From 27739da046fbf60e7c169e1bde185c2018edb28e Mon Sep 17 00:00:00 2001
From: user
Date: Sun, 15 Mar 2026 11:18:01 -0700
Subject: [PATCH] test: add failing tests for removing suffix matching from whitelist

Suffix matching (.example.com matching subdomains) should not be supported. Whitelist entries should be exact host matches only. Leading dots should be stripped and treated as exact matches.
---
 internal/imgcache/whitelist_test.go | 42 ++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 10 deletions(-)

diff --git a/internal/imgcache/whitelist_test.go b/internal/imgcache/whitelist_test.go
index 3e33b66..b72c33c 100644
--- a/internal/imgcache/whitelist_test.go
+++ b/internal/imgcache/whitelist_test.go
@@ -31,41 +31,47 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 want: false,
 },
 {
- name: "suffix match",
+ name: "dot prefix does not enable suffix matching",
 patterns: []string{".example.com"},
 testURL: "https://cdn.example.com/image.jpg",
- want: true,
+ want: false,
 },
 {
- name: "suffix match deep subdomain",
+ name: "dot prefix does not match deep subdomain",
 patterns: []string{".example.com"},
 testURL: "https://cdn.images.example.com/image.jpg",
- want: true,
+ want: false,
 },
 {
- name: "suffix match apex domain",
+ name: "dot prefix stripped matches apex domain exactly",
 patterns: []string{".example.com"},
 testURL: "https://example.com/image.jpg",
 want: true,
 },
 {
- name: "suffix match not found",
+ name: "dot prefix does not match unrelated domain",
 patterns: []string{".example.com"},
 testURL: "https://notexample.com/image.jpg",
 want: false,
 },
 {
- name: "suffix match partial not allowed",
+ name: "dot prefix does not match partial domain",
 patterns: []string{".example.com"},
 testURL: "https://fakeexample.com/image.jpg",
 want: false,
 },
 {
- name: "multiple patterns",
- patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
+ name: "multiple patterns exact only",
+ patterns: []string{"cdn.example.com", "photos.images.org", "static.test.net"},
 testURL: "https://photos.images.org/image.jpg",
 want: true,
 },
+ {
+ name: "multiple patterns no suffix match",
+ patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
+ testURL: "https://photos.images.org/image.jpg",
+ want: false,
+ },
 {
 name: "empty whitelist",
 patterns: []string{},
@@ -90,6 +96,12 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 testURL: "https://cdn.example.com/image.jpg",
 want: true,
 },
+ {
+ name: "whitespace dot prefix stripped matches exactly",
+ patterns: []string{" .other.com "},
+ testURL: "https://other.com/image.jpg",
+ want: true,
+ },
 }

 for _, tt := range tests {
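Review bot: The `.example.com` cases in the first hunk of TestHostWhitelist_IsWhitelisted pin only a single leading dot, while the commit message says "leading dots" are stripped. The table therefore leaves open whether `..example.com` is normalised to `example.com`, kept as a literal that can never match, or rejected. For an allowlist that is worth pinning with one more entry, e.g. `patterns: []string{"..example.com"}` against `https://example.com/image.jpg`, with whichever `want` the design intends. If the intent is that a leading dot is only an alternative spelling of the exact host, a comment above the group such as `// A leading dot is stripped and the entry is an exact host match; it never widens the match to subdomains.` would record that. The table and the test function both start and end outside this hunk, so an existing case may already cover part of this.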
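Review bot: The added `" .other.com "` case in the second hunk (`-90,6 +96,12`) asserts only the positive direction, that the apex host matches after trimming. An implementation that trims the whitespace and then still takes the old suffix branch for the dotted entry would pass it. A companion entry with the same pattern and a subdomain URL expecting `false` closes that gap, as shown below. The table starts outside the hunk, so the entry is placed directly after the new case.

```go
		// … unchanged: "whitespace dot prefix stripped matches exactly" case …
		{
			name:     "whitespace dot prefix does not match subdomain",
			patterns: []string{" .other.com "},
			testURL:  "https://cdn.other.com/image.jpg",
			want:     false,
		},
```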
@@ -139,6 +151,11 @@ func TestHostWhitelist_IsEmpty(t *testing.T) {
 patterns: []string{"example.com"},
 want: false,
 },
+ {
+ name: "dot prefix entry still counts",
+ patterns: []string{".example.com"},
+ want: false,
+ },
 }

 for _, tt := range tests {
@@ -168,7 +185,7 @@ func TestHostWhitelist_Count(t *testing.T) {
 want: 3,
 },
 {
- name: "suffix hosts only",
+ name: "dot prefix hosts treated as exact",
 patterns: []string{".a.com", ".b.com"},
 want: 2,
 },
@@ -177,6 +194,11 @@ func TestHostWhitelist_Count(t *testing.T) {
 patterns: []string{"exact.com", ".suffix.com"},
 want: 2,
 },
+ {
+ name: "dot prefix deduplicates with exact",
+ patterns: []string{"example.com", ".example.com"},
+ want: 1,
+ },
 }

 for _, tt := range tests {
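Review bot: Stripping the leading dot creates a degenerate input that neither this IsEmpty hunk (`-139,6 +151,11`) nor the Count hunk at `-177,6 +194,11` pins: a pattern that is only a dot (`"."`, or `" . "` after trimming) normalises to the empty string. If that empty string were stored as a host entry, the whitelist would report itself as non-empty. How IsWhitelisted treats a URL with no host is not visible here, so whether such an entry could also match is unknown, and the tests should rule it out rather than leave it to the implementation. I would add `patterns: []string{"."}` with `want: true` to the IsEmpty table and the same pattern with `want: 0` to the Count table. Both tables begin outside their hunks, so a case for a plain `""` entry may already exist.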