didericis/bot-bottle
1
0
Fork 0
Code Issues 5 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

revert(egress-proxy): drop wildcard host support entirely
test / unit (pull_request) Successful in 17s
Details
test / integration (pull_request) Successful in 1m3s
Details

Browse Source 
The apex-vs-subdomain question, the cert/SNI mismatch when
pipelock-passthrough hosts have wildcard certs, and the
mirror-divergence corner cases stacked up faster than the feature
earned its keep. Going back to exact-host match only.

Addon (`match_route`): single pass, case-insensitive exact match.
`*.foo.com` in a route table is now a literal string that won't
match anything — operators that want subdomains declare them
individually.

Pipelock mirror (`_pipelock_safe_hosts`): silently drops hosts
that don't fit pipelock's `[A-Za-z0-9_.-]+` charset (wildcards,
IPv6 literals, stray chars). Previously normalised wildcards to
their suffix; now just drops them, which matches egress-proxy's
behavior of not matching them either.

8 wildcard test cases removed; 2 lightweight "wildcards are not
supported" assertions retained as documentation. 386 unit pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
didericis
2026-05-25 19:48:35 -04:00
parent 6177c0518e
commit 6c886200d9
4 changed files with 32 additions and 135 deletions
Download Patch File Download Diff File Expand all files Collapse all files
claude_bottle/egress_proxy_addon_core.py
+8 -28
View File
@@ -169,38 +169,18 @@ def match_route(
routes: typing.Sequence[Route],
request_host: str,
) -> Route | None:
"""Return the route whose `host` matches `request_host`.
"""Return the first route whose `host` matches `request_host`
exactly (case-insensitive). DNS names are case-insensitive.
Match precedence:
1. Exact (case-insensitive) match on the literal hostname.
2. Wildcard match: a route whose host starts with `*.` is a
suffix pattern that covers the apex AND every subdomain.
`*.example.com` matches `example.com`, `foo.example.com`,
and `a.b.example.com`, but NOT `barexample.com` (the
label boundary `.` is required when matching a
subdomain). This is intentionally more permissive than
RFC 6125 TLS-wildcard semantics — an allowlist's natural
reading of `*.example.com` is "all of example.com",
apex included, and matches what the pipelock mirror does
(strips `*.example.com` → `example.com`).
Exact match wins over wildcard so an operator can declare a
specific route on top of a broader wildcard (e.g. a
`*.github.com` bare-pass + an `api.github.com` route with
auth). DNS names are case-insensitive."""
Wildcard hosts (`*.foo.com`) are NOT supported — they caused
too many edge cases (apex match? cert validation? pipelock
mirror mismatch?) for too little payoff. Operators that need
multiple subdomains declare them individually (or one common
parent host as a bare-pass route)."""
target = request_host.lower()
# Pass 1: exact, literal hostname match.
for r in routes:
host = r.host.lower()
if not host.startswith("*.") and host == target:
if r.host.lower() == target:
return r
# Pass 2: wildcard match — apex + every subdomain.
for r in routes:
host = r.host.lower()
if host.startswith("*."):
suffix = host[2:] # strip the `*.`
if target == suffix or target.endswith("." + suffix):
return r
return None