fix(egress-proxy-addon): wildcard hosts also match the apex
`*.example.com` now matches `example.com` itself in addition to
every subdomain. RFC 6125 TLS-wildcard semantics excluded the
apex; an allowlist's natural reading of `*.example.com` is "all
of example.com" — and the pipelock mirror already strips
`*.example.com` to `example.com`, so without the apex match the
two layers disagreed (pipelock allowed the apex, egress-proxy
blocked it).
Behavior:
- `*.example.com` matches `example.com` (apex)
- `*.example.com` matches `foo.example.com` (subdomain)
- `*.example.com` matches `a.b.example.com` (nested)
- `*.example.com` does NOT match `barexample.com` (label
boundary required)
Test renamed: `test_wildcard_does_not_match_apex` →
`test_wildcard_matches_apex`. 395 tests pass.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -162,9 +162,13 @@ class TestMatchRouteWildcards(unittest.TestCase):
|
||||
routes = (Route(host="*.example.com"),)
|
||||
self.assertIsNotNone(match_route(routes, "a.b.example.com"))
|
||||
|
||||
def test_wildcard_does_not_match_apex(self):
|
||||
def test_wildcard_matches_apex(self):
|
||||
# Allowlist semantics: `*.example.com` covers
|
||||
# `example.com` itself + every subdomain. Matches what
|
||||
# the pipelock mirror does (strips `*.example.com` →
|
||||
# `example.com`) so the two layers agree.
|
||||
routes = (Route(host="*.example.com"),)
|
||||
self.assertIsNone(match_route(routes, "example.com"))
|
||||
self.assertIsNotNone(match_route(routes, "example.com"))
|
||||
|
||||
def test_wildcard_does_not_match_overlapping_suffix(self):
|
||||
# `*.example.com` shouldn't match `barexample.com` — the
|
||||
|
||||
Reference in New Issue
Block a user