Skip to content

fix(wrangler): reject secrets-store secret values larger than 64 KiB#14020

Merged
dario-piotrowicz merged 6 commits into
cloudflare:mainfrom
shiminshen:fix/secrets-store-length-validation
May 28, 2026
Merged

fix(wrangler): reject secrets-store secret values larger than 64 KiB#14020
dario-piotrowicz merged 6 commits into
cloudflare:mainfrom
shiminshen:fix/secrets-store-length-validation

Conversation

@shiminshen

@shiminshen shiminshen commented May 23, 2026

Copy link
Copy Markdown
Contributor

Fixes #14018

What this PR addresses

#14018wrangler secrets-store secret create lets users create secrets longer than 1024 characters even though the Cloudflare API silently discards anything over the cap. The CLI claims success, secret list even shows the secret, but any worker that binds to it then fails at deploy time with a misleading "secret doesn't exist" error. The dashboard already enforces the 1024-char cap and never shows these orphan secrets.

What changed

  • packages/wrangler/src/secrets-store/commands.ts
    • Add MAX_SECRET_VALUE_LENGTH = 1024 and a validateSecretValue helper sitting next to the existing validateSecretName. The error message names the cap, the actual length received, and why the API rejects it, so the user can fix it without round-tripping through the dashboard.
    • Call validateSecretValue from the create handler after the value is gathered (args.value or the interactive prompt).
    • Call validateSecretValue from the update handler only when a new value is being supplied — the command intentionally allows updating just scopes or comment without re-supplying the value.
  • packages/wrangler/src/__tests__/secrets-store.test.ts — new test under the existing secrets-store secret create describe block that sends a 1025-character value and asserts the new error message, mirroring the pattern of the existing missing-field error tests.
  • Changeset (patch to wrangler).

Notes

  • The cap is enforced client-side at the CLI surface, before any API call, so it doesn't change behaviour for users who are already under the limit.
  • I considered making the check happen inside the client.ts createSecret / updateSecret calls instead, but kept it at the handler so the error is symmetrical with the existing validateSecretName call (which also runs at handler / validateArgs time, not at the API call site).

  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: this PR adds client-side validation matching an existing API-side constraint that the dashboard already enforces. It surfaces a clearer error for an already-failing case but does not change documented behaviour, add new flags, or modify any output that user-facing docs reference.

…aracters

The CLI was accepting overly long values, returning a successful response,
and listing the secret as if it were stored — but the Cloudflare API
discards anything over 1024 characters, so any worker binding to that
secret then fails at deploy time with a confusing "secret doesn't exist"
error. The dashboard already enforces the same 1024 cap and never shows
these orphaned secrets.

Add `validateSecretValue` next to the existing `validateSecretName` and
call it from both the `create` and `update` handlers (in the update case,
only when a new value is actually being supplied — the command allows
updating just scopes or comment). Cover the create path with a unit test
mirroring the existing missing-field error tests.

Fixes cloudflare#14018
@changeset-bot

changeset-bot Bot commented May 23, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 63c9210

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
wrangler Patch
@cloudflare/vite-plugin Patch
@cloudflare/vitest-pool-workers Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-project-automation github-project-automation Bot moved this to Untriaged in workers-sdk May 23, 2026
@workers-devprod workers-devprod requested review from a team and dario-piotrowicz and removed request for a team May 23, 2026 01:51
@workers-devprod

workers-devprod commented May 23, 2026

Copy link
Copy Markdown
Contributor

Codeowners approval required for this PR:

  • ✅ @cloudflare/wrangler
Show detailed file reviewers

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.

Open in Devin Review

@pkg-pr-new

pkg-pr-new Bot commented May 23, 2026

Copy link
Copy Markdown
create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@14020

@cloudflare/deploy-helpers

npm i https://pkg.pr.new/@cloudflare/deploy-helpers@14020

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@14020

miniflare

npm i https://pkg.pr.new/miniflare@14020

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@14020

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@14020

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@14020

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@14020

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@14020

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@14020

wrangler

npm i https://pkg.pr.new/wrangler@14020

commit: 63c9210

@dario-piotrowicz

Copy link
Copy Markdown
Member

Thank you very much for the PR @shiminshen 🙏

The API does not seem to actually enforce this cap, only the dashboard is, before reviewing your PR I need to check with the secret store team if that's intentional (besides that the changes here look good to me)

@dario-piotrowicz

Copy link
Copy Markdown
Member

Hi @shiminshen, I checked with the team and they did let me know that the limit has been increased to 64 KiB see: api docs

Could you update the PR to respect this new upper limit? 🙏

The API limit was 1024 characters when this PR was opened, but the
secrets-store team has since raised it to 64 KiB (65,536 bytes).
Validate by UTF-8 byte length to match the API doc exactly --
character-length would under-count multi-byte unicode and let
oversize values slip through.
@shiminshen shiminshen changed the title fix(wrangler): reject secrets-store secret values longer than 1024 characters fix(wrangler): reject secrets-store secret values larger than 64 KiB May 26, 2026
@shiminshen

Copy link
Copy Markdown
Contributor Author

Thanks for checking with the team @dario-piotrowicz! Updated in fe1e398:

  • Cap raised to 64 KiB (65,536 bytes) — matches the API doc.
  • Validation now uses Buffer.byteLength(value, "utf8") instead of value.length, since the API doc specifies the limit in bytes ("Maximum 64 KiB (65,536 bytes)"). Character-length would under-count multi-byte unicode and could let oversize values through.
  • Test, error message, changeset, and PR title all updated accordingly.

@dario-piotrowicz dario-piotrowicz left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great to me! Thank you very much @shiminshen! 🙏

I just left one last comment, everything else beside that is great for me!

Comment thread .changeset/fix-secrets-store-value-length-validation.md Outdated

@workers-devprod workers-devprod left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codeowners reviews satisfied

@github-project-automation github-project-automation Bot moved this from Untriaged to Approved in workers-sdk May 27, 2026
@dario-piotrowicz dario-piotrowicz merged commit 9dee4cc into cloudflare:main May 28, 2026
58 of 59 checks passed
@github-project-automation github-project-automation Bot moved this from Approved to Done in workers-sdk May 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

Secret store secrets longer than 1024 appear to work but don't

3 participants