check input URL scheme before continuing

author: Hazelnoot <acomputerdog@gmail.com> 2025-05-28 13:31:40 -0400
committer: Hazelnoot <acomputerdog@gmail.com> 2025-06-04 10:47:19 -0400
commit: f601cff5c5222d6f3a7c06ecbafb3d07ad63997f (patch)
tree: 87b7234e8c9ef289dcc5eb704f902cf10d8a8955 /packages/backend/src/server/web
parent: check if previews are disabled before anything else (diff)
download: sharkey-f601cff5c5222d6f3a7c06ecbafb3d07ad63997f.tar.gz
sharkey-f601cff5c5222d6f3a7c06ecbafb3d07ad63997f.tar.bz2
sharkey-f601cff5c5222d6f3a7c06ecbafb3d07ad63997f.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/packages/backend/src/server/web/UrlPreviewService.ts b/packages/backend/src/server/web/UrlPreviewService.ts
index 160cf37c00..da2660ab0f 100644
--- a/packages/backend/src/server/web/UrlPreviewService.ts
+++ b/packages/backend/src/server/web/UrlPreviewService.ts
@@ -139,6 +139,13 @@ export class UrlPreviewService {
 			return;
 		}
 
+		// Enforce HTTP(S) for input URLs
+		const urlScheme = this.utilityService.getUrlScheme(url);
+		if (urlScheme !== 'http:' && urlScheme !== 'https:') {
+			reply.code(400);
+			return;
+		}
+
 		const lang = request.query.lang;
 		if (Array.isArray(lang)) {
 			reply.code(400);
author	Hazelnoot <acomputerdog@gmail.com>	2025-05-28 13:31:40 -0400
committer	Hazelnoot <acomputerdog@gmail.com>	2025-06-04 10:47:19 -0400
commit	f601cff5c5222d6f3a7c06ecbafb3d07ad63997f (patch)
tree	87b7234e8c9ef289dcc5eb704f902cf10d8a8955 /packages/backend/src/server/web
parent	check if previews are disabled before anything else (diff)
download	sharkey-f601cff5c5222d6f3a7c06ecbafb3d07ad63997f.tar.gz sharkey-f601cff5c5222d6f3a7c06ecbafb3d07ad63997f.tar.bz2 sharkey-f601cff5c5222d6f3a7c06ecbafb3d07ad63997f.zip