fix: reject invalid dotted-decimal in hostname_rfc1123 validation

[Herrtian]

Summary

Fixes #1561

hostname_rfc1123 validation accepted strings like 277.168.0.1 which are neither valid IPv4 addresses nor valid hostnames per RFC 1123.

RFC 1123 §2.1 states:

"a valid host name can never have the dotted-decimal form #.#.#.#, since at least the highest-level component label will be alphabetic."

Change

Added a check in isHostnameRFC1123: after the regex match, if the input looks like a dotted-decimal string (digits and dots only, with at least one dot), it must also be a valid IP address via net.ParseIP. Otherwise it's rejected.

Input	Before	After
277.168.0.1	pass	fail (invalid IP, looks like dotted-decimal)
192.168.0.1	pass	pass (valid IPv4)
123.456.789.0	pass	fail (invalid IP)
example.com	pass	pass (not dotted-decimal)
1	pass	pass (single label, not dotted-decimal)

Test plan

• go build ./... passes
• TestHostnameRFC1123Validation passes
• TestHostnameRFC1123AliasValidation passes
• Full test suite passes (all packages including translations)

[Copilot]

Pull request overview

This PR updates the hostname_rfc1123 validator to reject “dotted-decimal-looking” hostnames that aren’t valid IP addresses, addressing cases like 277.168.0.1 that previously passed the RFC1123 hostname regex.

Changes:

• Added a looksLikeDottedDecimal helper to detect digit-and-dot-only inputs.
• Updated isHostnameRFC1123 to run an additional dotted-decimal/IP parse check after the existing RFC1123 regex match.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

looksLikeDottedDecimal returns true for any string containing only digits and dots with at least one dot (e.g. "1.2" or "1.2.3"). That means isHostnameRFC1123 will now reject these values even though hostnameRegexRFC1123 allows them, and the RFC 1123 quote/comment here specifically refers to the IPv4-like form #.#.#.#. Consider tightening the check to only treat the input as “dotted-decimal” when it has exactly 4 numeric labels (3 dots, no empty labels), so you only gate IPv4-shaped inputs behind net.ParseIP.

Suggested change

	// looksLikeDottedDecimal returns true if s looks like a dotted-decimal address
	// (e.g. "277.168.0.1") — composed entirely of digits and dots, with at least one dot.
	func looksLikeDottedDecimal(s string) bool {
	hasDot := false
	for _, c := range s {
	if c == '.' {
	hasDot = true
	} else if c < '0' || c > '9' {
	return false
	}
	}
	return hasDot
	// looksLikeDottedDecimal returns true if s looks like a dotted-decimal IPv4
	// address shape (e.g. "277.168.0.1"): exactly 4 numeric labels separated by
	// 3 dots, with no empty labels.
	func looksLikeDottedDecimal(s string) bool {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
	return false
	}
	for _, part := range parts {
	if part == "" {
	return false
	}
	for _, c := range part {
	if c < '0' || c > '9' {
	return false
	}
	}
	}
	return true

[Copilot]

In isHostnameRFC1123, net.ParseIP(val) is evaluated for every value that matches the hostname regex, including typical hostnames like "example.com". To avoid unnecessary parsing work, check looksLikeDottedDecimal(val) first and only call net.ParseIP when the string is actually numeric/dotted.

Suggested change

	if net.ParseIP(val) == nil && looksLikeDottedDecimal(val) {
	if looksLikeDottedDecimal(val) && net.ParseIP(val) == nil {

[zemzale]

Thanks for the PR.

As Copilot points out:

• the looksLikeDottedDecimal has a huge bug
• net.ParseIP gets called every time which is not needed for a LOT of cases

Also I would require some tests before accepting this change, that would cover all the cases that have been pointed out.