Commit 977921c

fix(security): strictly compare DNS TXT record in domain verification
Previously used txt.includes(record.txtRecord), which would accept any TXT record that contained the verification string as a substring. Switch to strict equality so domain verification cannot be spoofed by embedding the token inside another record. Refs #10
1 parent 0a94f99 commit 977921c

1 file changed

Lines changed: 1 addition & 1 deletion

src/lib/server/services/dns-verification.ts

@@ -40,7 +40,7 @@ export async function verifyDns(orgId: string): Promise<{
4040
try {
4141
const txtRecords = await resolve(record.domain, 'TXT');
4242
const flat = txtRecords.flat();
43-
const found = flat.some((txt) => txt.includes(record.txtRecord));
43+
const found = flat.some((txt) => txt === record.txtRecord);
4444

4545
if (found) {
4646
await db
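
Review bot: The new `txt === record.txtRecord` check on the `+` line still runs over `flat`, so it compares the token against flattened entries rather than whole TXT records. If `resolve` returns each record as an array of string chunks (as the `.flat()` call suggests, and as Node's `dns` resolver does for TXT), one chunk of a multi-string record that equals the token would still pass, and a token that the DNS host split across chunks would never match. Consider comparing per record, for example `txtRecords.some((chunks) => chunks.join('') === record.txtRecord)`, and dropping `flat`. The commit changes one file and brings no test; a case where a record merely contains the token as a substring would pin the behaviour this fix is meant to guarantee.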
