add new domain validation api

nahsra · nahsra · commit b9c3f78233e1 · 2023-10-04T10:06:55.000-04:00
diff --git a/src/main/java/io/github/pixee/security/HostValidator.java b/src/main/java/io/github/pixee/security/HostValidator.java
@@ -47,4 +47,16 @@ public boolean isAllowed(final String host) {
   static HostValidator fromAllowedHostPattern(final Pattern allowPattern) {
     return new PatternBasedHostValidator(allowPattern);
   }
+
+    /**
+     * Return a {@link HostValidator} that will assure a given domain is within the allowed domain. For example, given
+     * a domain of "good.com", this validator will allow "good.com", "www.good.com", "internal.good.com", etc.
+     *
+     * @param domainName the domain to allow, e.g., "good.com", or "internal-host"
+     * @return a validator that will only allow hosts within the given domain space
+     */
+    static HostValidator fromAllowedHostDomain(final String domainName) {
+        Pattern p = Pattern.compile("(.*\\." + Pattern.quote(domainName) + "|" + Pattern.quote(domainName) +")");
+        return new PatternBasedHostValidator(p);
+    }
 }
diff --git a/src/test/java/io/github/pixee/security/UrlsTest.java b/src/test/java/io/github/pixee/security/UrlsTest.java
@@ -7,6 +7,7 @@
 
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.util.List;
 import java.util.regex.Pattern;
 import java.util.stream.Stream;
 import org.junit.jupiter.api.Test;
@@ -138,6 +139,21 @@ void it_disallows_bad_domains() throws MalformedURLException {
         () -> {
           Urls.create("https://evil.com/", setOf(UrlProtocol.HTTPS), allowsOnlyGoodDotCom);
         });
+
+    HostValidator allowsOnlyGoodDotComByDomainString = HostValidator.fromAllowedHostDomain("good.com");
+    Urls.create("https://good.com/", setOf(UrlProtocol.HTTPS), allowsOnlyGoodDotComByDomainString);
+    Urls.create("https://sub.good.com/", setOf(UrlProtocol.HTTPS), allowsOnlyGoodDotComByDomainString);
+    Urls.create("https://different-sub-123.good.com/", setOf(UrlProtocol.HTTPS), allowsOnlyGoodDotComByDomainString);
+    Urls.create("https://.good.com/", setOf(UrlProtocol.HTTPS), allowsOnlyGoodDotComByDomainString);
+
+    List.of("https://goodAcom/", "https://evil.com", "https://good.com.evil", "https://good.com.").stream().forEach(badDomain -> {
+      assertThrows(
+              SecurityException.class,
+              () -> {
+                Urls.create(badDomain, setOf(UrlProtocol.HTTPS), allowsOnlyGoodDotComByDomainString);
+              });
+    });
+
   }
 
   @Test
