feat(api): add URL validation for external links in og and proxy handlers

QSchlegel · QSchlegel · commit c10f089d92b4 · 2025-09-23T12:43:03.000+02:00
diff --git a/src/pages/api/v1/og.ts b/src/pages/api/v1/og.ts
@@ -1,5 +1,43 @@
 import type { NextApiRequest, NextApiResponse } from "next";
 
+function isValidExternalUrl(url: string): boolean {
+  try {
+    const parsed = new URL(url);
+    
+    // Only allow HTTP and HTTPS protocols
+    if (!['http:', 'https:'].includes(parsed.protocol)) {
+      return false;
+    }
+    
+    // Block private/internal IP ranges
+    const hostname = parsed.hostname;
+    
+    // Block localhost and loopback
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1') {
+      return false;
+    }
+    
+    // Block private IP ranges (RFC 1918)
+    const privateRanges = [
+      /^10\./,                    // 10.0.0.0/8
+      /^172\.(1[6-9]|2[0-9]|3[0-1])\./, // 172.16.0.0/12
+      /^192\.168\./,              // 192.168.0.0/16
+      /^169\.254\./,              // Link-local
+      /^::1$/,                    // IPv6 loopback
+      /^fc00:/,                   // IPv6 private
+      /^fe80:/,                   // IPv6 link-local
+    ];
+    
+    if (privateRanges.some(range => range.test(hostname))) {
+      return false;
+    }
+    
+    return true;
+  } catch {
+    return false;
+  }
+}
+
 function extractMeta(html: string, property: string): string | null {
   const propRegex = new RegExp(`<meta[^>]+property=["']${property}["'][^>]*content=["']([^"']+)["'][^>]*>`, "i");
   const nameRegex = new RegExp(`<meta[^>]+name=["']${property}["'][^>]*content=["']([^"']+)["'][^>]*>`, "i");
@@ -46,6 +84,10 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
   if (!url) {
     return res.status(400).json({ error: "Missing url parameter" });
   }
+  
+  if (!isValidExternalUrl(url)) {
+    return res.status(400).json({ error: "Invalid or unsafe URL" });
+  }
 
   try {
     const controller = new AbortController();
diff --git a/src/pages/api/v1/proxy.ts b/src/pages/api/v1/proxy.ts
@@ -1,10 +1,52 @@
 import type { NextApiRequest, NextApiResponse } from "next";
 
+function isValidExternalUrl(url: string): boolean {
+  try {
+    const parsed = new URL(url);
+    
+    // Only allow HTTP and HTTPS protocols
+    if (!['http:', 'https:'].includes(parsed.protocol)) {
+      return false;
+    }
+    
+    // Block private/internal IP ranges
+    const hostname = parsed.hostname;
+    
+    // Block localhost and loopback
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1') {
+      return false;
+    }
+    
+    // Block private IP ranges (RFC 1918)
+    const privateRanges = [
+      /^10\./,                    // 10.0.0.0/8
+      /^172\.(1[6-9]|2[0-9]|3[0-1])\./, // 172.16.0.0/12
+      /^192\.168\./,              // 192.168.0.0/16
+      /^169\.254\./,              // Link-local
+      /^::1$/,                    // IPv6 loopback
+      /^fc00:/,                   // IPv6 private
+      /^fe80:/,                   // IPv6 link-local
+    ];
+    
+    if (privateRanges.some(range => range.test(hostname))) {
+      return false;
+    }
+    
+    return true;
+  } catch {
+    return false;
+  }
+}
+
 export default async function handler(req: NextApiRequest, res: NextApiResponse) {
   const src = req.query.src as string | undefined;
   if (!src) {
     return res.status(400).json({ error: "Missing src parameter" });
   }
+  
+  if (!isValidExternalUrl(src)) {
+    return res.status(400).json({ error: "Invalid or unsafe URL" });
+  }
   try {
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), 10000);
