refactor: hostname matching allows subdomain bypass via ends_with (#1468)

The url_match() function uses `host.ends_with(entry.host())` to match hostnames.
This allows an attacker to bypass the allowlist: if "example.com" is allowed,
then "notexample.com", "evilexample.com", or "notexample.com.evil.com" would ALL match
because "notexample.com".ends_with("example.com") is true. This is a critical
security flaw in a runtime designed for Lambda/serverless workloads.


Affected files: security.rs

Signed-off-by: hieuit095 <139037144+hieuit095@users.noreply.github.com>

Author: hieuit095

modules/llrt_fetch/src/security.rs

@@ -58,6 +58,9 @@ fn url_match(list: &[Uri], uri: &Uri) -> bool {
     let host = uri.host().unwrap_or_default();
     let port = uri.port_u16().unwrap_or(80);
     list.iter().any(|entry| {
-        host.ends_with(entry.host().unwrap_or_default()) && entry.port_u16().unwrap_or(80) == port
+        let entry_host = entry.host().unwrap_or_default();
+        let port_match = entry.port_u16().unwrap_or(80) == port;
+        let host_match = host == entry_host || host.ends_with(&format!(".{}", entry_host));
+        port_match && host_match
     })
 }