package common
import (
"fmt"
"net/url"
"strings"
"github.com/QuantumNous/new-api/constant"
)
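// ValidateRedirectURL validates that a redirect URL is safe to use.
// It checks that:
// - The URL is properly formatted
// - The scheme is either http or https
// - The URL carries a non-empty host
// - The domain is in the trusted domains list (exact match or subdomain)
//
// Returns nil if the URL is valid and trusted, otherwise returns an error
// describing why the validation failed. A parse failure is wrapped with %w
// so callers can inspect it with errors.Is / errors.As.
func ValidateRedirectURL(rawURL string) error {
	parsedURL, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("invalid URL format: %w", err)
	}

	// url.Parse lowercases the scheme, so the comparison below is effectively
	// case-insensitive.
	if parsedURL.Scheme != "http" && parsedURL.Scheme != "https" {
		return fmt.Errorf("invalid URL scheme: only http and https are allowed")
	}

	// Hostname() strips any port and IPv6 brackets. An empty host (e.g. "http:"
	// or an opaque form such as "http:example.com") is rejected explicitly
	// instead of being compared against the list.
	domain := strings.ToLower(parsedURL.Hostname())
	if domain == "" {
		return fmt.Errorf("invalid URL: missing host")
	}

	if !isTrustedDomain(domain, constant.TrustedRedirectDomains) {
		return fmt.Errorf("domain %s is not in the trusted domains list", domain)
	}
	return nil
}

// isTrustedDomain reports whether domain (expected lowercase) equals one of
// the trusted entries or is a subdomain of one.
//
// Each entry is trimmed and lowercased before comparison so that list entries
// written with surrounding whitespace or capitals still match. Empty entries
// are skipped: with an empty entry the suffix check would become
// HasSuffix(domain, "."), which would accept any host written with a trailing
// dot, so the match must stay closed in that case.
func isTrustedDomain(domain string, trusted []string) bool {
	for _, entry := range trusted {
		entry = strings.ToLower(strings.TrimSpace(entry))
		if entry == "" {
			continue
		}
		if domain == entry || strings.HasSuffix(domain, "."+entry) {
			return true
		}
	}
	return false
}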