SNS URL trust-policy validation — SSRF guard for cert and subscribe URLs.
Validates SigningCertURL and SubscribeURL from SNS messages before any
network I/O. Implements the safe host pattern from the AWS PHP SDK reference
implementation to prevent S3 namespace collision attacks (per D-06, D-09).
All functions are pure predicates — no side effects, no network I/O, no Logger.
Callers raise %Mailglass.SignatureError{} on false.
Functions
Returns true if url is a trusted SNS signing certificate URL.
Requirements (all must hold):
- Scheme: https only
- Host: matches ^sns\.[a-zA-Z0-9\-]{3,}\.amazonaws\.com(\.cn)?$
- No userinfo component
- No fragment component
- Path ends with .pem
- No query string (certs are static resources)
Returns true if url is a trusted SNS subscribe/unsubscribe URL.
Requirements (all must hold):
- Scheme: https only
- Host: matches SNS host pattern (same regex as cert URL)
- No userinfo component
- No fragment component
Note: SubscribeURL validation is a consistency check per D-07. The actual
subscription confirmation does NOT follow this URL — it constructs the
ConfirmSubscription API request from TopicArn + Token instead.
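
The two predicates described above, written out as an added example; this is not Mailglass's own code. The module name SnsUrlPolicyExample, the function names and the sample URLs are assumptions made for illustration. The host pattern is the one given on this page, anchored with \A and \z instead of ^ and $ so that a host ending in a newline cannot match.

```elixir
# Added example: hypothetical module and function names, not the project's code.
defmodule SnsUrlPolicyExample do
  # Host pattern from the page. \A and \z are used because PCRE's $ also
  # matches just before a trailing newline.
  defp sns_host, do: ~r/\Asns\.[a-zA-Z0-9\-]{3,}\.amazonaws\.com(\.cn)?\z/

  # Cert URL: every shared rule, plus no query string and a path ending in .pem.
  def trusted_cert_url?(url) when is_binary(url) do
    uri = URI.parse(url)

    base_ok?(uri) and is_nil(uri.query) and
      is_binary(uri.path) and String.ends_with?(uri.path, ".pem")
  end

  def trusted_cert_url?(_), do: false

  # Subscribe/unsubscribe URL: shared rules only.
  def trusted_subscribe_url?(url) when is_binary(url), do: base_ok?(URI.parse(url))
  def trusted_subscribe_url?(_), do: false

  # Shared rules: https scheme, no userinfo, no fragment, host matches the pattern.
  # Matching on nil also rejects an empty userinfo or fragment component.
  defp base_ok?(%URI{scheme: "https", host: host, userinfo: nil, fragment: nil})
       when is_binary(host),
       do: Regex.match?(sns_host(), host)

  defp base_ok?(_), do: false
end

# Constructed sample URLs (not taken from real SNS messages).
samples = [
  "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem",
  "http://sns.us-east-1.amazonaws.com/cert.pem",
  "https://sns.s3.amazonaws.com/cert.pem",
  "https://sns.us-east-1.amazonaws.com.example.net/cert.pem",
  "https://user@sns.us-east-1.amazonaws.com/cert.pem",
  "https://sns.us-east-1.amazonaws.com/cert.pem?x=1",
  "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"
]

# Columns: cert predicate, subscribe predicate, URL.
for url <- samples do
  cert = SnsUrlPolicyExample.trusted_cert_url?(url)
  sub = SnsUrlPolicyExample.trusted_subscribe_url?(url)
  IO.puts("#{cert}\t#{sub}\t#{url}")
end
```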