Skip to content

fix(security): strict match on DNS TXT verification record#22

Merged
rubenhensen merged 1 commit into
mainfrom
fix/dns-txt-strict-match
Apr 25, 2026
Merged

fix(security): strict match on DNS TXT verification record#22
rubenhensen merged 1 commit into
mainfrom
fix/dns-txt-strict-match

Conversation

@dobby-coder

@dobby-coder dobby-coder Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

Summary

Addresses sub-finding #2 from issue #10. src/lib/server/services/dns-verification.ts previously accepted any TXT record that contained the verification string as a substring:

const found = flat.some((txt) => txt.includes(record.txtRecord));

That means an attacker controlling a TXT record on the domain could embed the verification token inside a larger string and still pass verification. Switched to strict equality (txt === record.txtRecord).

One-line change. CI should cover it.

Verification

  • npm run check → clean
  • npm run test:unit -- --run → 26 passed (no dedicated DNS tests exist; nothing regressed)

Reviewer quickstart

git fetch origin && git checkout fix/dns-txt-strict-match && npm install && npm run test:unit -- --run

Refs #10

Previously used txt.includes(record.txtRecord), which would accept any
TXT record that contained the verification string as a substring. Switch
to strict equality so domain verification cannot be spoofed by embedding
the token inside another record.

Refs #10
@dobby-coder dobby-coder Bot marked this pull request as ready for review April 24, 2026 16:04
@dobby-coder dobby-coder Bot requested a review from rubenhensen April 24, 2026 22:04
@rubenhensen rubenhensen merged commit ed780dd into main Apr 25, 2026
7 checks passed
@rubenhensen rubenhensen deleted the fix/dns-txt-strict-match branch April 25, 2026 11:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant