Skip to content

Improve Domain Pattern Matching with Flexible Wildcard Support #250

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

Improve Domain Pattern Matching with Flexible Wildcard Support #250

wants to merge 3 commits into from

Conversation

shubh-stripe
Copy link

@shubh-stripe shubh-stripe commented Jun 5, 2025
edited
Loading

Summary

This PR improves the security of domain pattern matching in Smokescreen by implementing more flexible wildcard validation rules. The changes allow multiple wildcards in domain patterns while maintaining strong security boundaries to prevent overly broad matches.

Core Logic Changes

1. Changed Domain Validation (pkg/smokescreen/acl/v1/acl.go)

  • Flexible multiple wildcard support: Allow multiple wildcards as long as there's at least one non-wildcard component before the TLD

2. Improved Pattern Matching (pkg/smokescreen/acl/v1/acl.go)

  • Backward compatibility maintained: Leading wildcard patterns like *.example.com continue to work exactly as before
  • Enhanced multiple wildcard handling: Patterns like *.*.example.com and api.*.service.*.com now work correctly

3. Comprehensive Test Coverage (pkg/smokescreen/acl/v1/acl_test.go)

  • Updated validation tests: Modified TestACLAddInvalidGlob to reflect new validation rules

4. Documentation Updates (README.md)

  • Clarified wildcard rules: Updated documentation to explain the new flexible wildcard support

Examples of New Supported Patterns

Now Allowed:

allowed_domains:
  - "*.*.example.com"           # Multiple wildcards with specific domain
  - "api.*.service.*.com"       # Multiple wildcards with specific components
  - "*.subdomain.*.example.org" # Mixed wildcard and specific components

Still Blocked (Security):

# These remain blocked for security reasons
- "*.*.com"        # No specific domain component before TLD
- "example.*"      # Wildcard TLD patterns
- "*.*"           # Matches everything
- "*.service.*"   # Wildcard TLD with service component

Downstream Impact

Backward Compatible Changes

  • Existing single wildcard patterns: All existing patterns like *.example.com continue to work unchanged
  • Existing exact matches: No impact on exact domain matches
  • Existing validation: Previously valid patterns remain valid

@shubh-stripe shubh-stripe requested a review from Copilot June 5, 2025 10:59
Copilot
Copilot AI reviewed Jun 5, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances domain glob support by allowing multiple wildcards under controlled rules, updates matching logic to handle these patterns, and brings tests and documentation in line with the new behavior.

  • Extend ValidateDomainGlob to permit multiple wildcards while enforcing at least one concrete component before the TLD.
  • Rewrite HostMatchesGlob with a component-based recursive matcher for flexible wildcards.
  • Update tests in acl_test.go and documentation in README.md to cover and describe the new wildcard rules.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
pkg/smokescreen/acl/v1/acl.go Adjusted ValidateDomainGlob rules and rewrote HostMatchesGlob to use matchComponents.
pkg/smokescreen/acl/v1/acl_test.go Updated invalid-glob tests, added valid-glob suite, and imported fmt.
README.md Expanded supported patterns section with examples and security restrictions.
Comments suppressed due to low confidence (3)

pkg/smokescreen/acl/v1/acl.go:259

  • The top-level comment still mentions a single restriction (‘Globs must include text after a wildcard’) that doesn’t fully describe the new flexible wildcard rules. Consider rewriting this section to list the new behavior: complete-component wildcards, multiple wildcards allowed with one concrete component before the TLD, and prohibition of TLD wildcards.
// Globs must include text after a wildcard.

pkg/smokescreen/acl/v1/acl.go:262

  • The empty-glob error is returned as fmt.Errorf("glob cannot be empty"), but other errors include the service and glob in their prefix. To keep error formats consistent, consider changing this to fmt.Errorf("%v: %v: glob cannot be empty", svc, glob).
if glob == "" {

pkg/smokescreen/acl/v1/acl_test.go:246

  • Add a test case for an empty glob ("") to verify that ValidateDomainGlob rejects it with the expected "glob cannot be empty" error.
"matches everything (*)": {

@coveralls
Copy link

coveralls commented Jun 5, 2025
edited
Loading

Pull Request Test Coverage Report for Build 15465478785

Details

  • 98 of 105 (93.33%) changed or added relevant lines in 1 file are covered.
  • 1 unchanged line in 1 file lost coverage.
  • Overall coverage increased (+1.3%) to 55.804%
Changes Missing Coverage Covered Lines Changed/Added Lines %
pkg/smokescreen/acl/v1/acl.go 98 105 93.33%
Files with Coverage Reduction New Missed Lines %
pkg/smokescreen/acl/v1/acl.go 1 91.9%
Totals Coverage Status
Change from base Build 15140421631: 1.3%
Covered Lines: 1524
Relevant Lines: 2731
💛 - Coveralls

@shubh-stripe shubh-stripe marked this pull request as draft June 5, 2025 11:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@shubh-stripe @coveralls