wkcaj/safecurl

Vulnerability: Domain whitelist/blacklist checking is done via regex, can be bypassed

justinsteven opened this issue · 1 comments

// For domains, a regex match is needed
if ($type == 'domain') {
    foreach ($this->{$list}[$type] as $domain) {
        // $domain is interpolated into the pattern unescaped, so any regex
        // metacharacters it contains (notably '.') keep their special meaning
        if (preg_match('/^' . $domain . '$/i', $value)) {
            return true;
        }
    }
}

This is presumably to make the matching case-insensitive.

It introduces a bypass, in that each blacklisted/whitelisted domain name is treated as a regex. Domains almost always include the . character which is a regex metacharacter.

For example, a domain whitelist of ['accounts.google.com'] would allow requests to https://accountszgoogle.com.
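
The bypass and a literal-comparison alternative, as an added example that is not part of this issue or of the safecurl code base. It is written in Python rather than PHP; `matches_vulnerable` mirrors the unescaped `preg_match` logic above, while `matches_fixed` and `matches_fixed_regex` are assumed hardened variants (the `allow_subdomains` option goes beyond the report to cover the "company.com" matching "subdomain.company.com" behaviour mentioned in the thread).

```python
import re

# Constructed whitelist for the demonstration (not from the project).
WHITELIST = ["accounts.google.com"]


def matches_vulnerable(whitelist, host):
    """Mirrors the original check: the list entry is dropped into a regex
    unescaped, so '.' matches any single character."""
    for domain in whitelist:
        if re.match("^" + domain + "$", host, re.IGNORECASE):
            return True
    return False


def matches_fixed(whitelist, host, allow_subdomains=False):
    """Hardened check: compare hostnames literally and case-insensitively.
    No regex is built from list entries, so metacharacters in an entry
    cannot widen what it matches. Optionally accept subdomains of an entry,
    requiring a '.' boundary so 'evilcompany.com' does not match 'company.com'."""
    host = host.lower().rstrip(".")
    for domain in whitelist:
        domain = domain.lower().rstrip(".")
        if host == domain:
            return True
        if allow_subdomains and host.endswith("." + domain):
            return True
    return False


def matches_fixed_regex(whitelist, host):
    """Same shape as the original regex approach, but the entry is escaped
    so it matches only itself."""
    for domain in whitelist:
        if re.match("^" + re.escape(domain) + "$", host, re.IGNORECASE):
            return True
    return False


if __name__ == "__main__":
    for host in ("accounts.google.com", "accountszgoogle.com",
                 "ACCOUNTS.GOOGLE.COM", "login.accounts.google.com"):
        print(host,
              matches_vulnerable(WHITELIST, host),
              matches_fixed(WHITELIST, host),
              matches_fixed(WHITELIST, host, allow_subdomains=True))
```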

Ahh this is a duplicate of #7 :(

I see in #7 you wanted the ability for a developer to whitelist "company.com" and have it match "subdomain.company.com". My fix in #25 does not do this - but nor does the original code, so no harm done.