Guard Proxy Relay URL Acceptance with Pattern Check

proxy/lib/snowflake.go

@@ -30,6 +30,7 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"fmt"
+	"git.torproject.org/pluggable-transports/snowflake.git/v2/common/namematcher"
 	"io"
 	"io/ioutil"
 	"log"
@@ -494,6 +495,12 @@ func (sf *SnowflakeProxy) runSession(sid string) {
 		tokens.ret()
 		return
 	}
+	matcher := namematcher.NewNameMatcher(sf.RelayDomainNamePattern)
+	if relayURL != "" && !matcher.IsMember(relayURL) {
+		log.Printf("bad offer from broker: rejected Relay URL")
+		tokens.ret()
+		return
+	}
 	dataChan := make(chan struct{})
 	dataChannelAdaptor := dataChannelHandlerWithRelayURL{RelayURL: relayURL, sf: sf}
 	pc, err := sf.makePeerConnectionFromOffer(offer, config, dataChan, dataChannelAdaptor.datachannelHandler)