Skip to content

fix: Validate twingate.host and twingate.network against trusted domains#359

Open
minhtule wants to merge 2 commits into
feat/mt/parser-config-helpersfrom
feat/mt/validate-twingate-trust
Open

fix: Validate twingate.host and twingate.network against trusted domains#359
minhtule wants to merge 2 commits into
feat/mt/parser-config-helpersfrom
feat/mt/validate-twingate-trust

Conversation

@minhtule

Copy link
Copy Markdown
Contributor

Related Tickets & Documents

Changes

  • Validate twingate.network is a single DNS label, since it is interpolated into the JWKS URL authority.
  • Validate twingate.host against the trusted Twingate domains, matched case-insensitively, using the same allowlist as token issuer validation so an accepted host always has a known JWT issuer.
  • Re-validate the resolved host after redirect, keeping the configured host if the redirect target is not trusted.

@codecov

codecov Bot commented Jun 30, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.16%. Comparing base (5bd5661) to head (bc76588).
✅ All tests successful. No failed tests found.

Additional details and impacted files

Impacted file tree graph

@@                        Coverage Diff                        @@
##           feat/mt/parser-config-helpers     #359      +/-   ##
=================================================================
- Coverage                          86.19%   86.16%   -0.04%     
=================================================================
  Files                                 40       40              
  Lines                               2833     2848      +15     
=================================================================
+ Hits                                2442     2454      +12     
- Misses                               265      269       +4     
+ Partials                             126      125       -1     
Flag Coverage Δ
integration 54.68% <11.76%> (-0.37%) ⬇️
unit 78.68% <100.00%> (+0.11%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
internal/config/config.go 89.71% <100.00%> (+0.57%) ⬆️
internal/connect/connect.go 97.72% <100.00%> (ø)

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds defensive validation around the Twingate controller trust anchor by constraining both twingate.network and twingate.host to safe DNS forms and to an explicit trusted-domain allowlist (aligned with issuer selection), including after controller redirects.

Changes:

  • Validate twingate.network as a single DNS label to prevent authority/host injection in the JWKS URL construction.
  • Validate twingate.host as a well-formed hostname and require it to match a trusted Twingate domain (case-insensitive).
  • When resolving the controller host via redirect, re-validate the resolved hostname and fall back to the configured host if the redirect target is untrusted.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
internal/config/config.go Adds network/host validation (regex + trusted-domain allowlist) and re-validates redirect-resolved hostnames before accepting them.
internal/config/config_test.go Extends tests to cover invalid network values, trusted/untrusted hosts (including case-insensitive suffix matching), and redirect fallback behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@minhtule minhtule force-pushed the feat/mt/parser-config-helpers branch from cc7da4d to 94bc480 Compare June 30, 2026 14:58
@minhtule minhtule force-pushed the feat/mt/validate-twingate-trust branch from 8b48cf7 to f9631bc Compare June 30, 2026 15:00
@minhtule minhtule marked this pull request as ready for review June 30, 2026 15:05
@minhtule minhtule requested a review from clement0010 June 30, 2026 15:05
@minhtule minhtule changed the title feat: Validate twingate.host and twingate.network against trusted domains fix: Validate twingate.host and twingate.network against trusted domains Jun 30, 2026
@minhtule minhtule force-pushed the feat/mt/parser-config-helpers branch 2 times, most recently from 409edde to 5bd5661 Compare June 30, 2026 15:17
…ains

- Validate twingate.network is a single DNS label and twingate.host is a well-formed
  hostname restricted to trusted Twingate domains; match case-insensitively.
- Re-validate the resolved host after redirect, keeping the configured host if untrusted.
@minhtule minhtule force-pushed the feat/mt/validate-twingate-trust branch from f9631bc to 26ecc25 Compare June 30, 2026 15:18

@clement0010 clement0010 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍🏻

Comment thread internal/config/config.go Outdated
@minhtule minhtule requested a review from sghiocel July 1, 2026 18:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants