feat: Add trusted redirect domains.
This commit is contained in:
mehunk
39
common/url_validator.go
Normal file
39
common/url_validator.go
Normal file
@@ -0,0 +1,39 @@
|
||||
package common
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/url"
|
||||
"strings"
|
||||
|
||||
"github.com/QuantumNous/new-api/constant"
|
||||
)
|
||||
|
||||
// ValidateRedirectURL validates that a redirect URL is safe to use.
|
||||
// It checks that:
|
||||
// - The URL is properly formatted
|
||||
// - The scheme is either http or https
|
||||
// - The domain is in the trusted domains list (exact match or subdomain)
|
||||
//
|
||||
// Returns nil if the URL is valid and trusted, otherwise returns an error
|
||||
// describing why the validation failed.
|
||||
func ValidateRedirectURL(rawURL string) error {
|
||||
// Parse the URL
|
||||
parsedURL, err := url.Parse(rawURL)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid URL format: %s", err.Error())
|
||||
}
|
||||
|
||||
if parsedURL.Scheme != "http" && parsedURL.Scheme != "https" {
|
||||
return fmt.Errorf("invalid URL scheme: only http and https are allowed")
|
||||
}
|
||||
|
||||
domain := strings.ToLower(parsedURL.Hostname())
|
||||
|
||||
for _, trustedDomain := range constant.TrustedRedirectDomains {
|
||||
if domain == trustedDomain || strings.HasSuffix(domain, "."+trustedDomain) {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
return fmt.Errorf("domain %s is not in the trusted domains list", domain)
|
||||
}
|
||||
Reference in New Issue
Block a user