Problem
The DNS validation in generate_allowed_domains allows * anywhere in a domain (ex*ample.com, *.*.com), not just as a leading prefix. While * cannot break shell quoting (so this is not a security issue), the documented intent is for patterns like *.mycompany.com.
Tightening to host.starts_with("*.") || !host.contains('*') would match the documented convention and avoid surprising behavior if a user types example.* or *.*.com.
Context
Found during review of #175 (security audit fixes). Not a security issue — purely a correctness/UX improvement.
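An added example (not code from the project or from the issue author) that runs the predicate quoted above against the patterns named in the issue and compares it with a stricter variant. `strict_check`, `proposed_check` and the sample list are hypothetical names and constructed inputs; the comparison shows that a `starts_with("*.")` test alone still accepts `*.*.com`, so the remainder after the prefix has to be checked too.

```rust
/// Predicate quoted in the issue: a leading "*." or no '*' at all.
fn proposed_check(host: &str) -> bool {
    host.starts_with("*.") || !host.contains('*')
}

/// Stricter variant (assumption, not the project's code): at most one
/// wildcard, only as the whole leftmost label, followed by a non-empty
/// suffix that contains no further '*'. It checks wildcard placement only,
/// not whether the rest is a well-formed hostname.
fn strict_check(host: &str) -> bool {
    match host.strip_prefix("*.") {
        Some(rest) => !rest.is_empty() && !rest.contains('*'),
        None => !host.contains('*'),
    }
}

/// Constructed samples: the patterns named in the issue plus the bare
/// prefix "*." as an extra edge case.
const SAMPLES: [&str; 6] = [
    "example.com",
    "*.mycompany.com",
    "ex*ample.com",
    "example.*",
    "*.*.com",
    "*.",
];

/// Returns (host, proposed result, strict result) for every sample.
fn compare() -> Vec<(&'static str, bool, bool)> {
    SAMPLES
        .iter()
        .map(|h| (*h, proposed_check(h), strict_check(h)))
        .collect()
}

fn main() {
    for (host, proposed, strict) in compare() {
        println!("{host:<18} proposed={proposed:<5} strict={strict}");
    }
}
```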