From e0eaf635cf3a18a426a6a7787531013c5723e540 Mon Sep 17 00:00:00 2001 From: Zach Chuba Date: Thu, 12 Dec 2024 13:24:36 -0500 Subject: [PATCH] Ensure hostname is ascii Ensure certificate from maliciously crafted domain is not accepted due to improper verifications --- .../io/grpc/okhttp/internal/OkHostnameVerifier.java | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/okhttp/third_party/okhttp/main/java/io/grpc/okhttp/internal/OkHostnameVerifier.java b/okhttp/third_party/okhttp/main/java/io/grpc/okhttp/internal/OkHostnameVerifier.java index 34bb56ee2d6..2af8fe09b73 100644 --- a/okhttp/third_party/okhttp/main/java/io/grpc/okhttp/internal/OkHostnameVerifier.java +++ b/okhttp/third_party/okhttp/main/java/io/grpc/okhttp/internal/OkHostnameVerifier.java @@ -63,6 +63,9 @@ private OkHostnameVerifier() { @Override public boolean verify(String host, SSLSession session) { + if (!isAscii(host)) { + return false; + } try { Certificate[] certificates = session.getPeerCertificates(); return verify(host, (X509Certificate) certificates[0]); @@ -254,4 +257,13 @@ private boolean verifyHostName(String hostName, String pattern) { // hostName matches pattern return true; } + + private static boolean isAscii(String input) { + try { + // All only ascii characters are 1 byte in utf8 + return input.getBytes("UTF-8").length == input.length(); + } catch (java.io.UnsupportedEncodingException e) { + return false; + } + } }
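Review bot: The new guard on `host` is applied only in the `SSLSession` overload, while the actual name matching happens in the `verify(host, (X509Certificate) certificates[0])` overload called two lines below; if that overload is reachable by other callers (its signature lies outside this hunk), they still verify non-ASCII names unchecked. Moving `if (!isAscii(host)) { return false; }` to the top of the certificate overload would cover both entry points with a single check. The rejection is also silent and the reason is not stated, so a comment such as `// Reject non-ASCII (U-label) hostnames; callers must pass the A-label (punycode) form.` would make the contract visible to callers. The body of `verify` continues past the end of the hunk.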
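Review bot: `isAscii` is not a strict ASCII check: `String.getBytes("UTF-8")` replaces a malformed sequence such as a lone surrogate with the encoder's single replacement byte `?`, so an input like `"\uD800"` has byte length 1 equal to its char length 1 and is accepted, while the byte-array allocation and the `UnsupportedEncodingException` branch (unreachable for the built-in UTF-8 charset) add cost on every handshake. A direct code-unit comparison is both strict and allocation-free; the rewrite below replaces the try/catch body and needs no imports. The comment `// All only ascii characters are 1 byte in utf8` should go with it, since the length equivalence is exactly what fails for malformed input.
```java
  private static boolean isAscii(String input) {
    for (int i = 0; i < input.length(); i++) {
      // Anything at or above 0x80, including surrogate halves, is not ASCII.
      if (input.charAt(i) >= 0x80) {
        return false;
      }
    }
    return true;
  }
```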