Misc: Clean some code in UrlSanitizer
This commit is contained in:
parent
31a80420ec
commit
78c5ba93c7
1 changed files with 15 additions and 15 deletions
@ -16,10 +16,11 @@ module UrlSanitizer
],
],
}
}
# Returns wether the given string is an ASCII word. This is the same as
# Returns whether the given string is an ASCII word. This is the same as
# running the following regex in US-ASCII locale: /^[\w-]+$/
# running the following regex in US-ASCII locale: /^[\w-]+$/
private def ascii_word?(str : String) : Bool
private def ascii_word?(str : String) : Bool
if str.bytesize == str.size
return false if str.bytesize != str.size
str.each_byte do |byte|
str.each_byte do |byte|
next if 'a'.ord <= byte <= 'z'.ord
next if 'a'.ord <= byte <= 'z'.ord
next if 'A'.ord <= byte <= 'Z'.ord
next if 'A'.ord <= byte <= 'Z'.ord
@ -30,9 +31,6 @@ module UrlSanitizer
end
end
return true
return true
else
return false
end
end
end
# Return which kind of parameters are allowed based on the
# Return which kind of parameters are allowed based on the
@ -74,12 +72,15 @@ module UrlSanitizer
str = "https://#{str}" if !str.starts_with?(/https?:\/\//)
str = "https://#{str}" if !str.starts_with?(/https?:\/\//)
unsafe_uri = URI.parse(str)
unsafe_uri = URI.parse(str)
unsafe_host = unsafe_uri.host
unsafe_path = unsafe_uri.path
new_uri = URI.new(path: "/")
new_uri = URI.new(path: "/")
# Redirect to homepage for bogus URLs
# Redirect to homepage for bogus URLs
return new_uri if (unsafe_uri.host.nil? || unsafe_uri.path.nil?)
return new_uri if (unsafe_host.nil? || unsafe_path.nil?)
breadcrumbs = unsafe_uri.path
breadcrumbs = unsafe_path
.split('/', remove_empty: true)
.split('/', remove_empty: true)
.compact_map do |bc|
.compact_map do |bc|
# Exclude attempts at path trasversal
# Exclude attempts at path trasversal
@ -96,7 +97,7 @@ module UrlSanitizer
return new_uri if breadcrumbs.empty?
return new_uri if breadcrumbs.empty?
# Replace the original query parameters with the sanitized ones
# Replace the original query parameters with the sanitized ones
case unsafe_uri.host.not_nil!
case unsafe_host
when .ends_with?("youtube.com")
when .ends_with?("youtube.com")
# Use our sanitized path (not forgetting the leading '/')
# Use our sanitized path (not forgetting the leading '/')
new_uri.path = "/#{breadcrumbs.join('/')}"
new_uri.path = "/#{breadcrumbs.join('/')}"
@ -115,7 +116,6 @@ module UrlSanitizer
new_uri.query_params = new_params
new_uri.query_params = new_params
end
end
new_uri.host = nil # Safety measure
return new_uri
return new_uri
end
end
end
end
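Review bot: The host dispatch rewritten as `case unsafe_host` in the fourth hunk still selects the YouTube branch with `when .ends_with?("youtube.com")`, which also matches any unrelated host whose name merely ends in that string (a constructed example: `notyoutube.com`); an exact or dotted-suffix match, `when "youtube.com", .ends_with?(".youtube.com")`, is the usual form, and the same presumably applies to the other `when` branches that fall between the fourth and fifth hunks and are not visible here. The fifth hunk drops `new_uri.host = nil # Safety measure`; that looks safe because `new_uri` is built with `URI.new(path: "/")` and no visible branch assigns its host, but since the branches between the two hunks are not shown, confirm none of them copies `unsafe_host` into `new_uri` before relying on the removal. In the third hunk, `return new_uri if (unsafe_host.nil? || unsafe_path.nil?)` keeps the parentheses around the modifier condition, which are unidiomatic and can be dropped. The enclosing method begins before the third hunk, so its name and signature are not visible in this view.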