 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
package common

import (
	"fmt"
	"net/url"
	"strings"

	"github.com/QuantumNous/new-api/constant"
)

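// ValidateRedirectURL validates that a redirect URL is safe to use (an
// open-redirect guard). It checks that:
//   - The URL is properly formatted (url.Parse accepts it)
//   - The scheme is either http or https (url.Parse lowercases the scheme,
//     so "HTTPS://..." is accepted as well)
//   - The URL carries a non-empty host
//   - The host (port stripped, lowercased) is in the trusted domains list,
//     either as an exact match or as a subdomain on a dot boundary
//     ("a.trusted.com" matches "trusted.com"; "evil-trusted.com" and
//     "trusted.com.evil.com" do not)
//
// Only the parsed hostname is compared: userinfo
// ("http://trusted.com@evil.com/" resolves to host "evil.com") and the port
// do not influence the result, and a trailing-dot FQDN ("trusted.com.") is
// not normalised and therefore does not match.
//
// Returns nil if the URL is valid and trusted, otherwise returns an error
// describing why the validation failed.
func ValidateRedirectURL(rawURL string) error {
	parsedURL, err := url.Parse(rawURL)
	if err != nil {
		// %w keeps the same message as before while preserving the chain.
		return fmt.Errorf("invalid URL format: %w", err)
	}

	if parsedURL.Scheme != "http" && parsedURL.Scheme != "https" {
		return fmt.Errorf("invalid URL scheme: only http and https are allowed")
	}

	domain := strings.ToLower(parsedURL.Hostname())

	// Reject host-less forms such as "http:///path" or "http:evil.com"
	// explicitly instead of relying on them failing the list comparison:
	// an empty entry in the trusted list would otherwise match them.
	if domain == "" {
		return fmt.Errorf("invalid URL: missing host")
	}

	if !hostMatchesTrustedDomain(domain, constant.TrustedRedirectDomains) {
		return fmt.Errorf("domain %s is not in the trusted domains list", domain)
	}
	return nil
}

// hostMatchesTrustedDomain reports whether host (already lowercased, port
// stripped) equals one of the trusted entries or is a subdomain of one.
//
// Entries are compared case-insensitively with surrounding whitespace
// trimmed, so a configured "Trusted.COM" still matches. Empty or blank
// entries are skipped: an empty entry would otherwise turn the check into
// strings.HasSuffix(host, "."), accepting any host written with a trailing
// dot (e.g. "evil.com.").
func hostMatchesTrustedDomain(host string, trusted []string) bool {
	for _, entry := range trusted {
		td := strings.ToLower(strings.TrimSpace(entry))
		if td == "" {
			continue
		}
		if host == td || strings.HasSuffix(host, "."+td) {
			return true
		}
	}
	return false
}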