From a9714fe51ac9df5b9f49a3480a1d6fb74a743daf Mon Sep 17 00:00:00 2001
From: meeg_leeto <miguelmurca@cumperativa.xyz>
Date: Sat, 30 Apr 2022 01:57:29 +0100
Subject: [PATCH] misc: try to be more strict in URL filter

---
 src/main.rs | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index 735314a..a5eb785 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -223,7 +223,7 @@ mod service {
     use validators::prelude::*;
 
     #[derive(Validator)]
-    #[validator(http_url(local(Allow)))]
+    #[validator(http_url(local(NotAllow)))]
     #[derive(Clone, Debug)]
     /// A struct representing a URL.
     pub struct HttpUrl {
@@ -237,6 +237,24 @@ mod service {
         }
     }
 
+    impl HttpUrl {
+        /// Transform this into an `Err(())` if the url does not match more
+        /// criteria.
+        pub fn strict(self) -> Result<Self, ()> {
+            // Don't even bother with URLs that don't have hosts.
+            if !self.url.has_host() {
+                return Err(());
+            }
+
+            // URLs that cannot be a base are weird (UNIX sockets, data types)
+            if self.url.cannot_be_a_base() {
+                return Err(())
+            }
+
+            Ok(self)
+        }
+    }
+
     /// Database management, including messaging and work stealing.
     pub mod db {
         use super::{slug::Slug, HttpUrl};
@@ -679,7 +697,9 @@ async fn shorten(
                 .into(),
             )
         })?;
-        HttpUrl::parse_str(url_str)
+        HttpUrl::parse_string(url_str)
+            .map_err(|_| (warp::http::StatusCode::BAD_REQUEST, "Invalid URL.".into()))?
+            .strict()
             .map_err(|_| (warp::http::StatusCode::BAD_REQUEST, "Invalid URL.".into()))?
     };