Reject non-FQDN SNI values (#129)

Fixes #128 this is generated by copilot. needs manual review --- For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/mosajjal/sniproxy/issues/128?shareId=XXXX-XXXX-XXXX-XXXX).
mosajjal · Sep 18, 2024 · ff2e1f2 · ff2e1f2
1 parent 733a094
commit ff2e1f2
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/pkg/https.go b/pkg/https.go
@@ -50,6 +50,11 @@ func handleTLS(c *Config, conn net.Conn, httpslog zerolog.Logger) error {
 		httpslog.Err(err)
 		return err
 	}
+	if !isValidFQDN(sni) {
+		httpslog.Warn().Msgf("Invalid SNI: %s", sni)
+		conn.Close()
+		return nil
+	}
 	connInfo := acl.ConnInfo{
 		SrcIP:  conn.RemoteAddr(),
 		Domain: sni,

diff --git a/pkg/https_sni.go b/pkg/https_sni.go
@@ -14,7 +14,10 @@
 
 package sniproxy
 
-import "fmt"
+import (
+	"fmt"
+	"regexp"
+)
 
 var tlsHeaderLength = 5
 
@@ -147,4 +150,11 @@ func getExtensionBlock(data []byte) ([]byte, error) {
 	return data[index:], nil
 }
 
+// isValidFQDN validates if the given hostname is a valid FQDN
+func isValidFQDN(hostname string) bool {
+	// Regular expression to match a valid FQDN
+	var fqdnRegex = regexp.MustCompile(`^(?i:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{2,})$`)
+	return fqdnRegex.MatchString(hostname)
+}
+
 // vim: foldmethod=marker