fix(api): properly refuse hostnames in special TLDs (MP-1287)

mdn · Jul 17, 2024 · ea315ba · ea315ba
1 parent e1d710d
commit ea315ba
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 2 deletions.
diff --git a/src/api/v2/utils.js b/src/api/v2/utils.js
@@ -43,10 +43,26 @@ export function isIp(hostname) {
  * @throws {InvalidHostNameIpError | InvalidHostNameError}
  */
 export async function validHostname(hostname) {
-  // No hostnames lacking a dot or something like localhost
+  // remove any trailing dot
+  hostname = hostname.replace(/\.$/, "");
   if (
     !hostname.includes(".") ||
-    hostname.includes("localhost") ||
+    hostname === "localhost" ||
+    // RFC 2606
+    hostname.endsWith(".test") ||
+    hostname.endsWith(".example") ||
+    hostname.endsWith(".invalid") ||
+    hostname.endsWith(".localhost") ||
+    // RFC 6761
+    // We allow these as they are valid domains and may be useful.
+    // hostname === "example.com" ||
+    // hostname.endsWith(".example.com") ||
+    // hostname === "example.net" ||
+    // hostname.endsWith(".example.net") ||
+    // hostname === "example.org" ||
+    // hostname.endsWith(".example.org") ||
+    // RFC 6762
+    hostname.endsWith(".local") ||
     hostname === ""
   ) {
     throw new InvalidHostNameError();

diff --git a/test/apiv2.test.js b/test/apiv2.test.js
@@ -120,6 +120,33 @@ describeOrSkip("API V2", function () {
     assert.equal(responseJson.error, "invalid-hostname-lookup");
   });
 
+  it("refuses to analyze special domains", async function () {
+    const app = await createServer();
+    const hosts = [
+      "test",
+      "foo.test",
+      "example",
+      "foo.example",
+      "invalid",
+      "foo.invalid",
+      "localhost",
+      "foo.localhost",
+      "local",
+      "foo.local",
+      "foo.local.",
+    ];
+    for (const host of hosts) {
+      const response = await app.inject({
+        method: "POST",
+        url: `/api/v2/analyze?host=${encodeURIComponent(host)}`,
+      });
+      assert.equal(response.statusCode, 422);
+      assert(response.body);
+      const responseJson = JSON.parse(response.body);
+      assert.equal(responseJson.error, "invalid-hostname");
+    }
+  });
+
   it("responds to GET /analyze of a known host", async function () {
     const app = await createServer();
     // create a scan first