Skip to content

PYTHON-5814 Configurable DNS domain validation for SRV records#2903

Merged
sleepyStick merged 12 commits into
mongodb:PYTHON-5814from
sleepyStick:PYTHON-5814
Jun 30, 2026
Merged

PYTHON-5814 Configurable DNS domain validation for SRV records#2903
sleepyStick merged 12 commits into
mongodb:PYTHON-5814from
sleepyStick:PYTHON-5814

Conversation

@sleepyStick

@sleepyStick sleepyStick commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

PYTHON-5814

Changes in this PR

THIS IS THE SAME PR AS #2868 BUT THIS ONE MERGES TO A BRANCH OF MAIN AND NOT MAIN ITSELF!! THE OTHER PR IS FOR MAIN AND WILL BE ADDRESSED LATER

  • add srvAllowedHostsSuffix param

Test Plan

Checklist

Checklist for Author

  • Did you update the changelog (if necessary)?
  • Is there test coverage?
  • Is any followup work tracked in a JIRA ticket? If so, add link(s).

Checklist for Reviewer

  • Does the title of the PR reference a JIRA Ticket?
  • Do you fully understand the implementation? (Would you be comfortable explaining how this code works to someone else?)
  • Is all relevant documentation (README or docstring) updated?

@sleepyStick sleepyStick changed the title Python 5814 PYTHON-5814 Configurable DNS domain validation for SRV records Jun 29, 2026
@sleepyStick sleepyStick marked this pull request as ready for review June 29, 2026 22:59
@sleepyStick sleepyStick requested a review from a team as a code owner June 29, 2026 22:59
@sleepyStick sleepyStick requested review from NoahStapp and removed request for a team June 29, 2026 22:59
Comment thread .pre-commit-config.yaml
# - test/versioned-api/crud-api-version-1-strict.json:514: nin ==> inn, min, bin, nine
# - test/test_client.py:188: te ==> the, be, we, to
args: ["-L", "fle,fo,infinit,isnt,nin,te,aks"]
exclude: ^pymongo/public_suffix_list\.dat$

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

psl is full of mostly not words,,, checking it raises lots of "typos" but aren't actually typos lol

@sleepyStick sleepyStick requested review from aclark4life and removed request for NoahStapp June 29, 2026 23:05

@Jibola Jibola left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have a few comments, but things otherwise look good.

@@ -0,0 +1,6 @@
{
"uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=test.build.10gen.cc",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May be a dumb question; what's the mismatch here?

@sleepyStick sleepyStick Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the comment on the equivalent yml file would say "# DNS record for test12.test.build.10gen.cc returns localhost.build.10gen.cc which would not match test.build.10gen.cc" (obv that's in review on the drivers PR but yeah)

Comment thread pymongo/_psl.py
from pathlib import Path


def _load_public_suffixes() -> tuple[set[str], set[str], set[str]]:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could be a good idea to do a simple cache this information so that it doesn't do a full file read each time we check for a public suffix.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh good call, done in (7902127)

srv_allowed_hosts_suffix: Optional[str] = None,
):
self.__fqdn = fqdn
self.__fqdn = fqdn.lower()

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this lower call necessary? I don't see anywhere that mutates or calls self.__fqdn that has been changed by the newly introduced logic.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

errr not necessary, i think my bot(s) noticed it an existing bug -- because I added a test case about case insensitivity for the new parameter i'm introducing -- for example if a user passed in a URI like "mongodb+srv://test1.TEST.BUILD.10GEN.CC/" instead of "mongodb+srv://test1.test.build.10gen.cc/" the current logic (without the lower) would have this not connect. (i can undo the change if we wanted to tackle this problem separately or add a test to solidify it if we're okay with doing it here -- sorry it slipped my mind to explain it when i was putting up the PR)

Comment thread pymongo/asynchronous/mongo_client.py Outdated
Comment on lines +453 to +464
- `srvAllowedHostsSuffix`: (string) Overrides the default requirement that
hosts returned by SRV DNS records share the same parent domain as the seed
hostname. When set, the driver accepts any returned host whose name ends
with this suffix (e.g. ``".atlas.mongodb.com"``). The value must contain
at least two labels and must not be a public suffix (per the Public Suffix
List). Only valid with ``mongodb+srv://`` URIs.

.. warning::

This option relaxes a built-in DNS spoofing safeguard. Use the most
specific suffix possible for your deployment rather than a broad
company-wide domain.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add an example of a good configuration just so the users can have an explicit understanding of what to do?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done in c8f8c9f!

@sleepyStick sleepyStick requested a review from Jibola June 30, 2026 05:05
@sleepyStick sleepyStick merged commit a9cf1de into mongodb:PYTHON-5814 Jun 30, 2026
116 of 117 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants