Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Accurately separates a URL's subdomain, domain, and public suffix, using the Public Suffix List (PSL). By default, this includes the public ICANN TLDs and their exceptions. You can optionally support the Public Suffix List's private domains as well.
tldextract
accurately separates a URL's subdomain, domain, and public suffix,
using the Public Suffix List (PSL).
Say you want just the "google" part of https://www.google.com. Everybody gets
this wrong. Splitting on the "." and taking the 2nd-to-last element only works
for simple domains, e.g. .com. Consider
http://forums.bbc.co.uk: the naive splitting method
will give you "co" as the domain, instead of "bbc". Rather than juggle TLDs,
gTLDs, or ccTLDs yourself, tldextract
extracts the currently living public
suffixes according to the Public Suffix List.
A "public suffix" is one under which Internet users can directly register names.
A public suffix is also sometimes called an effective TLD (eTLD).
>>> import tldextract
>>> tldextract.extract('http://forums.news.cnn.com/')
ExtractResult(subdomain='forums.news', domain='cnn', suffix='com', is_private=False)
>>> tldextract.extract('http://forums.bbc.co.uk/') # United Kingdom
ExtractResult(subdomain='forums', domain='bbc', suffix='co.uk', is_private=False)
>>> tldextract.extract('http://www.worldbank.org.kg/') # Kyrgyzstan
ExtractResult(subdomain='www', domain='worldbank', suffix='org.kg', is_private=False)
Note subdomain and suffix are optional. Not all URL-like inputs have a subdomain or a valid suffix.
>>> tldextract.extract('google.com')
ExtractResult(subdomain='', domain='google', suffix='com', is_private=False)
>>> tldextract.extract('google.notavalidsuffix')
ExtractResult(subdomain='google', domain='notavalidsuffix', suffix='', is_private=False)
>>> tldextract.extract('http://127.0.0.1:8080/deployed/')
ExtractResult(subdomain='', domain='127.0.0.1', suffix='', is_private=False)
To rejoin the original hostname, if it was indeed a valid, registered hostname:
>>> ext = tldextract.extract('http://forums.bbc.co.uk')
>>> ext.registered_domain
'bbc.co.uk'
>>> ext.fqdn
'forums.bbc.co.uk'
By default, this package supports the public ICANN TLDs and their exceptions. You can optionally support the Public Suffix List's private domains as well.
This package started by implementing the chosen answer from this StackOverflow question on getting the "domain name" from a URL. However, the proposed regex solution doesn't address many country codes like com.au, or the exceptions to country codes like the registered domain parliament.uk. The Public Suffix List does, and so does this package.
Latest release on PyPI:
pip install tldextract
Or the latest dev version:
pip install -e 'git://github.com/john-kurkowski/tldextract.git#egg=tldextract'
Command-line usage, splits the URL components by space:
tldextract http://forums.bbc.co.uk
# forums bbc co.uk
Beware when first calling tldextract
, it updates its TLD list with a live HTTP
request. This updated TLD set is usually cached indefinitely in $HOME/.cache/python-tldextract
.
To control the cache's location, set TLDEXTRACT_CACHE environment variable or set the
cache_dir path in TLDExtract initialization.
(Arguably runtime bootstrapping like that shouldn't be the default behavior, like for production systems. But I want you to have the latest TLDs, especially when I haven't kept this code up to date.)
# extract callable that falls back to the included TLD snapshot, no live HTTP fetching
no_fetch_extract = tldextract.TLDExtract(suffix_list_urls=())
no_fetch_extract('http://www.google.com')
# extract callable that reads/writes the updated TLD set to a different path
custom_cache_extract = tldextract.TLDExtract(cache_dir='/path/to/your/cache/')
custom_cache_extract('http://www.google.com')
# extract callable that doesn't use caching
no_cache_extract = tldextract.TLDExtract(cache_dir=None)
no_cache_extract('http://www.google.com')
If you want to stay fresh with the TLD definitions--though they don't change often--delete the cache file occasionally, or run
tldextract --update
or:
env TLDEXTRACT_CACHE="~/tldextract.cache" tldextract --update
It is also recommended to delete the file after upgrading this lib.
The PSL maintains a concept of "private" domains.
PRIVATE domains are amendments submitted by the domain holder, as an expression of how they operate their domain security policy. … While some applications, such as browsers when considering cookie-setting, treat all entries the same, other applications may wish to treat ICANN domains and PRIVATE domains differently.
By default, tldextract
treats public and private domains the same.
>>> extract = tldextract.TLDExtract()
>>> extract('waiterrant.blogspot.com')
ExtractResult(subdomain='waiterrant', domain='blogspot', suffix='com', is_private=False)
The following overrides this.
>>> extract = tldextract.TLDExtract()
>>> extract('waiterrant.blogspot.com', include_psl_private_domains=True)
ExtractResult(subdomain='', domain='waiterrant', suffix='blogspot.com', is_private=True)
or to change the default for all extract calls,
>>> extract = tldextract.TLDExtract( include_psl_private_domains=True)
>>> extract('waiterrant.blogspot.com')
ExtractResult(subdomain='', domain='waiterrant', suffix='blogspot.com', is_private=True)
The thinking behind the default is, it's the more common case when people mentally parse a domain name. It doesn't assume familiarity with the PSL nor that the PSL makes a public/private distinction. Note this default may run counter to the default parsing behavior of other, PSL-based libraries.
You can specify your own input data in place of the default Mozilla Public Suffix List:
extract = tldextract.TLDExtract(
suffix_list_urls=["http://foo.bar.baz"],
# Recommended: Specify your own cache file, to minimize ambiguities about where
# tldextract is getting its data, or cached data, from.
cache_dir='/path/to/your/cache/',
fallback_to_snapshot=False)
The above snippet will fetch from the URL you specified, upon first need to download the suffix list (i.e. if the cached version doesn't exist).
If you want to use input data from your local filesystem, just use the file://
protocol:
extract = tldextract.TLDExtract(
suffix_list_urls=["file://" + "/absolute/path/to/your/local/suffix/list/file"],
cache_dir='/path/to/your/cache/',
fallback_to_snapshot=False)
Use an absolute path when specifying the suffix_list_urls
keyword argument.
os.path
is your friend.
The command line update command can be used with a URL or local file you specify:
tldextract --update --suffix_list_url "http://foo.bar.baz"
This could be useful in production when you don't want the delay associated with updating the suffix list on first use, or if you are behind a complex firewall that prevents a simple update from working.
This project doesn't contain an actual list of public suffixes. That comes from the Public Suffix List (PSL). Submit amendments there.
(In the meantime, you can tell tldextract about your exception by either
forking the PSL and using your fork in the suffix_list_urls
param, or adding
your suffix piecemeal with the extra_suffixes
param.)
Check if your suffix is in the private section of the list. See this documentation.
To keep tldextract
light in LoC & overhead, and because there are plenty of
URL validators out there, this library is very lenient with input. If valid
URLs are important to you, validate them before calling tldextract
.
To avoid parsing a string twice, you can pass tldextract
the output of
urllib.parse
methods.
For example:
extractor = TLDExtract()
split_url = urllib.parse.urlsplit("https://foo.bar.com:8080")
split_suffix = extractor.extract_urllib(split_url)
url_to_crawl = f"{split_url.scheme}://{split_suffix.registered_domain}:{split_url.port}"
tldextract
's lenient string parsing stance lowers the learning curve of using
the library, at the cost of desensitizing users to the nuances of URLs. This
could be overhauled. For example, users could opt into validation, either
receiving exceptions or error metadata on results.
git clone
this repository.pip install --upgrade --editable '.[testing]'
Run all tests against all supported Python versions:
tox --parallel
Run all tests against a specific Python environment configuration:
tox -l
tox -e py311
Automatically format all code:
black .
FAQs
Accurately separates a URL's subdomain, domain, and public suffix, using the Public Suffix List (PSL). By default, this includes the public ICANN TLDs and their exceptions. You can optionally support the Public Suffix List's private domains as well.
We found that tldextract demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.