From e3d35570e6e5132650f4bb899f2fde57ab90ff49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Oliveirinha?= <joliveirinha@cloudflare.com>
Date: Fri, 25 Nov 2022 16:29:34 +0000
Subject: [PATCH] CUSTESC-23757: Fix a bug where a wildcard ingress rule would
 match an host without starting with a dot

---
 ingress/ingress.go   |  2 +-
 ingress/rule_test.go | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/ingress/ingress.go b/ingress/ingress.go
index 8905fb6d..0d989110 100644
--- a/ingress/ingress.go
+++ b/ingress/ingress.go
@@ -58,7 +58,7 @@ func matchHost(ruleHost, reqHost string) bool {
 
 	// Validate hostnames that use wildcards at the start
 	if strings.HasPrefix(ruleHost, "*.") {
-		toMatch := strings.TrimPrefix(ruleHost, "*.")
+		toMatch := strings.TrimPrefix(ruleHost, "*")
 		return strings.HasSuffix(reqHost, toMatch)
 	}
 	return false
diff --git a/ingress/rule_test.go b/ingress/rule_test.go
index 1c051137..1a46f155 100644
--- a/ingress/rule_test.go
+++ b/ingress/rule_test.go
@@ -148,6 +148,16 @@ func Test_rule_matches(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "Hostname with wildcard should not match if no dot present",
+			rule: Rule{
+				Hostname: "*.api.abc.cloud",
+			},
+			args: args{
+				requestURL: MustParseURL(t, "https://testing-api.abc.cloud"),
+			},
+			want: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {