fix(api): block registering domains under .internal, fixes #283

api/desecapi/models.py

@@ -213,14 +213,18 @@ class Domain(models.Model):
     def is_registrable(cls, domain_name: str, user: User):
         """
         Returns False in any of the following cases:
-        (a) the domain_name appears on the public suffix list,
-        (b) the domain is descendant to a zone that belongs to any user different from the given one,
+        (a) the domain name is under .internal,
+        (b) the domain_name appears on the public suffix list,
+        (c) the domain is descendant to a zone that belongs to any user different from the given one,
             unless it's parent is a public suffix, either through the Internet PSL or local settings.
         Otherwise, True is returned.
         """
         if domain_name != domain_name.lower():
             raise ValueError
 
+        if f'.{domain_name}'.endswith('.internal'):
+            return False
+
         try:
             public_suffix = psl.get_public_suffix(domain_name)
             is_public_suffix = psl.is_public_suffix(domain_name)

api/desecapi/tests/test_domains.py

@@ -105,6 +105,11 @@ class IsRegistrableTestCase(DesecTestCase, PublicSuffixMockMixin):
             self.assertNotRegistrable('b.private.public.suffix', user_c)
             self.assertRegistrable('b.private.public.suffix', user_b)
 
+    def test_cant_register_internal(self):
+        self.assertNotRegistrable('internal')
+        self.assertNotRegistrable('catalog.internal')
+        self.assertNotRegistrable('some.other.internal')
+
 
 class UnauthenticatedDomainTests(DesecTestCase):