fix: correct acl-generator test assertions to match formatDomainForSquid output (#5049)

* fix: correct acl-generator test assertions to match formatDomainForSquid output

formatDomainForSquid prepends a dot to domains (e.g. evil.com -> .evil.com)
but the tests searched for the bare domain as an exact whitespace-delimited
token, which never matched. Updated to use .includes('.evil.com') and
.includes('.metrics.example.com') which correctly matches the formatted output.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding 'CodeQL / Incomplete URL substring sanitization'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for pull request finding 'CodeQL / Incomplete URL substring sanitization'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* fix: strengthen trailing-slash test assertion to not.toContain('/')

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: 4 people

src/squid/acl-generator.test.ts

@@ -88,11 +88,11 @@ describe('generateAclSections', () => {
 
       expect(aclLines).toContain('# ACL definitions for HTTP-only domains');
       expect(
-        aclLines.some(
-          l =>
-            l.startsWith('acl allowed_http_only dstdomain') &&
-            /\b\.metrics\.example\.com\b/.test(l)
-        )
+        aclLines.some(l => {
+          if (!l.startsWith('acl allowed_http_only dstdomain')) return false;
+          const tokens = l.trim().split(/\s+/);
+          return tokens.includes('.metrics.example.com');
+        })
       ).toBe(true);
     });
 
@@ -165,7 +165,7 @@ describe('generateAclSections', () => {
         blockedDomainConfig.aclLines.some(l => {
           if (!l.startsWith('acl blocked_domains dstdomain')) return false;
           const tokens = l.trim().split(/\s+/);
-          return tokens.includes('evil.com');
+          return tokens.includes('.evil.com');
         })
       ).toBe(true);
       expect(blockedDomainConfig.accessRules).toContain('http_access deny blocked_domains');
@@ -175,7 +175,7 @@ describe('generateAclSections', () => {
       const { domainsByProto, patternsByProto } = parseDomainConfig(['github.com']);
       const { blockedDomainConfig } = generateAclSections(domainsByProto, patternsByProto, ['https://evil.com']);
 
-      const aclLine = blockedDomainConfig.aclLines.find(l => l.split(/\s+/).includes('evil.com'));
+      const aclLine = blockedDomainConfig.aclLines.find(l => l.trim().split(/\s+/).includes('.evil.com'));
       expect(aclLine).toBeDefined();
       expect(aclLine).not.toContain('https://');
     });
@@ -184,7 +184,7 @@ describe('generateAclSections', () => {
       const { domainsByProto, patternsByProto } = parseDomainConfig(['github.com']);
       const { blockedDomainConfig } = generateAclSections(domainsByProto, patternsByProto, ['http://evil.com']);
 
-      const aclLine = blockedDomainConfig.aclLines.find(l => l.split(/\s+/).includes('evil.com'));
+      const aclLine = blockedDomainConfig.aclLines.find(l => l.trim().split(/\s+/).includes('.evil.com'));
       expect(aclLine).toBeDefined();
       expect(aclLine).not.toContain('http://');
     });
@@ -193,7 +193,7 @@ describe('generateAclSections', () => {
       const { domainsByProto, patternsByProto } = parseDomainConfig(['github.com']);
       const { blockedDomainConfig } = generateAclSections(domainsByProto, patternsByProto, ['evil.com/']);
 
-      const aclLine = blockedDomainConfig.aclLines.find(l => l.split(/\s+/).includes('evil.com'));
+      const aclLine = blockedDomainConfig.aclLines.find(l => l.trim().split(/\s+/).includes('.evil.com'));
       expect(aclLine).toBeDefined();
       expect(aclLine).not.toContain('/');
     });