
Commit a19d5e6

committed
fix(7477): OIDC host allowlist fix
1 parent c2263a0 commit a19d5e6


2 files changed

+34
-5
lines changed


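--- a/src/utils.ts
+++ b/src/utils.ts
@@ -83,13 +83,27 @@ export function isUint8Array(value: unknown): value is Uint8Array {
  */
 export function hostMatchesWildcards(host: string, wildcards: string[]): boolean {
   for (const wildcard of wildcards) {
-    if (
-      host === wildcard ||
-      (wildcard.startsWith('*.') && host?.endsWith(wildcard.substring(2, wildcard.length))) ||
-      (wildcard.startsWith('*/') && host?.endsWith(wildcard.substring(2, wildcard.length)))
-    ) {
+    // Exact match always wins
+    if (host === wildcard) {
       return true;
     }
+
+    // Wildcard match with leading *.
+    if (wildcard.startsWith('*.')) {
+      const suffix = wildcard.substring(2);
+      // Exact match or strict subdomain match
+      if (host === suffix || host.endsWith(`.${suffix}`)) {
+        return true;
+      }
+    }
+    // Wildcard match with leading */
+    if (wildcard.startsWith('*/')) {
+      const suffix = wildcard.substring(2);
+      // Exact match or strict subpath match
+      if (host === suffix || host.endsWith(`/${suffix}`)) {
+        return true;
+      }
+    }
   }
   return false;
 }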
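Review bot: The rewrite drops the `?.` that the removed lines used on `host` (`host?.endsWith(...)`), so a nullish `host` now throws a TypeError at `host.endsWith` in the `*.` and `*/` branches instead of falling through to `return false`. The `string` type on the parameter suggests callers never pass null, but if that optional chaining was guarding a real caller, a guard at the top of the function keeps the old behaviour: `if (host == null) return false;`. A bare `*.` or `*/` allowlist entry also yields an empty `suffix`, in which case `host.endsWith('.')` / `host.endsWith('/')` accepts any host with a trailing `.` or `/`; `if (suffix.length === 0) continue;` after each `substring(2)` rejects such entries. The comparison is case-sensitive on both sides, which for DNS names means a differently-cased host fails to match (fail-closed); stating that in the doc comment above the function would make the contract explicit.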

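--- a/test/unit/utils.test.ts
+++ b/test/unit/utils.test.ts
@@ -148,6 +148,13 @@ describe('driver utils', function () {
       });
     });
 
+    context('when the wildcard starts with *.', function () {
+      it('returns false', function () {
+        expect(hostMatchesWildcards('test-mongodb.com', ['*.mongodb.com', 'test2'])).to.be
+          .false;
+      });
+    });
+
     context('when the host matches a FQDN', function () {
       it('returns true', function () {
         expect(hostMatchesWildcards('mongodb.net', ['*.mongodb.net', 'other'])).to.be.true;
@@ -221,6 +228,14 @@ describe('driver utils', function () {
           .to.be.false;
       });
     });
+
+    context('when the host does not match partial matches', function () {
+      it('returns false', function () {
+        expect(
+          hostMatchesWildcards('/tmp/test-mongodb-27017.sock', ['*/mongodb-27017.sock', 'test2'])
+        ).to.be.false;
+      });
+    });
   });
 });
 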
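Review bot: The new context label `'when the wildcard starts with *.'` does not say what distinguishes this case from the neighbouring `*.` contexts (the FQDN case right below also uses a `*.` wildcard); the scenario being pinned is a host that shares the suffix without a `.` boundary. Renaming it to `context('when the host only partially matches a *. wildcard suffix', function () {` makes the regression it guards readable from the test output. The second hunk's label `'when the host does not match partial matches'` has the same problem and reads awkwardly; `context('when the host only partially matches a */ wildcard suffix', function () {` parallels the first.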
