
fix(NODE-7478): OIDC host allowlist fix#4905

Merged
PavelSafronov merged 1 commit into main from NODE-7478 on Mar 30, 2026

Conversation

@PavelSafronov
Contributor

Description

Release Highlight

Tighten OIDC ALLOWED_HOSTS wildcard matching

The OIDC ALLOWED_HOSTS wildcard handling has been fixed to require full subdomain/path matches for *. and */ entries, preventing partial suffix matches from being incorrectly accepted.

Double check the following

  • Lint is passing (npm run check:lint)
  • Self-review completed using the steps outlined here
  • PR title follows the correct format: type(NODE-xxxx)[!]: description
    • Example: feat(NODE-1234)!: rewriting everything in coffeescript
  • Changes are covered by tests
  • New TODOs have a related JIRA ticket

@PavelSafronov PavelSafronov marked this pull request as ready for review March 23, 2026 22:04
@PavelSafronov PavelSafronov requested a review from a team as a code owner March 23, 2026 22:04
Copilot AI review requested due to automatic review settings March 23, 2026 22:04
Contributor

Copilot AI left a comment


Pull request overview

This PR tightens OIDC ALLOWED_HOSTS wildcard matching to prevent accidental acceptance of partial suffix/path matches, improving the correctness of the OIDC host allowlist validation used during client connection.

Changes:

  • Updated hostMatchesWildcards to require boundary-aware matches for *. (subdomain) and */ (subpath) wildcards.
  • Added unit tests to cover the newly-disallowed partial matches, including coverage against DEFAULT_ALLOWED_HOSTS.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Files:
  • src/utils.ts: implements stricter wildcard matching rules for domain and unix-socket patterns.
  • test/unit/utils.test.ts: adds regression tests ensuring partial suffix/path matches are rejected, including default OIDC allowlist patterns.


@tadjik1 tadjik1 self-assigned this Mar 26, 2026
@tadjik1 tadjik1 added the Primary Review In Review with primary reviewer, not yet ready for team's eyes label Mar 26, 2026
Member

@tadjik1 tadjik1 left a comment


thanks @PavelSafronov! I will merge this PR after npm fix

@tadjik1 tadjik1 added the Blocked Blocked on other work label Mar 27, 2026
@PavelSafronov PavelSafronov merged commit f36b754 into main Mar 30, 2026
34 checks passed
@PavelSafronov PavelSafronov deleted the NODE-7478 branch March 30, 2026 21:16
@dariakp dariakp removed the Blocked Blocked on other work label Mar 30, 2026