From 406397c679e239a2f0adb992be4a1425593ae0ff Mon Sep 17 00:00:00 2001
From: Hannes Kuchelmeister
Date: Fri, 3 Sep 2021 14:49:59 +0200
Subject: [PATCH] add url validation
---
 src/main.rs | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/src/main.rs b/src/main.rs
index 6af3ee5..123b257 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,4 +1,5 @@
 use std::collections::HashMap;
+use url::Url;
 use actix_web::{error, web, App, Error, HttpRequest, HttpResponse, HttpServer, Responder, Result};
 use sqlx::{Pool, Sqlite, SqlitePool};
@@ -127,10 +128,19 @@ async fn edit_process(
 tmpl: web::Data,
 query: web::Query>,
 db_pool: web::Data>,
+ config: web::Data,
 ) -> Result {
 // TODO: implement handling
 if let Some(uuid_str) = query.get("uuid") {
 if let Some(destination) = query.get("link") {
+ if destination.starts_with(&config.root) {
+ return error_page(tmpl, "url cannot contain url of ics-proxy".to_string());
+ };
+
+ if let Err(_) = Url::parse(destination) {
+ return error_page(tmpl, "could not parse url".to_string());
+ }
+
 match Uuid::parse_str(uuid_str) {
 Ok(uuid) => {
 let link = Link {
@@ -161,6 +171,7 @@ async fn index_process(
 tmpl: web::Data,
 query: web::Query>,
 db_pool: web::Data>,
+ config: web::Data,
 ) -> Result {
 if query.get("create").is_some() {
 let uuid = Uuid::new_v4();
@@ -168,6 +179,14 @@ async fn index_process(
 match query.get("link") {
 // TODO: actually parse link to url to make sure its valid
 Some(destination) => {
+ if destination.starts_with(&config.root) {
+ return error_page(tmpl, "url cannot contain url of ics-proxy".to_string());
+ };
+
+ if let Err(_) = Url::parse(destination) {
+ return error_page(tmpl, "could not parse url".to_string());
+ }
+
 let insert_link = Link {
 uuid: uuid.to_string(),
 destination: destination.to_string(),
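Review bot: The self-reference guard `destination.starts_with(&config.root)` in edit_process is a plain string-prefix test done before the URL is parsed, so any other spelling of the same origin (scheme or host case, an explicit default port, embedded credentials) slips past it; compare the parsed URL's host and port against the parsed `config.root` instead. `Url::parse` also accepts any scheme, so if the proxy fetches this destination server-side (not visible in this patch) the scheme should be allow-listed to http/https rather than accepting whatever parses. The same two checks are pasted into index_process in the `@@ -168,6 +179,14 @@` hunk, and in both the parsed `Url` is thrown away while the raw string is stored, so a shared helper that returns the `Url` removes the duplication, the stray `};`, and the `if let Err(_)` that clippy flags as `redundant_pattern_matching`. The `// TODO: actually parse link to url to make sure its valid` context line in that hunk is now stale and should be dropped. Both edit_process and index_process continue outside their hunks.
```rust
/// Parses `destination` and rejects anything the proxy must not follow:
/// a non-http(s) scheme, or a URL whose host and port are the proxy itself.
fn validate_destination(destination: &str, root: &str) -> Result<Url, &'static str> {
    let url = Url::parse(destination).map_err(|_| "could not parse url")?;
    if !matches!(url.scheme(), "http" | "https") {
        return Err("only http and https urls are supported");
    }
    // Compare origins, not string prefixes, so alternate spellings of the
    // proxy's own address are caught as well.
    let root = Url::parse(root).map_err(|_| "could not parse url")?;
    if url.host_str() == root.host_str()
        && url.port_or_known_default() == root.port_or_known_default()
    {
        return Err("url cannot contain url of ics-proxy");
    }
    Ok(url)
}

// … in edit_process, replacing the two added `if` blocks (same shape in index_process) …
        if let Some(destination) = query.get("link") {
            let destination = match validate_destination(destination, &config.root) {
                Ok(url) => url,
                Err(msg) => return error_page(tmpl, msg.to_string()),
            };
            // … unchanged: Uuid::parse_str match and Link construction …
```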