fix: guard malformed domains before xray dns routing

x0sina · x0sina · commit c96860c7fd1a · 2026-05-28T01:45:34.000+03:30
diff --git a/backend/xray/config.go b/backend/xray/config.go
@@ -428,6 +428,9 @@ func filterRules(rules []json.RawMessage, apiTag string) ([]json.RawMessage, err
 		if outboundTagValue, ok := obj["outboundTag"].(string); ok && outboundTagValue == apiTag {
 			continue
 		}
+		if ruleTagValue, ok := obj["ruleTag"].(string); ok && ruleTagValue == malformedDomainGuardRuleTag {
+			continue
+		}
 
 		filtered = append(filtered, raw)
 	}
@@ -603,6 +606,48 @@ func (c *Config) outboundProtocolByTag() map[string]string {
 	return out
 }
 
+const malformedDomainGuardRuleTag = "PG_NODE_MALFORMED_DOMAIN_GUARD"
+
+func (c *Config) blackholeOutboundTag() string {
+	protocolByTag := c.outboundProtocolByTag()
+	if len(protocolByTag) == 0 {
+		return ""
+	}
+
+	tags := make([]string, 0, len(protocolByTag))
+	for tag := range protocolByTag {
+		tags = append(tags, tag)
+	}
+	sort.Strings(tags)
+
+	for _, tag := range tags {
+		if strings.EqualFold(protocolByTag[tag], "blackhole") {
+			return tag
+		}
+	}
+
+	return ""
+}
+
+func malformedDomainGuardRule(outboundTag string) (json.RawMessage, error) {
+	rule := map[string]any{
+		"domain": []string{
+			"regexp:^.{254,}$",
+			"regexp:(^|\\.)[^.]{64,}(\\.|$)",
+		},
+		"outboundTag": outboundTag,
+		"ruleTag":     malformedDomainGuardRuleTag,
+		"type":        "field",
+	}
+
+	rawBytes, err := json.Marshal(rule)
+	if err != nil {
+		return nil, err
+	}
+
+	return json.RawMessage(rawBytes), nil
+}
+
 var observatoryExcludedProtocols = map[string]struct{}{
 	"blackhole": {},
 	"dns":       {},
@@ -711,7 +756,16 @@ func (c *Config) ApplyAPI(apiPort, metricPort int) (err error) {
 
 	newRaw := json.RawMessage(rawBytes)
 
-	c.RouterConfig.RuleList = append([]json.RawMessage{newRaw}, c.RouterConfig.RuleList...)
+	prependRules := []json.RawMessage{newRaw}
+	if blockTag := c.blackholeOutboundTag(); blockTag != "" {
+		guardRaw, err := malformedDomainGuardRule(blockTag)
+		if err != nil {
+			return err
+		}
+		prependRules = append(prependRules, guardRaw)
+	}
+
+	c.RouterConfig.RuleList = append(prependRules, c.RouterConfig.RuleList...)
 
 	return nil
 }
diff --git a/backend/xray/latency_test.go b/backend/xray/latency_test.go
@@ -1,6 +1,12 @@
 package xray
 
-import "testing"
+import (
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"github.com/xtls/xray-core/infra/conf"
+)
 
 func TestShouldIncludeObservatoryOutbound(t *testing.T) {
 	protocolByTag := map[string]string{
@@ -58,3 +64,63 @@ func TestApplyAPISanitizesObservatorySelectors(t *testing.T) {
 		t.Fatalf("unexpected burst observatory selectors: %#v", burst)
 	}
 }
+
+func TestApplyAPIAddsMalformedDomainGuardWhenBlackholeExists(t *testing.T) {
+	cfg := &Config{
+		InboundConfigs: []*Inbound{},
+		OutboundConfigs: []any{
+			map[string]any{"tag": "direct", "protocol": "freedom"},
+			map[string]any{"tag": "Block", "protocol": "blackhole"},
+		},
+	}
+
+	if err := cfg.ApplyAPI(10001, 10002); err != nil {
+		t.Fatal(err)
+	}
+
+	if len(cfg.RouterConfig.RuleList) < 2 {
+		t.Fatalf("expected API and malformed-domain guard rules, got %d", len(cfg.RouterConfig.RuleList))
+	}
+
+	rule := string(cfg.RouterConfig.RuleList[1])
+	if !containsAll(rule, malformedDomainGuardRuleTag, `"outboundTag":"Block"`, `regexp:^.{254,}$`) {
+		t.Fatalf("unexpected malformed-domain guard rule: %s", rule)
+	}
+}
+
+func TestApplyAPIRemovesExistingMalformedDomainGuard(t *testing.T) {
+	cfg := &Config{
+		InboundConfigs: []*Inbound{},
+		OutboundConfigs: []any{
+			map[string]any{"tag": "Block", "protocol": "blackhole"},
+		},
+		RouterConfig: &conf.RouterConfig{
+			RuleList: []json.RawMessage{
+				json.RawMessage(`{"type":"field","ruleTag":"PG_NODE_MALFORMED_DOMAIN_GUARD","outboundTag":"old","domain":["regexp:^.{254,}$"]}`),
+			},
+		},
+	}
+
+	if err := cfg.ApplyAPI(10001, 10002); err != nil {
+		t.Fatal(err)
+	}
+
+	count := 0
+	for _, raw := range cfg.RouterConfig.RuleList {
+		if strings.Contains(string(raw), malformedDomainGuardRuleTag) {
+			count++
+		}
+	}
+	if count != 1 {
+		t.Fatalf("expected one malformed-domain guard rule, got %d", count)
+	}
+}
+
+func containsAll(s string, values ...string) bool {
+	for _, value := range values {
+		if !strings.Contains(s, value) {
+			return false
+		}
+	}
+	return true
+}
