fix: improve API endpoint regex [IDE-1896]

[rrama]

Description

Ensure the endpoint is restricted to Snyk domains.

Checklist

• Tests added and all succeed (make test)
• Regenerated mocks, etc. (make generate)
• N/A
• Linted (make lint)
• Test your changes work for the CLI
  1. Clone / pull the latest CLI main.
  2. Run go get github.com/snyk/go-application-framework@YOUR_LATEST_GAF_COMMIT in the cliv2 directory.
     • Tip: for local testing, you can uncomment the line near the bottom of the CLI's go.mod to point to your local GAF code.
  3. Run go mod tidy in the cliv2 directory.
  4. Run the CLI tests and do any required manual testing.
  5. Open a PR in the CLI repo now with the go.mod and go.sum changes.
  • Once this PR is merged, repeat these steps, but pointing to the latest GAF commit on main and update your CLI PR.
  • http://github.com/snyk/cli/pull/6733

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 PR contains tests

🔒 No security concerns identified

⚡ No major issues detected

📚 Repository Context Analyzed This review considered 7 relevant code sections from 7 files (average relevance: 0.75) pkg/auth/authHost.go (lines 1-37) pkg/local_workflows/connectivity_check_extension/connectivity/types.go (lines 1-192) internal/api/urls.go (lines 1-100) internal/api/fedramp.go (lines 1-20) pkg/apiclients/ldx_sync_config/ldx_sync/2024-10-15/spec.yaml (lines 433-673) pkg/local_workflows/local_models/models.gen.go (lines 1-239) internal/constants/constants.go (lines 1-9)

[bastiandoetsch]

This would prevent snyk to use private cloud unicode URLs.

It would be better to update IsValidHost with url.Parse to extract the actual host. The function could be moved to its own package to prevent possible import cycles.

[rrama]

Maybe I don't want to allow people to spin up PCs with unicode characters and this is my way of discouraging their use. 😉

But in all seriousness, you are right that since this regex is only used in a few places, it may be better to scrap it entirely and have a function which parses the URL and checks the beginning subdomain is "api" and the actual domain is in a list of allowed domains (the list could be stored in a GAF configuration like this regex).

[bastiandoetsch]

Added a comment for improvement

because i can dismiss my own review!