From 38f9d1e76428bea47c5944c440eab25428c7d99e Mon Sep 17 00:00:00 2001
From: syuilo
Date: Sat, 4 Feb 2023 14:20:07 +0900
Subject: fix(client): validate urls to improve security

---
 packages/backend/src/server/web/UrlPreviewService.ts | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'packages/backend/src/server')

diff --git a/packages/backend/src/server/web/UrlPreviewService.ts b/packages/backend/src/server/web/UrlPreviewService.ts
index 1bf88fe434..57461b7a33 100644
--- a/packages/backend/src/server/web/UrlPreviewService.ts
+++ b/packages/backend/src/server/web/UrlPreviewService.ts
@@ -73,6 +73,14 @@ export class UrlPreviewService {
 			});
 
 			this.logger.succ(`Got preview of ${url}: ${summary.title}`);
+
+			if (summary.url && !(summary.url.startsWith('http://') || summary.url.startsWith('https://'))) {
+				throw new Error('unsupported schema included');
+			}
+
+			if (summary.player?.url && !(summary.player.url.startsWith('http://') || summary.player.url.startsWith('https://'))) {
+				throw new Error('unsupported schema included');
+			}
 
 			summary.icon = this.wrap(summary.icon);
 			summary.thumbnail = this.wrap(summary.thumbnail);
-- 
cgit v1.2.3-freya
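Review bot: The scheme check is duplicated verbatim for `summary.url` and `summary.player.url`, and a plain prefix test is a fragile way to express an allowlist of URL schemes; a small helper that parses the value with `new URL()` and compares `protocol` against `['http:', 'https:']` keeps the two call sites identical and cannot drift apart when a third field needs the same guard. The helper should treat a parse failure as "not allowed" rather than letting a malformed value pass through. The error message says `schema` where `scheme` is meant, so the proposed lines use `'unsupported scheme included'`. Note that `summary.icon` and `summary.thumbnail` are only routed through `this.wrap(...)` on the context lines below and are not covered by the new check; whether `wrap` rejects non-HTTP values is not visible in this hunk, so that should be confirmed. The enclosing method begins and ends outside the hunk, so where the thrown `Error` is caught and what the client sees is also not visible here.
```typescript
const isHttpUrl = (value: string): boolean => {
	try {
		return ['http:', 'https:'].includes(new URL(value).protocol);
	} catch {
		// unparseable input is treated as disallowed, not as "no scheme"
		return false;
	}
};

// … unchanged: logger.succ call …
if (summary.url && !isHttpUrl(summary.url)) {
	throw new Error('unsupported scheme included');
}

if (summary.player?.url && !isHttpUrl(summary.player.url)) {
	throw new Error('unsupported scheme included');
}
// … unchanged: icon/thumbnail wrapping …
```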