient *dockerclient.Client) (string, error) {
-	daemonHost := dockerClient.DaemonHost()
-	parsed, err := url.Parse(daemonHost)
-	if err != nil {
-		return "", err
-	}
-	hostPort := parsed.Host
-	host, _, _ := net.SplitHostPort(hostPort)
-	parsed.Host = host + ":8080"
-	parsed.Scheme = "http"
-	parsed.Path = "/flyio/v1/extendDeadline"
-
-	return parsed.String(), nil
+	return builderAPIURL(dockerClient.DaemonHost(), "/flyio/v1/extendDeadline")
 }
 
 func (s *StopSignal) Stop() {

internal/build/imgsrc/resolver_test.go

@@ -26,7 +26,7 @@ func TestDeploymentImage(t *testing.T) {
 }
 
 func TestHeartbeat(t *testing.T) {
-	dc, err := client.NewClientWithOpts()
+	dc, err := client.NewClientWithOpts(client.WithHost("tcp://127.0.0.1:2375"))
 	assert.NoError(t, err)
 
 	ctx := context.Background()
@@ -43,7 +43,7 @@ func TestStartHeartbeat(t *testing.T) {
 		Tokens: &tokens.Tokens{},
 	})
 
-	dc, err := client.NewClientWithOpts()
+	dc, err := client.NewClientWithOpts(client.WithHost("tcp://127.0.0.1:2375"))
 	assert.NoError(t, err)
 
 	resolver := Resolver{
@@ -72,7 +72,7 @@ func TestStartHeartbeatFirstRetry(t *testing.T) {
 		Tokens: &tokens.Tokens{},
 	})
 
-	dc, err := client.NewClientWithOpts()
+	dc, err := client.NewClientWithOpts(client.WithHost("tcp://127.0.0.1:2375"))
 	assert.NoError(t, err)
 
 	numCalls := 0
@@ -109,7 +109,7 @@ func TestStartHeartbeatNoEndpoint(t *testing.T) {
 		Tokens: &tokens.Tokens{},
 	})
 
-	dc, err := client.NewClientWithOpts()
+	dc, err := client.NewClientWithOpts(client.WithHost("tcp://127.0.0.1:2375"))
 	assert.NoError(t, err)
 
 	resolver := Resolver{

internal/command/doctor/app_checks.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -160,7 +161,7 @@ func (ac *AppChecker) checkDnsRecords(ipAddresses []fly.IPAddress) {
 
 		return
 	}
-	nsAddr := fmt.Sprintf("%s:53", strings.TrimSuffix(ns, "."))
+	nsAddr := net.JoinHostPort(strings.TrimSuffix(ns, "."), "53")
 
 	if len(v4s) > 0 {
 		ac.lprint(nil, "Checking A record for %s... ", appHostname)

internal/command/mcp/proxy.go

@@ -354,7 +354,7 @@ func resolveProxy(ctx context.Context, originalUrl string) (string, *exec.Cmd, e
 
 	bindAddr := flag.GetBindAddr(ctx)
 
-	parsedURL.Host = fmt.Sprintf("%s:%d", bindAddr, localPort)
+	parsedURL.Host = net.JoinHostPort(bindAddr, fmt.Sprintf("%d", localPort))
 
 	return parsedURL.String(), cmd, nil
 }

internal/command/mcp/server.go

@@ -3,6 +3,7 @@ package mcp
 import (
 	"context"
 	"fmt"
+	"net"
 	"net/http"
 	"os"
 	"os/exec"
@@ -470,7 +471,7 @@ func runServer(ctx context.Context) error {
 			start = sseServer.Start
 		}
 
-		if err = start(fmt.Sprintf("%s:%d", flag.GetString(ctx, flagnames.BindAddr), port)); err != nil {
+		if err = start(net.JoinHostPort(flag.GetString(ctx, flagnames.BindAddr), fmt.Sprintf("%d", port))); err != nil {
 			return fmt.Errorf("Server error: %v", err)
 		}
 	} else {

wg/state.go

@@ -74,7 +74,7 @@ func (s *WireGuardState) TunnelConfig() *Config {
 		LocalNetwork:    &wgl,
 		RemotePublicKey: pkey,
 		RemoteNetwork:   &wgr,
-		Endpoint:        s.Peer.Endpointip + ":51820",
+		Endpoint:        net.JoinHostPort(s.Peer.Endpointip, "51820"),
 		DNS:             dns,
 		LogLevel:        wgLogLevel,
 	}