`checkRelayPattern` can output false positives
Firstly, severity: doesn't look like you can do much harm with it. Need to check the standalone Snowflake proxy as well.
- `str.endswith(pattern)` will allow `"different-domain-torproject.net"` if the pattern is `"torproject.net"` (currently it's `"snowflake.torproject.net"` though).
- I don't quite understand why we do `localeCompare` instead of regular `===`. From my understanding, it can return different results depending on the user's locale.
Apparently the same goes for the standalone version: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/97dea533da7b6b3b2b1dfbffe7dca3a8350fab0b/common/namematcher/matcher.go#L7
Maybe check out the experimental URL Pattern API
Related: snowflake#40166
Edited by WofWca
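The suffix false positive described in this issue, shown next to a check that anchors the match on a DNS label boundary and compares by code unit. This is an added example, not part of the original post and not Snowflake's code. The function names, the sample hostnames, and the choice to lowercase and strip a trailing dot are assumptions, and the input is assumed to be a bare hostname without a port.

```javascript
// Added example: hypothetical helpers, not taken from the Snowflake code base.

// Behaviour the issue describes: a bare suffix test on the hostname.
function naiveSuffixMatch(host, pattern) {
  return host.endsWith(pattern);
}

// Assumption: hostnames are compared case-insensitively and a single
// trailing root dot is ignored. toLowerCase() is locale-independent.
function normalizeHost(host) {
  const h = host.toLowerCase();
  return h.endsWith('.') ? h.slice(0, -1) : h;
}

// Hardened check: accept the pattern itself or a subdomain of it, so the
// match boundary always falls on a '.' label separator. Equality uses ===
// (code-unit comparison); collation-based comparison such as localeCompare
// may treat strings with different code units as equal.
function labelBoundaryMatch(host, pattern) {
  if (typeof host !== 'string' || typeof pattern !== 'string') return false;
  const h = normalizeHost(host);
  const p = normalizeHost(pattern);
  if (h === '' || p === '') return false;
  return h === p || h.endsWith('.' + p);
}

// Constructed sample hostnames (not real relay addresses).
const SAMPLES = [
  'snowflake.torproject.net',
  '01.snowflake.torproject.net',
  'Snowflake.TorProject.net.',
  'notsnowflake.torproject.net',
  'different-domain-torproject.net',
];

// Run both checks over the samples for a given pattern.
function compareChecks(pattern) {
  return SAMPLES.map((host) => ({
    host,
    naive: naiveSuffixMatch(host, pattern),
    hardened: labelBoundaryMatch(host, pattern),
  }));
}

console.table(compareChecks('snowflake.torproject.net'));
console.table(compareChecks('torproject.net'));
```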