From e3796e7c90ecce3f07ae66fe568a6947863eed39 Mon Sep 17 00:00:00 2001 From: Brian <18603393+brian6932@users.noreply.github.com> Date: Wed, 16 Oct 2024 19:12:40 -0400 Subject: [PATCH] fix: Redirect checking being applied to all URIs should fix #67 --- pages/api/create.js | 121 ++++++++++++++++++++++---------------------- 1 file changed, 60 insertions(+), 61 deletions(-) diff --git a/pages/api/create.js b/pages/api/create.js index 37eaeee..6bcd1f6 100644 --- a/pages/api/create.js +++ b/pages/api/create.js @@ -3,7 +3,7 @@ import { db } from "../../utils/firebase"; import CryptoJS from "crypto-js"; import { StatusCodes } from "http-status-codes"; -const regex = /^(https?|ftp|magnet):(?:\/\/[^\s/$.?#].[^\s]*|[^\s]*)$/; +const regex = /^(?:(http)s?|ftp|magnet):(?:\/\/[^\s/$.?#].[^\s]*|[^\s]*)$/; const slugRegex = /^[a-z0-9](-?[a-z0-9])*$/; @@ -91,7 +91,8 @@ export default async function handler(req, res) { } const collectionName = - process.env.NODE_ENV === "production" ? "links" : "testLinks"; + process.env.NODE_ENV === "production" ? "links" : "testLinks", + URI = regex.exec(link); // check if link is valid if (link.length < 1) { @@ -100,7 +101,7 @@ export default async function handler(req, res) { .json({ slug, message: "You entered an invalid link" }); } - if (!regex.test(link)) { + if (URI === null) { return res.status(StatusCodes.BAD_REQUEST).json({ slug, message: 
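Review bot: The scheme test now hinges on an anonymous capture, `(?:(http)s?|ftp|magnet)`, so a reader who meets `URI[1]` later in the file has to come back to this line to learn that index 1 is `"http"` for both http and https and `undefined` for ftp and magnet. A named group states that at both ends: `const regex = /^(?:(?<http>http)s?|ftp|magnet):(?:\/\/[^\s/$.?#].[^\s]*|[^\s]*)$/;` with the later test written as `if (URI.groups.http) {`. A one-line comment above the regex, `// group "http" marks the schemes that are fetched for redirects and sent to Safe Browsing`, would make the coupling explicit.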
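Review bot: `URI` is chained onto the `collectionName` declaration with a comma, `... ? "links" : "testLinks", URI = regex.exec(link);`, which hides a second, unrelated binding in the continuation of the first; declare it on its own, `const URI = regex.exec(link);`, and since it holds a match result rather than a constant, a camelCase name such as `uriMatch` would read better. The exec now runs before the `link.length < 1` guard; `RegExp.prototype.exec` stringifies a non-string `link`, which yields `null` for anything that does not match and is then rejected by the `URI === null` test in the next hunk, so the reordering looks harmless but deserves a short comment. The handler begins and continues outside the hunk.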
@@ -126,71 +127,69 @@ export default async function handler(req, res) { return res.status(401).json({ message: "Malicious link entered!" }); } - // Redirection check - try { - // Step 1: Check for HTTP redirects using fetch - const { response, redirectCount } = await fetchWithRedirects( - link, - MAX_REDIRECTS, - ); - - if (redirectCount >= MAX_REDIRECTS) { - return res.status(400).json({ - message: `Suspcious URL detected. If this is a valid URL, please report this issue.`, + if (URI[1]) { + // Redirection check + try { + // Step 1: Check for HTTP redirects using fetch + const { response, redirectCount } = await fetchWithRedirects( + link, + MAX_REDIRECTS, + ); + + if (redirectCount >= MAX_REDIRECTS) { + return res.status(400).json({ + message: `Suspcious URL detected. If this is a valid URL, please report this issue.`, + }); + } + } catch (error) { + console.error("Error checking link:", error); + return res.status(500).json({ + message: "Error checking the link.", }); } - } catch (error) { - console.error("Error checking link:", error); - return res.status(500).json({ - message: "Error checking the link.", - }); - } - if ( - process.env.SKIP_SAFE_BROWSING === "true" || - link.startsWith("magnet:") || - link.startsWith("ftp:") - ) { - console.log("Skipping safe browsing check"); - } else { - try { - const response = await fetch( - "https://safebrowsing.googleapis.com/v4/threatMatches:find?key=" + - apiKey, - { - method: "POST", - headers: { - "Content-Type": "application/json", - }, - body: JSON.stringify({ - client: { - clientId: "maglit-website", - clientVersion: "1.0.0", - }, - threatInfo: { - threatTypes: [ - "MALWARE", - "SOCIAL_ENGINEERING", - "UNWANTED_SOFTWARE", - "POTENTIALLY_HARMFUL_APPLICATION", - ], - platformTypes: ["ANY_PLATFORM"], - threatEntryTypes: ["URL"], - threatEntries: [{ url: `${link}` }], + if (process.env.SKIP_SAFE_BROWSING === "true") { + console.log("Skipping safe browsing check"); + } else { + try { + const response = await fetch( + 
"https://safebrowsing.googleapis.com/v4/threatMatches:find?key=" + + apiKey, + { + method: "POST", + headers: { + "Content-Type": "application/json", }, - }), - }, - ); + body: JSON.stringify({ + client: { + clientId: "maglit-website", + clientVersion: "1.0.0", + }, + threatInfo: { + threatTypes: [ + "MALWARE", + "SOCIAL_ENGINEERING", + "UNWANTED_SOFTWARE", + "POTENTIALLY_HARMFUL_APPLICATION", + ], + platformTypes: ["ANY_PLATFORM"], + threatEntryTypes: ["URL"], + threatEntries: [{ url: `${link}` }], + }, + }), + }, + ); - const data = await response.json(); - console.log("🚀 => data:", data); + const data = await response.json(); + console.log("🚀 => data:", data); - if (data && data?.matches?.length > 0) { - // Handle error cases where the URL might not be checked by Safe Browsing - res.status(401).json({ message: "Malicious link entered!" }); + if (data && data?.matches?.length > 0) { + // Handle error cases where the URL might not be checked by Safe Browsing + res.status(401).json({ message: "Malicious link entered!" }); + } + } catch (error) { + res.status(500).json({ error: "Failed to check the URL." }); } - } catch (error) { - res.status(500).json({ error: "Failed to check the URL." }); } }
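Review bot: The Safe Browsing match branch and its catch write a response but do not return, `res.status(401).json({ message: "Malicious link entered!" });` and `res.status(500).json({ error: "Failed to check the URL." });`, unlike the redirect-limit branch above them that does `return res.status(400)...`, so the handler keeps executing after a positive match. What follows the `if (URI[1])` block is outside the hunk, but if it persists the link, a flagged URL is still shortened and any later `res.status()` call will fail on an already-sent response; make both `return res.status(...)...` so a match or a lookup failure is a hard stop. `response` is destructured from `fetchWithRedirects` but never used in the new block, and the user-facing string `Suspcious URL detected` is misspelled (`Suspicious`). The handler starts and ends outside the hunk.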