Skip to content

feat: check against urls with path #6416

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 47 commits into
base: main
Choose a base branch
from
Open

feat: check against urls with path #6416

wants to merge 47 commits into from

Conversation

imblue-dabadee
Copy link
Contributor

@imblue-dabadee imblue-dabadee commented Aug 29, 2025
edited
Loading

Explanation

There has been an advent of sites such as sites.google.com being used maliciously that bypass the checks as they contain an allowlisted hostname. This PR aims to enable the Phishing Controller to block URL paths so that we can maintain the same allowlist but also block malicious websites that use allowlisted hostnames.

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed, highlighting breaking changes as necessary
  • I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes

@imblue-dabadee imblue-dabadee requested a review from a team as a code owner August 29, 2025 04:15
@imblue-dabadee imblue-dabadee marked this pull request as draft August 29, 2025 04:15
@imblue-dabadee imblue-dabadee marked this pull request as ready for review August 29, 2025 21:33
cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

AugmentedMode
AugmentedMode reviewed Sep 15, 2025
View reviewed changes
eslint-warning-thresholds.json Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We shouldn't be modifying this file should we ?

packages/phishing-controller/src/utils.ts Outdated
urlPaths: Record<string, Record<string, Record<string, string[]>>>,
) => {
const urlWithProtocol = url.startsWith('http') ? url : `https://${url}`;
const { hostname, pathname } = new URL(urlWithProtocol);
Copy link
Contributor

@AugmentedMode AugmentedMode Sep 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

new URL() throws on bad input. Should we wrap this with a try/catch?

AugmentedMode
AugmentedMode reviewed Sep 15, 2025
View reviewed changes
packages/phishing-controller/src/PhishingController.ts Outdated
@@ -132,6 +136,7 @@ export type PhishingStalelist = {
export type PhishingListState = {
allowlist: string[];
blocklist: string[];
blocklistPaths: Record<string, Record<string, Record<string, string[]>>>;
Copy link
Contributor

@AugmentedMode AugmentedMode Sep 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about a type like this instead for better readability

type PathBlockNode = {
  isBlocked: boolean;          
  blockAllSubpaths: boolean;    
  children: Record<string, PathBlockNode>;  
};

type BlocklistPaths = Record<string, PathBlockNode>;

imblue-dabadee and others added 24 commits September 17, 2025 09:52
@imblue-dabadee
chore: update types for blocklistPaths to Trie
ef1e114
@imblue-dabadee
chore: remove old insertion/deletion/exists methods
a6b535b
@imblue-dabadee
test: update to new structure
cbfa2a5
@imblue-dabadee
refactor: getHostnameAndPathComponents
a98edbb
@imblue-dabadee
fix: separate blocklist entries
80927ec
@imblue-dabadee
test: separateBlocklistEntries
be8202d
@imblue-dabadee
test: getHostnameAndPathComponents
f283e11
@imblue-dabadee
test(fix): updateStalelist unit test
22b1ad1
@imblue-dabadee
test: subdomain case getHostnameAndPathComponents
d337406
@imblue-dabadee
test(fix): update the structure of blocklistPaths
a593944
@imblue-dabadee
test: updateStalelist blocklist separation case
907dd00
@imblue-dabadee
test(fix): add mocks
8578fac
@imblue-dabadee
test(fix): add url to blocklistPaths before calling bypass
277ada7
@imblue-dabadee
fix: check that blocklistPaths is empty or undefined
6b4742a
@imblue-dabadee
refactor: remove old funcs
09fbe61
@imblue-dabadee
test: check tests path-based blocking version
598b78a
@imblue-dabadee
test: isPathBlocked
4f98f31
@imblue-dabadee
fix: update getDefaultPhishingDetectorConfig
f8eed59
@imblue-dabadee
fix: revert processConfigs
2cd8146
@imblue-dabadee
fix: remove blocklist separation in getDefaultPhishingDetectorConfig
03714bc 
- We can assume that whenever config is given to this function, that separateBlocklistEntries has already been called so this would be unnecessary to do.
@imblue-dabadee
chore: redundant return variable
80882f7
@imblue-dabadee
test: update tests
5de9179
@imblue-dabadee
fix: lint issues
ed9a836
@imblue-dabadee
Merge branch 'main' into feat/check-against-urls-with-path
9368c52
cursor[bot]
cursor bot reviewed Sep 18, 2025
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Phishing Detector Ignores C2 Domain Blocklists

Legacy PhishingDetector configurations no longer correctly handle c2DomainBlocklist. The c2DomainBlocklist property is no longer passed to getDefaultPhishingDetectorConfig in the legacy constructor path, causing C2 domain blocklists to be ignored. This is a regression for existing legacy configurations.

packages/phishing-controller/src/PhishingDetector.ts#L76-L92

core/packages/phishing-controller/src/PhishingDetector.ts

Lines 76 to 92 in 9368c52

constructor(opts: PhishingDetectorOptions) {
// recommended configuration
if (Array.isArray(opts)) {
this.#configs = processConfigs(opts);
this.#legacyConfig = false;
// legacy configuration
} else {
this.#configs = [
getDefaultPhishingDetectorConfig({
allowlist: opts.whitelist,
blocklist: opts.blacklist,
fuzzylist: opts.fuzzylist,
tolerance: opts.tolerance,
}),
];
this.#legacyConfig = true;
}

Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AugmentedMode AugmentedMode AugmentedMode left review comments

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@imblue-dabadee @AugmentedMode