Feat: Improved hostname validator #52
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
eldadfux
reviewed
Apr 14, 2022
| @@ -124,7 +120,7 @@ public function isValid(mixed $value): bool | |||
| } | |||
|
|
|||
| // If every section matched; allow | |||
| if($matchesAmount === \count($allowedSections)) { | |||
| if ($matchesAmount === \count($allowedSections)) { | |||
| return true; | |||
| } | |||
| } | |||
There was a problem hiding this comment.
I think the last line with return true might be risky, maybe we can use this PR to change it. If it return false, we can avoid the last return false; statement and minimize the code.
There was a problem hiding this comment.
The last return true is not regarding foreach, but regarding if. If no allowList is provided, return true. As soon as you go inside the if, it ends with a return false.
Anyway, I rewrote the method a little. The logic is still exactly the same, but instead of having scarry return true at the end, it is now under if statement to make the code cleaner. Please let me know if it looks better now.
There was a problem hiding this comment.
eldadfux
approved these changes
Apr 14, 2022
eldadfux
approved these changes
Apr 14, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Now we also allow
*orvercel.*as hostnames.Issue: appwrite/appwrite#2939
Inside Appwrite,
*is not actually returned as a header, instead, a specific domain is found and passed in the header. No need to worry about the security part, Apwrite handles it. Regarding "Secure by default", we can show noticeable alert saying*shouldn't be used for reasons of being lazy, instead, only if your project requires this configuration (for instance Wordpress plugin).Regarding
vercel.*, I don't think anyone would use it.. But that doesn't really matter we shouldn't support it if we can. I would say same as previous, could be insecure, but people are aware because they type it in.