Reuse normalize_hostname helper in is_trusted_hostname; expand helper

bitterpanda63 · claude · bitterpanda63 · commit 5f241aa28149 · 2026-06-08T17:29:04.000+02:00
Expand normalize_hostname (sinks/socket) to also lowercase and strip
trailing dots so it is a proper canonical form for all hostname
comparisons. Use it in is_trusted_hostname instead of inline .lower()
.rstrip(".").

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/aikido_zen/sinks/socket/normalize_hostname.py b/aikido_zen/sinks/socket/normalize_hostname.py
@@ -2,13 +2,13 @@ def normalize_hostname(hostname):
     if not hostname or not isinstance(hostname, str):
         return hostname
 
-    result = hostname
-    try:
-        # Check if hostname contains punycode (starts with xn--)
-        if hostname.startswith("xn--"):
-            result = hostname.encode("ascii").decode("idna")
+    # Lowercase and strip trailing dot (DNS resolvers may return FQDNs like "example.com.")
+    result = hostname.lower().rstrip(".")
 
+    try:
+        # Decode Punycode if the hostname starts with xn--
+        if result.startswith("xn--"):
+            result = result.encode("ascii").decode("idna")
         return result
     except (UnicodeError, LookupError):
-        # If decoding fails, return original hostname
-        return hostname
+        return result
diff --git a/aikido_zen/sinks/socket/normalize_hostname_test.py b/aikido_zen/sinks/socket/normalize_hostname_test.py
@@ -55,10 +55,10 @@ def test_normalize_hostname_punycode_subdomain():
     assert result == "müller.example.com"
 
 
-def test_normalize_hostname_mixed_case():
-    """Test that case is preserved in non-punycode hostnames"""
-    assert normalize_hostname("Example.COM") == "Example.COM"
-    assert normalize_hostname("MixedCase.Example.com") == "MixedCase.Example.com"
+def test_normalize_hostname_lowercases():
+    """Test that hostnames are lowercased"""
+    assert normalize_hostname("Example.COM") == "example.com"
+    assert normalize_hostname("MixedCase.Example.com") == "mixedcase.example.com"
 
 
 def test_normalize_hostname_non_string_input():
@@ -94,7 +94,12 @@ def test_normalize_hostname_punycode_not_starting_with_xn():
 
 def test_normalize_hostname_punycode_error_handling():
     """Test error handling for malformed punycode"""
-    # This should return the original string if decoding fails
     result = normalize_hostname("xn--invalid-punycode")
-    # Should either return the original or a decoded version if valid
     assert isinstance(result, str)
+
+
+def test_normalize_hostname_trailing_dot():
+    """Test that trailing dots (FQDN form from DNS resolvers) are stripped"""
+    assert normalize_hostname("example.com.") == "example.com"
+    assert normalize_hostname("metadata.google.internal.") == "metadata.google.internal"
+    assert normalize_hostname("metadata.goog.") == "metadata.goog"
diff --git a/aikido_zen/vulnerabilities/ssrf/imds.py b/aikido_zen/vulnerabilities/ssrf/imds.py
@@ -4,6 +4,7 @@
 """
 
 from aikido_zen.helpers.ip_matcher import IPMatcher
+from aikido_zen.sinks.socket.normalize_hostname import normalize_hostname
 
 imds_addresses = IPMatcher(
     [
@@ -29,7 +30,7 @@ def is_trusted_hostname(hostname):
     """
     If the hostname is a trusted host (like metadata.goog), there was no spoofing of hostnames, so it's not an attack
     """
-    return hostname.lower().rstrip(".") in trusted_hosts
+    return normalize_hostname(hostname) in trusted_hosts
 
 
 def resolves_to_imds_ip(resolved_ip_addresses, hostname):
