diff --git a/policy/engine_test.go b/policy/engine_test.go index 1280d14da..e79d2d7aa 100644 --- a/policy/engine_test.go +++ b/policy/engine_test.go @@ -54,6 +54,20 @@ func TestNamePolicyEngine_matchDomainConstraint(t *testing.T) { want: false, wantErr: false, }, + { + name: "fail/empty-domain", + domain: "", + constraint: "host.example.com", + want: false, + wantErr: false, + }, + { + name: "fail/single-asterisk-domain", + domain: "*", + constraint: "host.example.com", + want: false, + wantErr: false, + }, { name: "fail/period-domain", domain: ".host.example.com", diff --git a/policy/validate.go b/policy/validate.go index 3ea42cc2b..aa2174a94 100644 --- a/policy/validate.go +++ b/policy/validate.go @@ -480,13 +480,18 @@ func (e *NamePolicyEngine) matchDomainConstraint(domain, constraint string) (boo return false, nil } + // An empty domain never matches a constraint. + if domain == "" { + return false, nil + } + // Block domains that start with just a period if domain[0] == '.' { return false, nil } // Block wildcard domains that don't start with exactly "*." (i.e. double wildcards and such) - if domain[0] == '*' && domain[1] != '.' { + if domain[0] == '*' && (len(domain) < 2 || domain[1] != '.') { return false, nil }