]> git.ipfire.org Git - thirdparty/rspamd.git/commitdiff
projects / thirdparty / rspamd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ad17b06)
[Fix] url_suspect: extract TLD from eSLD for suspicious TLD check
authorVsevolod Stakhov <vsevolod@rspamd.com>
Wed, 28 Jan 2026 11:08:49 +0000 (11:08 +0000)
committerVsevolod Stakhov <vsevolod@rspamd.com>
Wed, 28 Jan 2026 11:08:49 +0000 (11:08 +0000)
The get_tld() function returns eSLD (e.g., "phishing.tk"), not the TLD
suffix. Extract the actual TLD by removing the first label.

Also add suspicious_tlds_map to test config since the override replaces
the default url_suspect configuration.

src/plugins/lua/url_suspect.lua patch | blob | blame | history
test/functional/configs/merged-override.conf patch | blob | blame | history

diff --git a/src/plugins/lua/url_suspect.lua b/src/plugins/lua/url_suspect.lua
index e1c0003e0800e75e6d59e7da644e0f3d789e67b8..23120d16149dbb3a0155fbcf65ee43dafca37539 100644 (file)
--- a/src/plugins/lua/url_suspect.lua
+++ b/src/plugins/lua/url_suspect.lua
@@ -402,16 +402,20 @@ function checks.tld_analysis(task, url, cfg)
     return findings
   end
 
-  local tld = url:get_tld()
-  if not tld then
+  local esld = url:get_tld()
+  if not esld then
     return findings
   end
 
+  local tld = esld:match("^[^%.]+%.(.+)$") or esld
+  lua_util.debugm(N, task, "URL eSLD: %s, TLD: %s", esld, tld)
+
   -- Check suspicious TLDs map
   if maps.suspicious_tlds then
     -- Check both with and without leading dot for flexibility
-    local tld_with_dot = tld:sub(1, 1) == '.' and tld or ('.' .. tld)
-    local tld_without_dot = tld:sub(1, 1) == '.' and tld:sub(2) or tld
+    local tld_with_dot = '.' .. tld
+    local tld_without_dot = tld
+    lua_util.debugm(N, task, "Checking TLDs: with_dot=%s, without_dot=%s", tld_with_dot, tld_without_dot)
     if maps.suspicious_tlds:get_key(tld_with_dot) or maps.suspicious_tlds:get_key(tld_without_dot) then
       lua_util.debugm(N, task, "URL uses suspicious TLD: %s", tld)
       table.insert(findings, {
diff --git a/test/functional/configs/merged-override.conf b/test/functional/configs/merged-override.conf
index a5ddc527900e1868de3c43fa59d8c1edc90dcb66..e812578e005af0a69d3d3f4b958c1968e640d971 100644 (file)
--- a/test/functional/configs/merged-override.conf
+++ b/test/functional/configs/merged-override.conf
@@ -465,4 +465,10 @@ EOD;
 # URL suspect plugin for testing
 url_suspect {
   enabled = true;
+  checks {
+    tld {
+      # Map is required for suspicious TLD detection
+      suspicious_tlds_map = "file://{= env.TESTDIR =}/../../conf/maps.d/suspicious_tlds.inc";
+    }
+  }
 }
Mirror of https://github.com/rspamd/rspamd.git