From 17987e39908d8771b844142d62fcbfa795562815 Mon Sep 17 00:00:00 2001
From: Mark Felder
Date: Thu, 3 Jul 2025 12:08:36 -0700
Subject: [PATCH] Enforce an exact domain match for WebFinger resolution

The regex was not being terminated with an $

---
 changelog.d/webfinger-resolution.fix | 1 +
 lib/pleroma/web/web_finger.ex | 4 ++--
 test/pleroma/web/web_finger_test.exs | 17 +++++++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 changelog.d/webfinger-resolution.fix
diff --git a/changelog.d/webfinger-resolution.fix b/changelog.d/webfinger-resolution.fix
new file mode 100644
index 000000000..71b927bb0
--- /dev/null
+++ b/changelog.d/webfinger-resolution.fix
@@ -0,0 +1 @@
+Enforce an exact domain match for WebFinger resolution
diff --git a/lib/pleroma/web/web_finger.ex b/lib/pleroma/web/web_finger.ex
index e653b3338..a53d58caa 100644
--- a/lib/pleroma/web/web_finger.ex
+++ b/lib/pleroma/web/web_finger.ex
@@ -35,9 +35,9 @@ defmodule Pleroma.Web.WebFinger do
 regex =
 if webfinger_domain = Pleroma.Config.get([__MODULE__, :domain]) do
- ~r/(acct:)?(?[a-z0-9A-Z_\.-]+)@(#{host}|#{webfinger_domain})/
+ ~r/(acct:)?(?[a-z0-9A-Z_\.-]+)@(#{host}|#{webfinger_domain})$/
 else
- ~r/(acct:)?(?[a-z0-9A-Z_\.-]+)@#{host}/
+ ~r/(acct:)?(?[a-z0-9A-Z_\.-]+)@#{host}$/
 end
 with %{"username" => username} <- Regex.named_captures(regex, resource),
diff --git a/test/pleroma/web/web_finger_test.exs b/test/pleroma/web/web_finger_test.exs
index aefe7b0c2..923074ed5 100644
--- a/test/pleroma/web/web_finger_test.exs
+++ b/test/pleroma/web/web_finger_test.exs
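Review bot: In the two `~r/…/` lines of lib/pleroma/web/web_finger.ex the interpolated `host` and `webfinger_domain` still go into the pattern unescaped, so the `.` in a domain is a regex wildcard and the match is still not exact: with `pleroma.dev` configured, `alice@pleromaxdev` satisfies the new `$`-anchored pattern. The pattern also has no `^`, so anything may precede the username (for example a URL whose last path segment happens to look like `alice@<host>`), which the `(acct:)?` group was presumably meant to constrain. I'd escape both interpolations and anchor the start: `~r/^(acct:)?(?<username>[a-z0-9A-Z_\.-]+)@(#{Regex.escape(host)}|#{Regex.escape(webfinger_domain)})$/` and `~r/^(acct:)?(?<username>[a-z0-9A-Z_\.-]+)@#{Regex.escape(host)}$/`. Whether the domain comparison should also be case-insensitive (an `i` modifier) depends on how `host` is normalized upstream, which is not visible here. The enclosing `webfinger/2` function, where `host` is bound, starts and ends outside this hunk.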
@@ -39,6 +39,23 @@ defmodule Pleroma.Web.WebFingerTest do
 end
 end
+ test "requires exact match for Endpoint host or WebFinger domain" do
+ clear_config([Pleroma.Web.WebFinger, :domain], "pleroma.dev")
+ user = insert(:user)
+
+ assert {:error, "Couldn't find user"} ==
+ WebFinger.webfinger("#{user.nickname}@#{Pleroma.Web.Endpoint.host()}xxxx", "JSON")
+
+ assert {:error, "Couldn't find user"} ==
+ WebFinger.webfinger("#{user.nickname}@pleroma.devxxxx", "JSON")
+
+ assert {:ok, _} =
+ WebFinger.webfinger("#{user.nickname}@#{Pleroma.Web.Endpoint.host()}", "JSON")
+
+ assert {:ok, _} =
+ WebFinger.webfinger("#{user.nickname}@pleroma.dev", "JSON")
+ end
+
 describe "fingering" do
 test "returns error for nonsensical input" do
 assert {:error, _} = WebFinger.finger("bliblablu")
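Review bot: The new test in test/pleroma/web/web_finger_test.exs only appends junk after the domain (`…xxxx`), so it pins the `$` anchor but leaves the rest of the pattern it guards unexercised: the interpolated domain is not regex-escaped, so `.` matches any character, and nothing anchors the start of the resource. Two more assertions would lock down what "exact match" means here: `assert {:error, "Couldn't find user"} == WebFinger.webfinger("#{user.nickname}@pleromaxdev", "JSON")` and `assert {:error, "Couldn't find user"} == WebFinger.webfinger("https://example.org/#{user.nickname}@pleroma.dev", "JSON")`; as far as the regex in this commit goes, both inputs should currently still resolve the user, which is what makes them useful. The test also only exercises the branch with a WebFinger domain configured; if the unconfigured `else` branch is not covered elsewhere in this file, a sibling case without `clear_config` would be worth adding. The enclosing test module starts before the hunk and continues after it.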