Fix - Incomplete regular expression for hostnames (#1993)

Fixed the codeql issue ``` Sanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts. If a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping regular-expression meta-characters such as .. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behavior when it accidentally succeeds. ```
2022-03-15 23:16:04 -05:00 · 2022-03-15 23:16:04 -05:00 · 783979948d
parent 34b2c347c9
commit 783979948d
1 changed files with 6 additions and 5 deletions
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@ -20,7 +20,7 @@ const (
 	// RootDir is the path to the root directory
 	RootDir = "/"

-	//KanikoDir is the path to the Kaniko directory
+	// KanikoDir is the path to the Kaniko directory
 	KanikoDir = "/kaniko"

 	IgnoreListPath = "/proc/self/mountinfo"
@ -76,8 +76,9 @@ const (
 var ScratchEnvVars = []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}

 // AzureBlobStorageHostRegEx is ReqEX for Valid azure blob storage host suffix in url for AzureCloud, AzureChinaCloud, AzureGermanCloud and AzureUSGovernment
-var AzureBlobStorageHostRegEx = []string{"https://(.+?).blob.core.windows.net/(.+)",
-	"https://(.+?).blob.core.chinacloudapi.cn/(.+)",
-	"https://(.+?).blob.core.cloudapi.de/(.+)",
-	"https://(.+?).blob.core.usgovcloudapi.net/(.+)",
+var AzureBlobStorageHostRegEx = []string{
+	"https://(.+?)\\.blob\\.core\\.windows\\.net/(.+)",
+	"https://(.+?)\\.blob\\.core\\.chinacloudapi\\.cn/(.+)",
+	"https://(.+?)\\.blob\\.core\\.cloudapi\\.de/(.+)",
+	"https://(.+?)\\.blob\\.core\\.usgovcloudapi\\.net/(.+)",
 }