valdiate urls

[robin-drexler]

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Added URL validation to proxy and redirect endpoints. Invalid URLs, empty URLs, or URLs with unsupported protocols now return an error response instead of attempting to process the request.

• Tests

  • Added comprehensive test coverage for URL validation across all affected endpoints, covering valid/invalid formats, empty inputs, and protocol validation.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
httsleep	Ready	Preview, Comment	Dec 20, 2025 10:42pm

[robin-drexler]

@coderabbitai review

[coderabbitai]

Walkthrough

Adds URL validation to proxy and redirect middlewares using a new validateUrl utility function. Both middlewares now validate URLs before processing, returning 400 errors for invalid inputs. Early exit paths replace unconditional processing. Comprehensive test coverage validates the utility and middleware behaviors.

Changes

Cohort / File(s)	Summary
Validation utility src/utils/validateUrl.js	New utility function that validates absolute URLs, accepting only http/https protocols and returning { valid: boolean, error?: string } with descriptive error messages.
Validation utility tests src/tests/validateUrl.test.js	New test suite covering valid URLs, empty/null/undefined inputs, invalid URL format, and disallowed protocols (file://, javascript:).
Proxy middleware validation src/middleware/proxyMiddleware.js	Adds validateUrl import and call; returns 400 with error details if proxyUrl is invalid, otherwise proceeds with existing flow.
Proxy middleware tests src/tests/proxy.test.js	Adds test case asserting 400 response for invalid proxyUrl.
Redirect middleware validation src/middleware/redirectMiddleware.js	Adds validateUrl import and call; validates finalUrl before 301 redirect, returning 400 with error message if invalid.
Redirect middleware tests src/tests/redirect.test.js	Adds test case asserting 400 response for invalid redirectUrl query parameter.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• validateUrl utility: Verify edge cases in URL parsing, protocol validation, and error message clarity
• Middleware integration: Ensure consistent validation pattern applied identically across both middlewares
• Test coverage: Confirm all validation branches are tested (valid URLs, empty, null/undefined, invalid format, disallowed protocols)

Poem

🐰 A validator hops in with grace,
Checking URLs all over the place,
Invalid ones get a 400 reply,
While valid ones safely pass by,
Security tightens, no more surprise! 🔐

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'valdiate urls' contains a typo ('valdiate' instead of 'validate') and is vague, failing to clearly summarize the main change of adding URL validation to proxy and redirect middleware.	Correct the typo to 'validate urls' or use a more descriptive title like 'Add URL validation to proxy and redirect middleware' to clearly convey the changeset's primary purpose.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch validation

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/middleware/proxyMiddleware.js (1)

10-14: LGTM! Validation properly gates proxy forwarding.

The validation correctly prevents proxying to invalid or non-HTTP(S) URLs, mitigating SSRF risks.

Optional: Avoid double URL parsing

The URL is parsed twice: once in validateUrl (line 10) and again on line 16. You could optimize by having validateUrl return the parsed URL object:

-  const validation = validateUrl(proxyUrl);
-  if (!validation.valid) {
-    return res.status(400).json({ error: validation.error });
-  }
-
-  req.url = proxyUrl;
-  const host = new URL(proxyUrl).host;
+  const validation = validateUrl(proxyUrl);
+  if (!validation.valid) {
+    return res.status(400).json({ error: validation.error });
+  }
+
+  req.url = proxyUrl;
+  const host = validation.parsed.host;  // Reuse parsed URL

However, this would require changing the validateUrl API to return the parsed URL. The current approach is simpler and the performance impact is negligible.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e22a936 and 699bba4.

📒 Files selected for processing (6)

• src/middleware/proxyMiddleware.js (1 hunks)
• src/middleware/redirectMiddleware.js (2 hunks)
• src/tests/proxy.test.js (1 hunks)
• src/tests/redirect.test.js (1 hunks)
• src/tests/validateUrl.test.js (1 hunks)
• src/utils/validateUrl.js (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (5)

src/tests/redirect.test.js (2)

src/middleware/redirectMiddleware.js (2)

• redirectUrl (5-5)
• redirectUrl (21-21)

src/middleware/proxyMiddleware.js (1)

• response (21-21)

src/middleware/proxyMiddleware.js (2)

src/middleware/redirectMiddleware.js (2)

• req (20-34)
• validation (28-28)

src/utils/validateUrl.js (1)

• validateUrl (6-23)

src/middleware/redirectMiddleware.js (2)

src/middleware/proxyMiddleware.js (2)

• req (3-32)
• validation (10-10)

src/utils/validateUrl.js (1)

• validateUrl (6-23)

src/tests/proxy.test.js (1)

src/middleware/proxyMiddleware.js (2)

• proxyUrl (4-4)
• response (21-21)

src/tests/validateUrl.test.js (1)

src/utils/validateUrl.js (1)

• validateUrl (6-23)

🔇 Additional comments (7)

src/utils/validateUrl.js (1)

6-23: LGTM! Solid validation logic with good security posture.

The validation correctly:

• Rejects empty/null/undefined inputs
• Validates URL format via the URL constructor
• Restricts protocols to HTTP/HTTPS, preventing file://, javascript:, data:, and other potentially dangerous protocols

This effectively mitigates SSRF and open redirect risks.

src/middleware/redirectMiddleware.js (2)

1-1: LGTM! Proper import of validation utility.

---

27-33: LGTM! Validation properly integrated into redirect flow.

The validation is correctly positioned after URL resolution (getRedirectUrl), ensuring:

• Relative URLs are resolved against referer first
• Only the final absolute URL is validated
• Invalid URLs return 400 before any redirect occurs

This prevents open redirects to non-HTTP(S) protocols.

src/tests/proxy.test.js (1)

22-28: LGTM! Good test coverage for invalid URL handling.

The test properly verifies that invalid proxy URLs return a 400 error response.

src/middleware/proxyMiddleware.js (1)

1-1: LGTM! Proper import of validation utility.

src/tests/redirect.test.js (1)

55-62: LGTM! Good test coverage for invalid redirect URL handling.

The test properly verifies that invalid redirect URLs return a 400 error response, consistent with the pattern used in other redirect tests.

src/tests/validateUrl.test.js (1)

4-52: LGTM! Comprehensive test coverage for URL validation.

The test suite thoroughly validates:

• Valid HTTP/HTTPS URLs ✓
• Edge cases (empty, null, undefined) ✓
• Invalid URL formats ✓
• Security: Dangerous protocols (file://, javascript:) ✓

This provides strong confidence in the validation utility's behavior.