projectdiscovery / public-bugbounty-programs

Community curated list of public bug bounty and responsible disclosure programs.
https://chaos.projectdiscovery.io
MIT License

Bug in `ValidateFQDN` function #532

Closed ehsandeep closed 1 year ago

ehsandeep commented 1 year ago

from https://github.com/projectdiscovery/public-bugbounty-programs/blob/main/pkg/dns/dns.go#L27-L36

```go
func ValidateFQDN(value string) bool {
    // check if domain can be parsed
    tld, err := publicsuffix.EffectiveTLDPlusOne(value)
    if err != nil {
        return false
    }

    // check if top level domain is equal to original and it's a valid domain name
    return tld == value && govalidator.IsDNSName(tld)
}
```

flagging ngrok.io as invalid domain - https://github.com/projectdiscovery/public-bugbounty-programs/actions/runs/5364609119/jobs/9732904993

MattSilvaa commented 1 year ago

Hey! I can take this on

MattSilvaa commented 1 year ago

So it seems like the reason this is occurring is because ngrok.io is in the PSL. Do you want to change the fqdn logic to not consider the PSL when validating?

EDIT: Modified the logic to only look at the ICANN domains in the PSL
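
An added example, not from the thread or the project's repository: it reproduces the behaviour discussed above using a small constructed rule table in place of the real Public Suffix List, so it runs without external packages. The names `rules`, `publicSuffix`, `eTLDPlusOne` and `validateRoot` are hypothetical, and the matcher assumes plain rules only (no wildcard or exception rules).

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed miniature rule table: true = ICANN section, false = PRIVATE section.
var rules = map[string]bool{
	"com":      true,
	"io":       true,
	"co.uk":    true,
	"ngrok.io": false, // assumed PRIVATE-section entry; the thread says ngrok.io is in the PSL
}

// publicSuffix returns the longest matching rule; icannOnly skips PRIVATE rules.
func publicSuffix(domain string, icannOnly bool) string {
	labels := strings.Split(domain, ".")
	for i := range labels { // i = 0 is the longest candidate
		cand := strings.Join(labels[i:], ".")
		if icann, ok := rules[cand]; ok && (icann || !icannOnly) {
			return cand
		}
	}
	return labels[len(labels)-1] // no rule matched: last label is the suffix
}

// eTLDPlusOne returns suffix plus one label, or an error if domain is itself a suffix.
func eTLDPlusOne(domain string, icannOnly bool) (string, error) {
	suffix := publicSuffix(domain, icannOnly)
	if domain == suffix {
		return "", fmt.Errorf("%q is a public suffix", domain)
	}
	rest := strings.TrimSuffix(domain, "."+suffix)
	return rest[strings.LastIndex(rest, ".")+1:] + "." + suffix, nil
}

// validateRoot has the shape of the check in the issue: value must equal its own eTLD+1.
func validateRoot(value string, icannOnly bool) bool {
	root, err := eTLDPlusOne(value, icannOnly)
	return err == nil && root == value
}

func main() {
	for _, d := range []string{"ngrok.io", "foo.ngrok.io", "example.com"} {
		fmt.Println(d, "full list:", validateRoot(d, false), "ICANN only:", validateRoot(d, true))
	}
}
```

With ICANN-only matching `ngrok.io` validates as a root domain, and `foo.ngrok.io` stops being treated as its own registrable domain, which is worth keeping in mind when a program's scope lists hosts under a shared-hosting suffix.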