Skip to content

Fix domain validation regex rejecting consecutive hyphenated subdomain labels#221

Merged
ssl merged 2 commits into
masterfrom
copilot/fix-double-hyphen-denylist
Jul 8, 2026
Merged

Fix domain validation regex rejecting consecutive hyphenated subdomain labels#221
ssl merged 2 commits into
masterfrom
copilot/fix-double-hyphen-denylist

Conversation

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

The denylist/allowlist domain validator incorrectly rejects domains where hyphens appear in two different subdomain labels (e.g. something-one.something-two.sub.root.com), while accepting hyphens within a single label (e.g. something.something-one-two.sub.root.com).

Root cause

The regex in Payload::setList() had a flawed structure that interleaved "hyphenated label" and "non-hyphenated label" matchers:

(hyphenated-label.)? non-hyphenated-label (. (hyphenated-label.)? non-hyphenated-label)*

After consuming something-one. as the leading hyphenated label, the next segment required a hyphen-free label — causing something-two to fail at its hyphen.

Fix

Replace the complex regex with a straightforward per-label pattern that uniformly handles all labels regardless of position:

// Before
'/^(?:(?:(?!\*)[a-zA-Z\d][a-zA-Z\d\-*]{0,61})?[a-zA-Z\d]\.){0,1}(?!\d+)(?!.*\*\*)[a-zA-Z\d*]{1,63}(?:\.(?:(?:(?!\*)[a-zA-Z\d][a-zA-Z\d\-*]{0,61})?[a-zA-Z\d]\.){0,1}(?!\d+)(?!.*\*\*)[a-zA-Z\d*]{1,63})*$/'

// After
'/^(?!.*\*\*)(?:[a-zA-Z\d*](?:[a-zA-Z\d\-*]{0,61}[a-zA-Z\d*])?\.)*[a-zA-Z\d*](?:[a-zA-Z\d\-*]{0,61}[a-zA-Z\d*])?$/'

Each label must start and end with an alphanumeric or * (no leading/trailing hyphens), with hyphens and wildcards permitted in the middle. Double wildcards (**) remain prohibited.

Copilot AI assigned Copilot and ssl Jul 8, 2026
Copilot AI linked an issue Jul 8, 2026 that may be closed by this pull request
Copilot AI changed the title [WIP] Fix double-hyphen issue in subdomain denylist Fix domain validation regex rejecting consecutive hyphenated subdomain labels Jul 8, 2026
Copilot AI requested a review from ssl July 8, 2026 08:37
Copilot finished work on behalf of ssl July 8, 2026 08:37
@ssl ssl marked this pull request as ready for review July 8, 2026 08:40
@ssl ssl requested a review from Copilot July 8, 2026 08:40

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the allowlist/denylist domain validation in Payload::setList() to stop rejecting domains that contain hyphens in multiple different subdomain labels (e.g., something-one.something-two.sub.root.com) by replacing the previous complex, position-dependent regex with a simpler per-label pattern.

Changes:

  • Replaced the domain-validation regex used when adding allowlisted/denylisted domains.
  • Normalized validation to apply the same label rules at every dot-separated label position (including hyphen handling) while still disallowing **.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.


// Validate domain string
if (!preg_match('/^(?:(?:(?!\*)[a-zA-Z\d][a-zA-Z\d\-*]{0,61})?[a-zA-Z\d]\.){0,1}(?!\d+)(?!.*\*\*)[a-zA-Z\d*]{1,63}(?:\.(?:(?:(?!\*)[a-zA-Z\d][a-zA-Z\d\-*]{0,61})?[a-zA-Z\d]\.){0,1}(?!\d+)(?!.*\*\*)[a-zA-Z\d*]{1,63})*$/', $domain)) {
if (!preg_match('/^(?!.*\*\*)(?:[a-zA-Z\d*](?:[a-zA-Z\d\-*]{0,61}[a-zA-Z\d*])?\.)*[a-zA-Z\d*](?:[a-zA-Z\d\-*]{0,61}[a-zA-Z\d*])?$/', $domain)) {
@ssl ssl merged commit 0a56f7a into master Jul 8, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

double-hypen in subdomain disallowed for denylist

3 participants