fix: restrict domain names to alphanumeric characters (#4104)

* fix: restrict domain names to alphanumeric characters

* improve error message

internal/command/instance_domain.go

@@ -2,6 +2,7 @@ package command
 
 import (
 	"context"
+	"regexp"
 	"strings"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
@@ -14,6 +15,10 @@ import (
 	"github.com/zitadel/zitadel/internal/repository/project"
 )
 
+var (
+	allowDomainRunes = regexp.MustCompile("^[a-zA-Z0-9\\.\\-]+$")
+)
+
 func (c *Commands) AddInstanceDomain(ctx context.Context, instanceDomain string) (*domain.ObjectDetails, error) {
 	instanceAgg := instance.NewAggregate(authz.GetInstance(ctx).InstanceID())
 	validation := c.addInstanceDomain(instanceAgg, instanceDomain, false)
@@ -84,6 +89,9 @@ func (c *Commands) addInstanceDomain(a *instance.Aggregate, instanceDomain strin
 		if instanceDomain = strings.TrimSpace(instanceDomain); instanceDomain == "" {
 			return nil, errors.ThrowInvalidArgument(nil, "INST-28nlD", "Errors.Invalid.Argument")
 		}
+		if !allowDomainRunes.MatchString(instanceDomain) {
+			return nil, errors.ThrowInvalidArgument(nil, "INST-S3v3w", "Errors.Instance.Domain.InvalidCharacter")
+		}
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 			domainWriteModel, err := getInstanceDomainWriteModel(ctx, filter, instanceDomain)
 			if err != nil {

internal/command/instance_domain_test.go

@@ -52,6 +52,51 @@ func TestCommandSide_AddInstanceDomain(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
+		{
+			name: "invalid domain ', error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx:    context.Background(),
+				domain: "hodor's-org.localhost",
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "invalid domain umlaut, error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx:    context.Background(),
+				domain: "bücher.ch",
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "invalid domain other unicode, error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx:    context.Background(),
+				domain: "🦒.ch",
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
 		{
 			name: "domain already exists, precondition error",
 			fields: fields{

internal/static/i18n/de.yaml

@@ -172,6 +172,7 @@ Errors:
     IdpIsNotOIDC: IDP Konfiguration ist nicht vom Typ OIDC
     Domain:
       AlreadyExists: Domäne existiert bereits
+      InvalidCharacter: Nur alphanumerische Zeichen, . und - sind für eine Domäne erlaubt
     IDP:
       InvalidSearchQuery: Ungültiger Suchparameter
     LoginPolicy:

internal/static/i18n/en.yaml

@@ -172,6 +172,7 @@ Errors:
     IdpIsNotOIDC: IDP configuration is not of type oidc
     Domain:
       AlreadyExists: Domain already exists
+      InvalidCharacter: Only alphanumeric characters, . and - are allowed for a domain
     IDP:
       InvalidSearchQuery: Invalid search query
     LoginPolicy:

internal/static/i18n/fr.yaml

@@ -172,6 +172,7 @@ Errors:
     IdpIsNotOIDC: La configuration IDP n'est pas de type oidc
     Domain:
       AlreadyExists: Le domaine existe déjà
+      InvalidCharacter: Seuls les caractères alphanumériques, . et - sont autorisés pour un domaine
     IDP:
       InvalidSearchQuery: Paramètre de recherche non valide
     LoginPolicy:

internal/static/i18n/it.yaml

@@ -174,6 +174,7 @@ Errors:
       AlreadyExists: Il dominio già esistente
     IDP:
       InvalidSearchQuery: Parametro di ricerca non valido
+      InvalidCharacter: Per un dominio sono ammessi solo caratteri alfanumerici, . e -
     LoginPolicy:
       NotFound: Impostazioni di accesso non trovati
       Invalid: Impostazioni di accesso non sono validi