fix(proxy): normalize trailing-dot CONNECT hosts before policy evaluation#2248
fix(proxy): normalize trailing-dot CONNECT hosts before policy evaluation#2248letv1nnn wants to merge 1 commit into
Conversation
|
/ok to test 8384df5 |
8384df5 to
1544036
Compare
r3v5
left a comment
There was a problem hiding this comment.
PR: #2248
Author: letv1nnn (Artem Lytvyn)
Branch: 2201-normalize-trailing-dot-host -> main
Overview
Strips trailing dot from FQDN CONNECT hosts (e.g. api.example.com. → api.example.com) before policy evaluation, middleware selection, and credential matching. Fixes mismatches in K8s ndots:5 environments where dotted and undotted forms were treated as distinct hosts.
Key Design Decisions
- Normalize once, early (proxy.rs:613): Single normalize_connect_host() call right after parse_target(), so all downstream policy logic sees the clean hostname.
- Selective raw_host pass-through (proxy.rs:784, proxy.rs:837): resolve_and_check_trusted_gateway and resolve_and_check_allowed_ips still receive raw_host to preserve the ndots:5 DNS bypass
behavior.
Notable Code
crates/openshell-supervisor-network/src/proxy.rs:4546
fn normalize_connect_host(raw_host: &str) -> &str {
raw_host.strip_suffix('.').unwrap_or(raw_host)
}
Clean, zero-allocation — returns a sub-slice. Only strips one dot per RFC 1034.
1544036 to
0ae8014
Compare
|
/ok to test 0ae8014 |
|
Label |
|
Hosts need to be normalized in the forward-proxy path as well. Currently, non-CONNECT requests are dispatched prior to the normalization. I think if we duplicate the normalization for now that's ok. We're going to refactor the proxy and align CONNECT and non-CONNECT paths under the same code. But to merge this as-is we need to make sure we normalize for both pathways. |
|
Also need to normalize hostnames for hosts file ( |
…tion Signed-off-by: Artem Lytvyn <alytvyn@redhat.com>
0ae8014 to
6e09c21
Compare
Summary
Fixes inconsistent handling of trailing-dot hostnames (e.g. api.example.com.) in the sandbox supervisor's CONNECT proxy. Such hosts are valid RFC 1034 FQDNs used in Kubernetes
ndots:5environments to bypass search-domain expansion, but were treated as distinct from their undotted equivalents across policy evaluation, middleware selection, and credential matching.Related Issue
#2201
Changes
normalize_connect_host(raw_host: &str) -> &str {...}Testing
mise run pre-commitpassesChecklist