Potential fix for code scanning alert no. 3: Incomplete URL substring sanitization

[jonathansantilli]

Potential fix for https://github.com/jonathansantilli/codegate/security/code-scanning/3

In general, to fix this kind of issue, avoid treating the full hostname as an arbitrary string and matching trusted domains with includes or endsWith. Instead, parse the URL (which is already done here) and then either (a) require an exact match for the hostname, or (b) if subdomains should be allowed, explicitly permit either exact match or a hostname that ends with . + trusted domain (e.g., sub.example.com ends with .example.com) rather than just any string ending in example.com.

For this code, the lowest-risk change is to replace the three .endsWith("<domain>") checks with a helper that checks for either exact matches or proper subdomains. This preserves the intention of treating github.com, gitlab.com, and bitbucket.org (and their subdomains like gist.github.com or api.bitbucket.org) as “likely Git sources”, but prevents hostnames such as github.com.evil.com from being accepted. We can introduce a small local helper, e.g. isHostOrSubdomain(hostname, baseDomain), and use it inside isLikelyGitSource. All changes stay within src/layer2-static/detectors/plugin-manifest.ts, near the existing function, and no external libraries are needed because hostname string matching is straightforward.

Concretely:

• Add a helper function isHostOrSubdomain(hostname: string, baseDomain: string): boolean just above isLikelyGitSource.
• Implement it to:
  • Normalize both hostname and baseDomain to lowercase.
  • Return true if they are equal.
  • Return true if hostname ends with . + baseDomain.
• Update the return statement in isLikelyGitSource to use this helper for "github.com", "gitlab.com", and "bitbucket.org" instead of .endsWith(...).

Suggested fixes powered by Copilot Autofix. Review carefully before merging.