GCLOUD: Bugfix: Incomplete regular expression for hostnames (#4111)

tlimoncelli · github-advanced-security[bot] · web-flow · commit faa7e4fa0995 · 2026-03-02T12:13:07.000-05:00
Potential fix for [https://github.com/StackExchange/dnscontrol/security/code-scanning/44](https://github.com/StackExchange/dnscontrol/security/code-scanning/44) To fix the problem, all literal dots in the hostname portion of the regex must be escaped so they are treated as literal periods instead of “any character”. Since the base URL is held in `selfLinkBasePath` and then concatenated into the regex, the best approach is to escape the dots in `selfLinkBasePath` at construction time (while keeping `/` and `:` unescaped), so that the resulting full regex behaves as intended and still clearly expresses the expected URL prefix. Concretely, in `providers/gcloud/gcloudProvider.go`, keep `selfLinkBasePath` as a normal string constant for use elsewhere, but when building `networkURLCheck`, wrap `selfLinkBasePath` with `regexp.QuoteMeta`. Then append the rest of the regex (project ID and network name parts) as before. `regexp.QuoteMeta(selfLinkBasePath)` will escape all regex metacharacters (including `.`), eliminating the over-permissive matching on the host, while preserving the intended matching of path structure and constraints on project/network names. No new imports are needed, since `regexp` is already imported. The only line to change is the definition of `networkURLCheck`. _Suggested fixes powered by Copilot Autofix. Review carefully before merging._ Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
diff --git a/providers/gcloud/gcloudProvider.go b/providers/gcloud/gcloudProvider.go
@@ -44,7 +44,7 @@ var features = providers.DocumentationNotes{
 
 var (
 	visibilityCheck  = regexp.MustCompile("^(public|private)$")
-	networkURLCheck  = regexp.MustCompile("^" + selfLinkBasePath + "[a-z][-a-z0-9]{4,28}[a-z0-9]/global/networks/[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")
+	networkURLCheck  = regexp.MustCompile("^" + regexp.QuoteMeta(selfLinkBasePath) + "[a-z][-a-z0-9]{4,28}[a-z0-9]/global/networks/[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")
 	networkNameCheck = regexp.MustCompile("^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")
 )
 

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ var features = providers.DocumentationNotes{`
`44`	`44`
`45`	`45`	`var (`
`46`	`46`	`visibilityCheck = regexp.MustCompile("^(public\|private)$")`
`47`		`- networkURLCheck = regexp.MustCompile("^" + selfLinkBasePath + "[a-z][-a-z0-9]{4,28}[a-z0-9]/global/networks/[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")`
	`47`	`+ networkURLCheck = regexp.MustCompile("^" + regexp.QuoteMeta(selfLinkBasePath) + "[a-z][-a-z0-9]{4,28}[a-z0-9]/global/networks/[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")`
`48`	`48`	`networkNameCheck = regexp.MustCompile("^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")`
`49`	`49`	`)`
`50`	`50`