author | Lauris BH <lauris@nix.lv> | 2018-08-15 09:29:37 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-08-15 09:29:37 +0300 |
commit | 92466129ec242536c71b66a8987d9b37e6bc0bce (patch) | |
tree | b9ac6959ef6365a6215868cba4083f53b74fa094 /modules/validation/helpers.go | |
parent | 0449330dbce812e67f3309c11e265eb6a5bc0c7e (diff) | |
Improve URL validation for external wiki and external issues (#4710)
* Improve URL validation for external wiki and external issues
* Also disallow localhost addresses for external URLs
Diffstat (limited to 'modules/validation/helpers.go')
-rw-r--r-- | modules/validation/helpers.go | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/modules/validation/helpers.go b/modules/validation/helpers.go
new file mode 100644
index 0000000000..9a4dfab7a4
--- /dev/null
+++ b/modules/validation/helpers.go
@@ -0,0 +1,77 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package validation
+
+import (
+ "net"
+ "net/url"
+ "strings"
+
+ "code.gitea.io/gitea/modules/setting"
+)
+
+var loopbackIPBlocks []*net.IPNet
+
+func init() {
+ for _, cidr := range []string{
+ "127.0.0.0/8", // IPv4 loopback
+ "::1/128", // IPv6 loopback
+ } {
+ if _, block, err := net.ParseCIDR(cidr); err == nil {
+ loopbackIPBlocks = append(loopbackIPBlocks, block)
+ }
+ }
+}
+
+func isLoopbackIP(ip string) bool {
+ pip := net.ParseIP(ip)
+ if pip == nil {
+ return false
+ }
+ for _, block := range loopbackIPBlocks {
+ if block.Contains(pip) {
+ return true
+ }
+ }
+ return false
+}
+
+// IsValidURL checks if URL is valid
+func IsValidURL(uri string) bool {
+ if u, err := url.ParseRequestURI(uri); err != nil ||
+ (u.Scheme != "http" && u.Scheme != "https") ||
+ !validPort(portOnly(u.Host)) {
+ return false
+ }
+
+ return true
+}
+
+// IsAPIURL checks if URL is current Gitea instance API URL
+func IsAPIURL(uri string) bool {
+ return strings.HasPrefix(strings.ToLower(uri), strings.ToLower(setting.AppURL+"api"))
+}
+
+// IsValidExternalURL checks if URL is valid external URL
+func IsValidExternalURL(uri string) bool {
+ if !IsValidURL(uri) || IsAPIURL(uri) {
+ return false
+ }
+
+ u, err := url.ParseRequestURI(uri)
+ if err != nil {
+ return false
+ }
+
+ // Currently check only if not loopback IP is provided to keep compatibility
+ if isLoopbackIP(u.Hostname()) || strings.ToLower(u.Hostname()) == "localhost" {
+ return false
+ }
+
+ // TODO: Later it should be added to allow local network IP addreses
+ // only if allowed by special setting
+
+ return true
+} |
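Review bot: The loopback rejection at the end of `IsValidExternalURL` compares only the literal host text, so a fully qualified `localhost.` (trailing dot), the unspecified addresses, and any DNS name that resolves into 127.0.0.0/8 or ::1 still return true. Normalising first with `host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")` and testing `ip.IsLoopback() || ip.IsUnspecified()` on the parsed `net.IP` would cover the literal cases and make the CIDR table built in `init` unnecessary. Name resolution cannot be settled by a string validator, so the doc comment should say so, e.g. `// IsValidExternalURL is a syntactic check only: it does not resolve the host, so any code that fetches the URL must re-check the address it actually connects to.` `IsAPIURL` also prefix-matches the raw string against `setting.AppURL+"api"`, which presumably assumes AppURL ends in a slash and would also match sibling paths that merely begin with `api`; comparing the parsed host and a `/api/` path segment would be stricter. `validPort` and `portOnly` are not defined in this hunk, so their handling of an empty port could not be reviewed here.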