From 95a4f61ae60aa586e7905028ed336aef448b712a Mon Sep 17 00:00:00 2001 From: kanywst Date: Thu, 18 Jun 2026 20:00:55 +0900 Subject: [PATCH] Fix name policy panic on empty or short domain --- policy/engine_test.go | 14 ++++++++++++++ policy/validate.go | 7 ++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/policy/engine_test.go b/policy/engine_test.go index 1280d14da..e79d2d7aa 100644 --- a/policy/engine_test.go +++ b/policy/engine_test.go @@ -54,6 +54,20 @@ func TestNamePolicyEngine_matchDomainConstraint(t *testing.T) { want: false, wantErr: false, }, + { + name: "fail/empty-domain", + domain: "", + constraint: "host.example.com", + want: false, + wantErr: false, + }, + { + name: "fail/single-asterisk-domain", + domain: "*", + constraint: "host.example.com", + want: false, + wantErr: false, + }, { name: "fail/period-domain", domain: ".host.example.com", diff --git a/policy/validate.go b/policy/validate.go index 3ea42cc2b..aa2174a94 100644 --- a/policy/validate.go +++ b/policy/validate.go @@ -480,13 +480,18 @@ func (e *NamePolicyEngine) matchDomainConstraint(domain, constraint string) (boo return false, nil } + // An empty domain never matches a constraint. + if domain == "" { + return false, nil + } + // Block domains that start with just a period if domain[0] == '.' { return false, nil } // Block wildcard domains that don't start with exactly "*." (i.e. double wildcards and such) - if domain[0] == '*' && domain[1] != '.' { + if domain[0] == '*' && (len(domain) < 2 || domain[1] != '.') { return false, nil }