fix(deps): bump publicsuffix to 2.3 to drop vulnerable idna 0.2.3

AlfioEmanueleFresta · AlfioEmanueleFresta · commit 8556676020fa · 2026-05-14T19:29:19.000+01:00
publicsuffix 1.5 transitively pulls idna 0.2.3, which is affected by CVE-2024-12224 (GHSA-h97m-ww89-6jmq). publicsuffix 2.3 depends on idna 1.0+, which is patched. Closes Dependabot alert #25. The 2.x API replaces List::from_str / parse_domain / Domain::root with str::parse and the Psl trait's suffix() / domain() methods. The new algorithm also applies an implicit wildcard so unlisted TLDs (like "localhost") report themselves as a suffix; filter on Suffix::is_known() to preserve v1 semantics and keep bare "localhost" valid as an rp.id.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/libwebauthn/Cargo.toml b/libwebauthn/Cargo.toml
@@ -32,7 +32,7 @@ base64-url = "3.0.0"
 dbus = "0.9.5"
 tracing = "0.1.29"
 idna = "1.0.3"
-publicsuffix = { version = "1.5", default-features = false }
+publicsuffix = "2.3"
 url = "2.5"
 maplit = "1.0.2"
 sha2 = "0.10.2"
diff --git a/libwebauthn/src/ops/webauthn/psl.rs b/libwebauthn/src/ops/webauthn/psl.rs
@@ -14,6 +14,8 @@
 
 use std::path::{Path, PathBuf};
 
+use publicsuffix::{List, Psl};
+
 /// Public Suffix List lookup interface.
 ///
 /// Implementations decide where the PSL data lives (system file, embedded
@@ -42,7 +44,7 @@ pub const SYSTEM_PSL_PATH: &str = "/usr/share/publicsuffix/public_suffix_list.da
 /// `PublicSuffixList` implementation backed by a Public Suffix List `.dat`
 /// file loaded from disk at construction time.
 pub struct DatFilePublicSuffixList {
-    list: publicsuffix::List,
+    list: List,
     source: PathBuf,
 }
 
@@ -59,8 +61,9 @@ impl DatFilePublicSuffixList {
     pub fn from_path(path: impl AsRef<Path>) -> Result<Self, DatFileLoadError> {
         let path = path.as_ref();
         let data = std::fs::read_to_string(path)?;
-        let list = publicsuffix::List::from_str(&data)
-            .map_err(|e| DatFileLoadError::Parse(e.to_string()))?;
+        let list: List = data
+            .parse()
+            .map_err(|e: publicsuffix::Error| DatFileLoadError::Parse(e.to_string()))?;
         Ok(Self {
             list,
             source: path.to_path_buf(),
@@ -74,14 +77,27 @@ impl DatFilePublicSuffixList {
 }
 
 impl PublicSuffixList for DatFilePublicSuffixList {
+    // `is_known()` filter drops `publicsuffix`'s implicit-wildcard match for
+    // unlisted TLDs (e.g. `localhost`), so bare `localhost` stays a valid rp.id.
     fn registrable_domain(&self, host: &str) -> Option<String> {
-        let domain = self.list.parse_domain(host).ok()?;
-        domain.root().map(|s| s.to_string())
+        let suffix = self.list.suffix(host.as_bytes())?;
+        if !suffix.is_known() {
+            return None;
+        }
+        let domain = self.list.domain(host.as_bytes())?;
+        std::str::from_utf8(domain.as_bytes())
+            .ok()
+            .map(String::from)
     }
 
     fn public_suffix(&self, host: &str) -> Option<String> {
-        let domain = self.list.parse_domain(host).ok()?;
-        domain.suffix().map(|s| s.to_string())
+        let suffix = self.list.suffix(host.as_bytes())?;
+        if !suffix.is_known() {
+            return None;
+        }
+        std::str::from_utf8(suffix.as_bytes())
+            .ok()
+            .map(String::from)
     }
 }
 
