fix: Domain allowance check to require exact matches (#39752)

ggazzo · sampaiodiego · web-flow · commit e65b1764aad1 · 2026-03-20T18:14:19.000-03:00
Co-authored-by: Diego Sampaio &lt;chinello@gmail.com&gt;
diff --git a/.changeset/eight-colts-kiss.md b/.changeset/eight-colts-kiss.md
@@ -0,0 +1,6 @@
+---
+"@rocket.chat/federation-matrix": patch
+"@rocket.chat/meteor": patch
+---
+
+Fixes an issue on Federation where all domains ending with the pattern where being allowed to communicate, the feature is meant to work with a list, url by url
diff --git a/ee/packages/federation-matrix/src/api/middlewares/isFederationDomainAllowed.ts b/ee/packages/federation-matrix/src/api/middlewares/isFederationDomainAllowed.ts
@@ -52,8 +52,8 @@ export const isFederationDomainAllowedMiddleware = createMiddleware(async (c, ne
 		return c.json({ errcode: 'M_MISSING_ORIGIN', error: 'Missing origin in authorization header.' }, 401);
 	}
 
-	// Check if domain is in allowed list
-	if (allowList.some((allowed) => domain.endsWith(allowed))) {
+	// Check if domain is in allowed list (exact match only)
+	if (allowList.some((allowed) => domain === allowed)) {
 		return next();
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -52,8 +52,8 @@ export const isFederationDomainAllowedMiddleware = createMiddleware(async (c, ne`
`52`	`52`	`return c.json({ errcode: 'M_MISSING_ORIGIN', error: 'Missing origin in authorization header.' }, 401);`
`53`	`53`	`}`
`54`	`54`
`55`		`- // Check if domain is in allowed list`
`56`		`- if (allowList.some((allowed) => domain.endsWith(allowed))) {`
	`55`	`+ // Check if domain is in allowed list (exact match only)`
	`56`	`+ if (allowList.some((allowed) => domain === allowed)) {`
`57`	`57`	`return next();`
`58`	`58`	`}`
`59`	`59`