```python
def _is_valid_host_pattern(pattern: str) -> bool:
    """Return True for safe host patterns: exact hostnames or ``*.suffix`` only.

    Rejects patterns like ``*github.com`` (which would match
    ``github.com.evil.com``) or multi-wildcard forms. Only these two
    forms are accepted:

    * ``example.com`` — exact hostname
    * ``*.example.com`` — leading ``*.`` wildcard; matches subdomains
      such as ``myorg.example.com`` but not ``example.com`` itself
    """
    if "*" not in pattern:
        return True  # exact hostname — already validated as non-empty
    # Only *.suffix is allowed; no other wildcard positions
    return pattern.startswith("*.") and "*" not in pattern[2:]


def load_auth_config(
```
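The following is an added example, not code from the project: it pairs a validator like the one above with a matcher that enforces the documented semantics, and compares the result against a naive `fnmatch` glob on constructed host/pattern pairs. The names `is_valid_host_pattern`, `host_matches` and `compare` are hypothetical, and the validator goes one step beyond the page's function by also rejecting an empty suffix such as `*.`.

```python
from fnmatch import fnmatchcase


def is_valid_host_pattern(pattern: str) -> bool:
    """Accept an exact hostname or a single leading '*.' wildcard.

    Stricter than the function above (an assumption of this example):
    the suffix after '*.' must also be non-empty, so '*.' is rejected.
    """
    if not pattern:
        return False
    if "*" not in pattern:
        return True
    suffix = pattern[2:]
    return pattern.startswith("*.") and "*" not in suffix and bool(suffix.strip("."))


def host_matches(host: str, pattern: str) -> bool:
    """Hypothetical matcher: exact compare, or suffix compare on a label boundary."""
    if not is_valid_host_pattern(pattern):
        return False  # fail closed on anything the validator rejects
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        dotted = pattern[1:]  # "*.example.com" -> ".example.com"
        # Require at least one character before the dot, so the bare
        # domain "example.com" does not match its own wildcard.
        return host.endswith(dotted) and len(host) > len(dotted)
    return host == pattern


def compare(host: str, pattern: str) -> tuple[bool, bool]:
    """Return (naive glob result, validated matcher result) for one pair."""
    return fnmatchcase(host, pattern), host_matches(host, pattern)


if __name__ == "__main__":
    # Constructed sample pairs, not taken from the project.
    for host, pattern in [
        ("myorg.example.com", "*.example.com"),
        ("example.com", "*.example.com"),
        ("evilgithub.com", "*github.com"),
        ("github.com.evil.com", "*.github.com"),
        ("api.github.com", "*.*.com"),
    ]:
        print(f"{host!r:24} {pattern!r:18} glob/validated = {compare(host, pattern)}")
```

Rows where the two results differ are the cases the validator exists for: the glob accepts the host, while the validated matcher refuses the pattern outright.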