feat: make rulesengine stricter

Author: evgeniy-scherbina

rulesengine/engine.go

@@ -76,26 +76,80 @@ func (re *Engine) matches(r Rule, method, url string) bool {
 	}
 
 	if r.HostPattern != nil {
-		// For a host pattern to match, every label has to match or be an `*`.
-		// Subdomains also match automatically, meaning if the pattern is "example.com"
-		// and the real is "api.example.com", it should match. We check this by comparing
-		// from the end of the actual hostname with the pattern (which is in normal order).
+		// Host matching is now strict:
+		// - "github.com" matches ONLY "github.com" (exact match, no subdomains)
+		// - "*.github.com" matches ONLY subdomains like "api.github.com" (not the base domain)
+		// - To allow both, specify: "github.com, *.github.com"
 
 		labels := strings.Split(parsedUrl.Hostname(), ".")
 
-		// If the host pattern is longer than the actual host, it's definitely not a match
-		if len(r.HostPattern) > len(labels) {
-			re.logger.Debug("rule does not match", "reason", "host pattern too long", "rule", r.Raw, "method", method, "url", url, "pattern_length", len(r.HostPattern), "hostname_labels", len(labels))
-			return false
-		}
+		// Special case: single "*" matches everything
+		if len(r.HostPattern) == 1 && r.HostPattern[0] == "*" {
+			// Matches any host
+		} else {
+			// Check if pattern starts with wildcard (subdomain pattern)
+			startsWithWildcard := len(r.HostPattern) > 0 && r.HostPattern[0] == "*"
+
+			if startsWithWildcard {
+				// Wildcard pattern (e.g., "*.github.com", "*.com", or "*.*")
+				// Count how many leading wildcards we have
+				wildcardCount := 0
+				for i := 0; i < len(r.HostPattern) && r.HostPattern[i] == "*"; i++ {
+					wildcardCount++
+				}
+
+				if wildcardCount == len(r.HostPattern) {
+					// Pattern is all wildcards (e.g., "*.*") - matches any domain with at least that many labels
+					if len(labels) < len(r.HostPattern) {
+						re.logger.Debug("rule does not match", "reason", "all-wildcard pattern requires at least pattern length labels", "rule", r.Raw, "method", method, "url", url, "pattern_length", len(r.HostPattern), "hostname_labels", len(labels))
+						return false
+					}
+				} else if len(r.HostPattern) == 2 {
+					// Pattern like "*.com" - matches any single-label domain (same length)
+					if len(labels) != len(r.HostPattern) {
+						re.logger.Debug("rule does not match", "reason", "wildcard pattern requires same length for 2-label patterns", "rule", r.Raw, "method", method, "url", url, "pattern_length", len(r.HostPattern), "hostname_labels", len(labels))
+						return false
+					}
+				} else {
+					// Pattern like "*.github.com" (3+ labels) - requires subdomain
+					// Host must have >= pattern length, but not be the base domain
+					if len(labels) < len(r.HostPattern) {
+						re.logger.Debug("rule does not match", "reason", "wildcard pattern requires subdomain but host has fewer labels", "rule", r.Raw, "method", method, "url", url, "pattern_length", len(r.HostPattern), "hostname_labels", len(labels))
+						return false
+					}
+					// Also ensure it's not the base domain (which would have len(labels) == len(r.HostPattern) - 1)
+					if len(labels) == len(r.HostPattern)-1 {
+						re.logger.Debug("rule does not match", "reason", "wildcard pattern does not match base domain", "rule", r.Raw, "method", method, "url", url, "pattern_length", len(r.HostPattern), "hostname_labels", len(labels))
+						return false
+					}
+				}
 
-		// Since host patterns cannot end with asterisk, we only need to handle:
-		// "example.com" or "*.example.com" - match from the end (allowing subdomains)
-		for i, lp := range r.HostPattern {
-			labelIndex := len(labels) - len(r.HostPattern) + i
-			if string(lp) != labels[labelIndex] && lp != "*" {
-				re.logger.Debug("rule does not match", "reason", "host pattern label mismatch", "rule", r.Raw, "method", method, "url", url, "expected", string(lp), "actual", labels[labelIndex])
-				return false
+				// Match from the end (excluding the wildcard at the start)
+				// Pattern: ["*", "github", "com"]
+				// Host: ["api", "github", "com"] -> match "github" and "com"
+				for i := 1; i < len(r.HostPattern); i++ {
+					lp := r.HostPattern[i]
+					labelIndex := len(labels) - len(r.HostPattern) + i
+					if string(lp) != labels[labelIndex] && lp != "*" {
+						re.logger.Debug("rule does not match", "reason", "host pattern label mismatch", "rule", r.Raw, "method", method, "url", url, "expected", string(lp), "actual", labels[labelIndex])
+						return false
+					}
+				}
+			} else {
+				// Exact domain pattern (e.g., "github.com")
+				// Must match exactly - same length, all labels match
+				if len(r.HostPattern) != len(labels) {
+					re.logger.Debug("rule does not match", "reason", "exact domain pattern requires exact length match", "rule", r.Raw, "method", method, "url", url, "pattern_length", len(r.HostPattern), "hostname_labels", len(labels))
+					return false
+				}
+
+				// All labels must match exactly
+				for i, lp := range r.HostPattern {
+					if string(lp) != labels[i] && lp != "*" {
+						re.logger.Debug("rule does not match", "reason", "host pattern label mismatch", "rule", r.Raw, "method", method, "url", url, "expected", string(lp), "actual", labels[i])
+						return false
+					}
+				}
 			}
 		}
 	}

rulesengine/engine_test.go

@@ -74,14 +74,32 @@ func TestEngineMatches(t *testing.T) {
 			expected: false,
 		},
 		{
-			name: "subdomain matches",
+			name: "subdomain does not match exact domain pattern",
 			rule: Rule{
 				HostPattern: []string{"example", "com"},
 			},
 			method:   "GET",
 			url:      "https://api.example.com/users",
+			expected: false,
+		},
+		{
+			name: "wildcard subdomain pattern matches subdomain",
+			rule: Rule{
+				HostPattern: []string{"*", "example", "com"},
+			},
+			method:   "GET",
+			url:      "https://api.example.com/users",
 			expected: true,
 		},
+		{
+			name: "wildcard subdomain pattern does not match base domain",
+			rule: Rule{
+				HostPattern: []string{"*", "example", "com"},
+			},
+			method:   "GET",
+			url:      "https://example.com/users",
+			expected: false,
+		},
 		{
 			name: "host pattern too long",
 			rule: Rule{

rulesengine/parse_and_match_test.go

@@ -98,13 +98,37 @@ func TestRoundTrip(t *testing.T) {
 			expectMatch: true,
 		},
 		{
-			name:        "domain wildcard segment matches",
+			name:        "domain wildcard segment matches subdomain",
 			rules:       []string{"domain=*.github.com"},
 			url:         "https://api.github.com/repos",
 			method:      "GET",
 			expectParse: true,
 			expectMatch: true,
 		},
+		{
+			name:        "domain wildcard does not match base domain",
+			rules:       []string{"domain=*.github.com"},
+			url:         "https://github.com/repos",
+			method:      "GET",
+			expectParse: true,
+			expectMatch: false,
+		},
+		{
+			name:        "exact domain does not match subdomain",
+			rules:       []string{"domain=github.com"},
+			url:         "https://api.github.com/repos",
+			method:      "GET",
+			expectParse: true,
+			expectMatch: false,
+		},
+		{
+			name:        "exact domain matches only exact domain",
+			rules:       []string{"domain=github.com"},
+			url:         "https://github.com/repos",
+			method:      "GET",
+			expectParse: true,
+			expectMatch: true,
+		},
 		{
 			name:        "domain cannot end with asterisk",
 			rules:       []string{"domain=github.*"},
@@ -281,12 +305,12 @@ func TestRoundTripExtraRules(t *testing.T) {
 			expectMatch: false,
 		},
 		{
-			name:        "includes all subdomains by default",
+			name:        "exact domain does not match subdomains",
 			rules:       []string{"domain=github.com"},
 			url:         "https://x.users.api.github.com",
 			method:      "GET",
 			expectParse: true,
-			expectMatch: true,
+			expectMatch: false,
 		},
 		{
 			name:        "domain wildcard in the middle matches exactly one label",

rulesengine/rules.go

@@ -20,7 +20,8 @@ type Rule struct {
 	// The labels of the host, i.e. ["google", "com"].
 	// - nil means all hosts allowed
 	// - A label of `*` acts as a wild card.
-	// - subdomains automatically match
+	// - Exact domain patterns (e.g., "github.com") match ONLY the exact domain (no subdomains)
+	// - Wildcard patterns starting with "*" (e.g., "*.github.com") match ONLY subdomains (not the base domain)
 	HostPattern []string
 
 	// The allowed http methods.

rulesengine/rules_test.go

@@ -1103,7 +1103,7 @@ func TestReadmeExamples(t *testing.T) {
 			}{
 				{"GET", "https://github.com", true},
 				{"POST", "https://github.com/user/repo", true},
-				{"GET", "https://api.github.com", true}, // subdomain match
+				{"GET", "https://api.github.com", false}, // subdomain does not match exact domain
 				{"GET", "https://example.com", false},
 			},
 		},