remove suffix matching from host whitelist
All checks were successful
check / check (push) Successful in 1m50s
All checks were successful
check / check (push) Successful in 1m50s
Signatures are per-URL, so the whitelist should only support exact host matches. Remove the suffix/wildcard matching that allowed patterns like '.example.com' to bypass signature requirements for entire domain trees. Leading dots in existing config entries are now stripped, so '.example.com' becomes 'example.com' as an exact match (backwards-compatible normalisation).
This commit is contained in:
user
@@ -31,41 +31,41 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "suffix match",
|
||||
patterns: []string{".example.com"},
|
||||
name: "no suffix matching for subdomains",
|
||||
patterns: []string{"example.com"},
|
||||
testURL: "https://cdn.example.com/image.jpg",
|
||||
want: true,
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "suffix match deep subdomain",
|
||||
patterns: []string{".example.com"},
|
||||
testURL: "https://cdn.images.example.com/image.jpg",
|
||||
want: true,
|
||||
},
|
||||
{
|
||||
name: "suffix match apex domain",
|
||||
name: "leading dot stripped to exact match",
|
||||
patterns: []string{".example.com"},
|
||||
testURL: "https://example.com/image.jpg",
|
||||
want: true,
|
||||
},
|
||||
{
|
||||
name: "suffix match not found",
|
||||
name: "leading dot does not enable suffix matching",
|
||||
patterns: []string{".example.com"},
|
||||
testURL: "https://notexample.com/image.jpg",
|
||||
testURL: "https://cdn.example.com/image.jpg",
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "suffix match partial not allowed",
|
||||
name: "leading dot does not match deep subdomain",
|
||||
patterns: []string{".example.com"},
|
||||
testURL: "https://fakeexample.com/image.jpg",
|
||||
testURL: "https://cdn.images.example.com/image.jpg",
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "multiple patterns",
|
||||
patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
|
||||
name: "multiple patterns exact only",
|
||||
patterns: []string{"cdn.example.com", "photos.images.org", "static.test.net"},
|
||||
testURL: "https://photos.images.org/image.jpg",
|
||||
want: true,
|
||||
},
|
||||
{
|
||||
name: "multiple patterns no suffix leak",
|
||||
patterns: []string{"cdn.example.com", "images.org"},
|
||||
testURL: "https://photos.images.org/image.jpg",
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "empty whitelist",
|
||||
patterns: []string{},
|
||||
@@ -86,7 +86,7 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "whitespace in patterns",
|
||||
patterns: []string{" cdn.example.com ", " .other.com "},
|
||||
patterns: []string{" cdn.example.com ", " other.com "},
|
||||
testURL: "https://cdn.example.com/image.jpg",
|
||||
want: true,
|
||||
},
|
||||
@@ -139,6 +139,11 @@ func TestHostWhitelist_IsEmpty(t *testing.T) {
|
||||
patterns: []string{"example.com"},
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "leading dot normalised to entry",
|
||||
patterns: []string{".example.com"},
|
||||
want: false,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
@@ -168,14 +173,14 @@ func TestHostWhitelist_Count(t *testing.T) {
|
||||
want: 3,
|
||||
},
|
||||
{
|
||||
name: "suffix hosts only",
|
||||
name: "leading dots normalised to exact",
|
||||
patterns: []string{".a.com", ".b.com"},
|
||||
want: 2,
|
||||
},
|
||||
{
|
||||
name: "mixed",
|
||||
patterns: []string{"exact.com", ".suffix.com"},
|
||||
want: 2,
|
||||
name: "mixed deduplication",
|
||||
patterns: []string{"example.com", ".example.com"},
|
||||
want: 1,
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user