
[Vulnerability] Default domain name regex matching does not use $ #1264

Open
@FWDekker

Description

OpenSnitch contains (what I believe to be) a security vulnerability, allowing adversaries to make connections even if the user thinks the adversary cannot. The adversary does so by exploiting the fact that when a user chooses to whitelist a host name with a regex (e.g. whitelist *.example.org), OpenSnitch uses the regex ^(|.*\.)example\.org, without a terminating $. If an adversary can make a decent guess as to which domains are whitelisted, they can simply append an arbitrary domain name at the end (e.g. example.org.evil.com) and circumvent the intended whitelisting.

To reproduce

  1. Use a fresh OpenSnitch installation without any rules. (Or at least without any rules that apply to the remaining actions in this list.)
  2. Run ping sub.example.org.
  3. An OpenSnitch prompt opens, informing of a DNS request for sub.example.org. Click the "+", then choose to match by *.example.org. Then allow the connection.
  4. At this point, the user expects that any DNS lookup by ping will trigger a prompt by OpenSnitch, unless the DNS lookup is for example.org or one of its sub-domains.
  5. Run ping example.org.evil.com. Observe that OpenSnitch allows the connection without creating a prompt!

Example threats

  1. I have an IDE installed. I also have plugins installed. Plugins are sandboxed in the IDE, so they cannot hijack OpenSnitch or something like that. I like my plugins, but fear that there is a plugin sending my code to an external website to train AI on. Therefore, I want to whitelist connections with OpenSnitch. My IDE checks for updates automatically, so I have whitelisted *.cool-ide.org using the OpenSnitch prompt. A malicious plugin vendor knows about the vulnerability I describe here, and thus connects to cool-ide.org.evil.com. As demonstrated earlier, OpenSnitch does not whitelist sub-domains correctly, and allows the connection.
  2. Basically the same as above, except with JavaScript inside a browser.
  3. Basically the same as above, except with me whitelisting ssh to connect to *.github.com, and another program then ssh'ing to github.com.evil.com.

Solution
Make sure that, when a user opts to match a rule for sub-domains (such as *.example.org), the regex used to match this ends with $. This will close this vulnerability in its entirety.

Responsible disclosure
This repository does not have a security policy and does not have GitHub's vulnerability reporting feature enabled. Additionally, I could not find the email address or other contact information of the currently active maintainer, Gustavo Iñiguez Goia. I therefore decided to report it as a regular issue instead. I recommend that a security policy is added for this repository. Good example policies include the policy of git/git and the policy of GitHub itself. I also like my own policy.
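The following is an added example, not code from the issue or from OpenSnitch itself: it builds the regex the issue describes for a `*.example.org` rule, once without and once with the terminating `$`, and checks constructed host names against both, so the bypass and the fix can be verified side by side. The helper names (`vulnerablePattern`, `fixedPattern`, `hostAllowed`) are assumptions for this example and do not exist in the project.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// vulnerablePattern (assumed helper, not OpenSnitch's own) builds the regex
// the issue describes for a "*.apex" rule: "^(|.*\.)apex" with no "$".
// The empty alternative in "(|.*\.)" accepts the apex itself and ".*\."
// accepts any sub-domain; without "$" nothing stops trailing labels.
func vulnerablePattern(wildcardHost string) string {
	apex := strings.TrimPrefix(wildcardHost, "*.")
	return `^(|.*\.)` + regexp.QuoteMeta(apex)
}

// fixedPattern is the same regex with the terminating "$" the issue asks for,
// so the match must end exactly at the apex domain.
func fixedPattern(wildcardHost string) string {
	return vulnerablePattern(wildcardHost) + "$"
}

// hostAllowed reports whether a host name matches a rule pattern.
func hostAllowed(pattern, host string) bool {
	return regexp.MustCompile(pattern).MatchString(host)
}

func main() {
	rule := "*.example.org"
	// Constructed sample hosts: the first two are legitimately covered by the
	// rule, the third is the bypass from the issue, the fourth is a control.
	hosts := []string{
		"example.org",
		"sub.example.org",
		"example.org.evil.com",
		"notexample.org",
	}
	fmt.Printf("%-22s %-12s %s\n", "host", "no $", "with $")
	for _, h := range hosts {
		fmt.Printf("%-22s %-12v %v\n", h,
			hostAllowed(vulnerablePattern(rule), h),
			hostAllowed(fixedPattern(rule), h))
	}
}
```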
