Use regex for domain validation (#7)

* Use regex for domain validation

* Escape slashes

Author: maarcingebala

src/saleor_mcp/config.py

@@ -1,14 +1,24 @@
 import os
+import re
 from dataclasses import dataclass
-from fnmatch import fnmatch
 
 from fastmcp.exceptions import ToolError
 from fastmcp.server.dependencies import get_http_headers
 
 
 def validate_api_url(url, pattern):
-    """Validate if the given URL matches the allowed domain pattern."""
-    return fnmatch(url, pattern)
+    """Validate if the given URL matches the allowed domain pattern.
+
+    Pattern should be a properly escaped regular expression.
+    """
+    # Add anchors if not present
+    if not pattern.startswith("^"):
+        pattern = "^" + pattern
+
+    if not pattern.endswith("$"):
+        pattern = pattern + "$"
+
+    return bool(re.match(pattern, url))
 
 
 @dataclass

src/saleor_mcp/tests/test_config.py

@@ -7,11 +7,27 @@
 @pytest.mark.parametrize(
     ("url", "pattern", "expected"),
     [
-        ("https://exactmatch.saleor.cloud", "https://exactmatch.saleor.cloud", True),
-        ("https://example.saleor.cloud", "https://*.saleor.cloud", True),
-        ("https://sub.domain.saleor.cloud", "https://*.saleor.cloud", True),
-        ("https://other.saleor.cloud", "https://exact.saleor.cloud", False),
-        ("https://malicious-saleor.cloud", "https://*.saleor.cloud", False),
+        (
+            "https://exactmatch.saleor.cloud",
+            r"https:\/\/exactmatch\.saleor\.cloud",
+            True,
+        ),
+        ("https://exactmatch.example.com", r"https:\/\/exactmatch\.example\.com", True),
+        ("https://example-domain.saleor.cloud", r"https:\/\/.*\.saleor\.cloud", True),
+        ("https://example.saleor.cloud", r"https:\/\/.*\.saleor\.cloud", True),
+        (
+            "https://example.saleor.cloud/graphql/",
+            r"https:\/\/.*\.saleor\.cloud\/graphql\/",
+            True,
+        ),
+        ("https://sub.domain.saleor.cloud", r"https:\/\/.*\.saleor\.cloud", True),
+        ("https://other.saleor.cloud", r"https:\/\/exact\.saleor\.cloud", False),
+        ("https://malicious-saleor.cloud", r"https:\/\/.*\.saleor\.cloud", False),
+        (
+            "https://example.com?url=https://a.saleor.cloud/",
+            r"https:\/\/.*\.saleor\.cloud",
+            False,
+        ),
     ],
 )
 def test_validate_api_url(url, pattern, expected):
@@ -39,7 +55,7 @@ def mock_get_http_headers():
 
 
 def test_get_config_from_headers_with_allowed_domain_pattern(monkeypatch):
-    monkeypatch.setenv("ALLOWED_DOMAIN_PATTERN", "https://*.saleor.cloud")
+    monkeypatch.setenv("ALLOWED_DOMAIN_PATTERN", r"https://.*\.saleor\.cloud")
     headers = {
         "x-saleor-api-url": "https://my.saleor.cloud",
         "x-saleor-auth-token": "mytoken",
@@ -59,7 +75,7 @@ def mock_get_http_headers():
 
 
 def test_get_config_from_headers_invalid_domain_pattern(monkeypatch):
-    monkeypatch.setenv("ALLOWED_DOMAIN_PATTERN", "https://*.saleor.cloud")
+    monkeypatch.setenv("ALLOWED_DOMAIN_PATTERN", r"https://.*\.saleor\.cloud")
 
     from saleor_mcp.config import get_config_from_headers