fix: allowlist parent domain unblocks subdomains #74

Merged

razvandimescu merged 5 commits from fix/allowlist-parent-unblocks into main 2026-04-11 02:43:41 +08:00

Conversation 0 Commits 5 Files Changed 1 +134 -39

razvandimescu commented 2026-04-11 02:23:59 +08:00 (Migrated from github.com)

Copy Link

Summary

• Allowing example.com now unblocks www.example.com even when www.example.com appears individually in the blocklist
• is_blocked restored to zero-allocation hot path (calls find_in_set directly instead of constructing BlockCheckResult)
• Extract normalize() helper for domain lowercasing + trailing dot stripping (4 call sites)
• Trailing dots normalized consistently in check, is_blocked, add_to_allowlist, and remove_from_allowlist
• Deduplicates is_blocked/check via shared find_in_set helper
• 10 new blocklist tests (181 total)

Root cause: is_blocked checked allowlist exact → blocklist exact → then interleaved allowlist/blocklist walk-up. The blocklist exact match on www.example.com returned true before reaching example.com in the allowlist. Fix: check allowlist at all parent levels first, then blocklist.

Test plan

• cargo test --lib blocklist — 11 tests pass
• make all — 181 tests, clippy, fmt, audit all green
• Add example.com to allowlist, verify www.example.com is unblocked via /blocking/check/www.example.com
• Verify sibling domains remain blocked (allowing www.example.com does NOT unblock ads.example.com)
• Verify trailing dot queries (example.com.) match correctly

🤖 Generated with Claude Code

## Summary - Allowing `example.com` now unblocks `www.example.com` even when `www.example.com` appears individually in the blocklist - `is_blocked` restored to zero-allocation hot path (calls `find_in_set` directly instead of constructing `BlockCheckResult`) - Extract `normalize()` helper for domain lowercasing + trailing dot stripping (4 call sites) - Trailing dots normalized consistently in `check`, `is_blocked`, `add_to_allowlist`, and `remove_from_allowlist` - Deduplicates `is_blocked`/`check` via shared `find_in_set` helper - 10 new blocklist tests (181 total) **Root cause:** `is_blocked` checked allowlist exact → blocklist exact → then interleaved allowlist/blocklist walk-up. The blocklist exact match on `www.example.com` returned `true` before reaching `example.com` in the allowlist. Fix: check allowlist at all parent levels first, then blocklist. ## Test plan - [x] `cargo test --lib blocklist` — 11 tests pass - [x] `make all` — 181 tests, clippy, fmt, audit all green - [ ] Add `example.com` to allowlist, verify `www.example.com` is unblocked via `/blocking/check/www.example.com` - [ ] Verify sibling domains remain blocked (allowing `www.example.com` does NOT unblock `ads.example.com`) - [ ] Verify trailing dot queries (`example.com.`) match correctly 🤖 Generated with [Claude Code](https://claude.com/claude-code)

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

Something isn't working

dependencies

Pull requests that update a dependency file

docker

Pull requests that update docker code

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

github_actions

Pull requests that update GitHub Actions code

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

rust

Pull requests that update rust code

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

dearsky

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: dearsky/numa#74