diff options
-rw-r--r-- | src/common/Policy.js | 27 | ||||
-rw-r--r-- | src/test/Policy_test.js | 8 |
2 files changed, 27 insertions, 8 deletions
diff --git a/src/common/Policy.js b/src/common/Policy.js index 674263a..71e6ff9 100644 --- a/src/common/Policy.js +++ b/src/common/Policy.js @@ -3,6 +3,7 @@ var {Permissions, Policy, Sites} = (() => { const SECURE_DOMAIN_PREFIX = "§:"; const SECURE_DOMAIN_RX = new RegExp(`^${SECURE_DOMAIN_PREFIX}`); const DOMAIN_RX = new RegExp(`(?:^\\w+://|${SECURE_DOMAIN_PREFIX})?([^/]*)`, "i"); + const IPV4_RX = /^(?:\d+\.){1,3}\d+/; const INTERNAL_SITE_RX = /^(?:(?:about|chrome|resource|(?:moz|chrome)-.*):|\[System)/; const VALID_SITE_RX = /^(?:(?:(?:(?:http|ftp|ws)s?|file):)(?:(?:\/\/)[\w\u0100-\uf000][\w\u0100-\uf000.-]*[\w\u0100-\uf000.](?:$|\/))?|[\w\u0100-\uf000][\w\u0100-\uf000.-]*[\w\u0100-\uf000]$)/; @@ -158,6 +159,7 @@ var {Permissions, Policy, Sites} = (() => { if (!hostname) return null; if (!tld.preserveFQDNs) hostname = tld.normalize(hostname); let secure = protocol === "https:"; + let isIPv4 = IPV4_RX.test(hostname); for (let domain = hostname;;) { if (this.has(domain)) { return domain; @@ -168,13 +170,24 @@ var {Permissions, Policy, Sites} = (() => { return ssDomain; } } - let dotPos = domain.indexOf("."); - if (dotPos === -1) { - break; - } - domain = domain.substring(dotPos + 1); // sub - if (!domain) { - break; + + if (isIPv4) { + // subnet shortcuts + let dotPos = domain.lastIndexOf("."); + if (!(dotPos > 3 || domain.indexOf(".") < dotPos)) { + break; // we want at least the 2 most significant bytes + } + domain = domain.substring(0, dotPos); + } else { + // (sub)domain matching + let dotPos = domain.indexOf("."); + if (dotPos === -1) { + break; + } + domain = domain.substring(dotPos + 1); // upper level + if (!domain) { + break; + } } } return null; diff --git a/src/test/Policy_test.js b/src/test/Policy_test.js index f658379..a0f92f3 100644 --- a/src/test/Policy_test.js +++ b/src/test/Policy_test.js @@ -7,6 +7,9 @@ p1.set("https://flashgot.net", p1.TRUSTED); p1.set("http://flashgot.net", p1.UNTRUSTED); p1.set("perchè.com", p1.TRUSTED); + p1.set("10", p1.TRUSTED); + p1.set("192.168", p1.TRUSTED); + p1.set("192.168.69", p1.UNTRUSTED) let p2 = new Policy(p1.dry()); debug("p1", JSON.stringify(p1.dry())); debug("p2", JSON.stringify(p2.dry())); @@ -23,7 +26,10 @@ () => !p1.can("http://secure.informaction.com"), () => p1.can("https://secure.informaction.com"), () => p1.can("https://www.secure.informaction.com"), + () => !p1.can("https://192.168.69.1"), + () => !p1.can("https://10.0.0.1"), + () => p1.can("http://192.168.1.2"), ]) Test.run(t); - + Test.report(); } |