Don't allow wildcard suffix domain rules that look like an address range rule

2022-02-03 15:49:49 +01:00
parent becbe5033f
commit 2f7e7d8e18
1 changed files with 13 additions and 1 deletions
--- a/profile/endpoints/endpoint-domain.go
+++ b/profile/endpoints/endpoint-domain.go
@@ -2,6 +2,7 @@ package endpoints

 import (
 	"context"
+	"errors"
 	"regexp"
 	"strings"

@@ -17,7 +18,12 @@ const (
 	domainMatchTypeContains
 )

-var allowedDomainChars = regexp.MustCompile(`^[a-z0-9\.-]+$`)
+var (
+	allowedDomainChars = regexp.MustCompile(`^[a-z0-9\.-]+$`)
+
+	// looksLikeAnIP matches domains that look like an IP address.
+	looksLikeAnIP = regexp.MustCompile(`^[0-9\.:]+$`)
+)

 // EndpointDomain matches domains.
 type EndpointDomain struct {
@@ -122,6 +128,12 @@ func parseTypeDomain(fields []string) (Endpoint, error) {
 			return nil, nil
 		}

+		// Do not accept domains that look like an IP address and have a suffix wildcard.
+		// This is confusing, because it looks like an IP Netmask matching rule.
+		if looksLikeAnIP.MatchString(ep.Domain) {
+			return nil, errors.New("use CIDR notation (eg. 10.0.0.0/24) for matching ip address ranges")
+		}
+
 	case strings.HasPrefix(domain, "*"):
 		ep.MatchType = domainMatchTypeSuffix
 		ep.Domain = strings.TrimPrefix(domain, "*")