Fix wildcard hostname matching to reject hostnames without dots (#14787)

matthewp · florian-lefebvre · web-flow · commit 0f75f6bc637d · 2025-11-17T10:18:27.000-05:00
* Fix wildcard hostname matching to reject hostnames without dots

* Update .changeset/fix-wildcard-hostname-matching.md

Co-authored-by: Florian Lefebvre &lt;contact@florian-lefebvre.dev&gt;

---------

Co-authored-by: Florian Lefebvre &lt;contact@florian-lefebvre.dev&gt;
diff --git a/.changeset/fix-wildcard-hostname-matching.md b/.changeset/fix-wildcard-hostname-matching.md
@@ -0,0 +1,8 @@
+---
+"astro": patch
+"@astrojs/internal-helpers": patch
+---
+
+Fixes wildcard hostname pattern matching to correctly reject hostnames without dots
+
+Previously, hostnames like `localhost` or other single-part names would incorrectly match patterns like `*.example.com`. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.
diff --git a/packages/astro/test/units/app/node.test.js b/packages/astro/test/units/app/node.test.js
@@ -119,6 +119,21 @@ describe('NodeApp', () => {
 				assert.equal(result.url, 'https://legitimate.example.com/');
 			});
 
+			it('rejects x-forwarded-host with no dots (e.g. localhost) against single wildcard pattern', () => {
+				const result = NodeApp.createRequest(
+					{
+						...mockNodeRequest,
+						headers: {
+							host: 'example.com',
+							'x-forwarded-host': 'localhost',
+						},
+					},
+					{ allowedDomains: [{ hostname: '*.victim.com' }] },
+				);
+				// localhost should not match *.victim.com, fallback to host header
+				assert.equal(result.url, 'https://example.com/');
+			});
+
 			it('rejects x-forwarded-host with path separator (path injection attempt)', () => {
 				const result = NodeApp.createRequest(
 					{
diff --git a/packages/astro/test/units/remote-pattern.test.js b/packages/astro/test/units/remote-pattern.test.js
@@ -58,6 +58,18 @@ describe('remote-pattern', () => {
 			assert.equal(matchHostname(url3, '**.astro.build', true), false);
 		});
 
+		it('rejects hostname without dots when using single wildcard (*.domain.com)', async () => {
+			// hostnames without dots (like localhost) should not match *.astro.build
+			const localhostUrl = new URL('http://localhost/');
+			assert.equal(matchHostname(localhostUrl, '*.astro.build', true), false);
+
+			const bareHostnameUrl = new URL('http://example/');
+			assert.equal(matchHostname(bareHostnameUrl, '*.victim.com', true), false);
+
+			const internalUrl = new URL('http://internal/');
+			assert.equal(matchHostname(internalUrl, '*.astro.build', true), false);
+		});
+
 		it('matches pathname (no wildcards)', async () => {
 			// undefined
 			assert.equal(matchPathname(url1), true);
diff --git a/packages/internal-helpers/src/remote.ts b/packages/internal-helpers/src/remote.ts
@@ -61,11 +61,14 @@ export function matchHostname(url: URL, hostname?: string, allowWildcard = false
 		return slicedHostname !== url.hostname && url.hostname.endsWith(slicedHostname);
 	} else if (hostname.startsWith('*.')) {
 		const slicedHostname = hostname.slice(1); // * length
-		const additionalSubdomains = url.hostname
-			.replace(slicedHostname, '')
-			.split('.')
-			.filter(Boolean);
-		return additionalSubdomains.length === 1;
+		// Check if url hostname ends with the base domain
+		if (!url.hostname.endsWith(slicedHostname)) {
+			return false;
+		}
+		// Extract the subdomain part (before the base domain, excluding the dot)
+		const subdomainWithDot = url.hostname.slice(0, -(slicedHostname.length - 1));
+		// Should be exactly one subdomain part followed by a dot
+		return subdomainWithDot.endsWith('.') && !subdomainWithDot.slice(0, -1).includes('.');
 	}
 
 	return false;
