From 2f7e7d8e187fe9c6377e304e1c09dde31007a08b Mon Sep 17 00:00:00 2001
From: Daniel
Date: Thu, 3 Feb 2022 15:49:49 +0100
Subject: [PATCH] Don't allow wildcard suffix domain rules that look like an address range rule

---
 profile/endpoints/endpoint-domain.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/profile/endpoints/endpoint-domain.go b/profile/endpoints/endpoint-domain.go
index 0a8b00b6..d23a02e6 100644
--- a/profile/endpoints/endpoint-domain.go
+++ b/profile/endpoints/endpoint-domain.go
@@ -2,6 +2,7 @@ package endpoints

 import (
 "context"
+ "errors"
 "regexp"
 "strings"

@@ -17,7 +18,12 @@ const (
 domainMatchTypeContains
 )

-var allowedDomainChars = regexp.MustCompile(`^[a-z0-9\.-]+$`)
+var (
+ allowedDomainChars = regexp.MustCompile(`^[a-z0-9\.-]+$`)
+
+ // looksLikeAnIP matches domains that look like an IP address.
+ looksLikeAnIP = regexp.MustCompile(`^[0-9\.:]+$`)
+)

 // EndpointDomain matches domains.
 type EndpointDomain struct {
@@ -122,6 +128,12 @@ func parseTypeDomain(fields []string) (Endpoint, error) {
 return nil, nil
 }

+ // Do not accept domains that look like an IP address and have a suffix wildcard.
+ // This is confusing, because it looks like an IP Netmask matching rule.
+ if looksLikeAnIP.MatchString(ep.Domain) {
+ return nil, errors.New("use CIDR notation (eg. 10.0.0.0/24) for matching ip address ranges")
+ }
+
 case strings.HasPrefix(domain, "*"):
 ep.MatchType = domainMatchTypeSuffix
 ep.Domain = strings.TrimPrefix(domain, "*")
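Review bot: The `:` in the `looksLikeAnIP` character class probably never matches. If `ep.Domain` has already been validated against `allowedDomainChars` (that check is not visible in this patch), a colon cannot reach the new test, and an IPv6-looking value would contain `a`-`f`, which the class excludes anyway. Either reduce the pattern to `^[0-9.]+$` (the backslash before the dot is not needed inside a class), or keep it and make the comment say what is matched, e.g. `// looksLikeAnIP matches strings made up only of digits, dots and colons, such as what is left of "10.0.0.*" once the wildcard is removed.`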
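Review bot: The new error in `parseTypeDomain` does not name the rule that was rejected, so someone with a long rule list has to guess which entry triggered it. Including the value would make it actionable, e.g. `return nil, fmt.Errorf("%q looks like an IP range: use CIDR notation (e.g. 10.0.0.0/24) to match IP address ranges", domain)`; this needs `fmt`, whose import is not visible in the patch. The guard sits at the end of a `case` whose header is outside the hunk, so it is only inferred from the commit title that this is the trailing-wildcard branch. Because the pattern accepts any run of digits and dots, a rule such as `360.*` is rejected too. If that is intended, test entries for `360.*` and `10.0.0.*` would pin the behaviour, since the patch adds no tests.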