fix: prevent IPs from being used as long URL (#2418)

* fix: prevent IPs from being used as long URL

* chore: add test for ip addresses

* chore: add try/catch loop

we do this so that if there's a drift in validation we can still return
a result

* chore: npm i

Author: seaerchin

src/shared/util/validation.ts

@@ -45,7 +45,19 @@ export function isHttps(url: string, useWhitelist = false): boolean {
 // Check if a URL string is valid.
 export function isValidUrl(url: string, useWhitelist = false): boolean {
   if (useWhitelist && isWhitelisted(url)) return true
-  return validator.isURL(url, URL_OPTS)
+  if (!validator.isURL(url, URL_OPTS)) return false
+
+  // NOTE: Reject URLs with IP addresses to prevent the use of internal or private IPs
+  // as long URLs. This is a security measure to mitigate risks such as
+  // Server-Side Request Forgery (SSRF) and unauthorized access to internal resources.
+  try {
+    // NOTE: try/catch to avoid drifts in validation
+    // between validator library and `URL` constructor
+    const host = new URL(url).hostname
+    return !validator.isIP(host)
+  } catch {
+    return false
+  }
 }
 
 // Tests if a short link consists of alphanumeric and hyphen characters.

test/shared/util/validation.test.ts

@@ -77,6 +77,11 @@ describe('Test valid url check', () => {
     const url = 'http://localhost:4566/local-bucket/file1.pdf'
     expect(validation.isValidUrl(url, true)).toBe(true)
   })
+
+  test('IP addresses fails check', () => {
+    const url = 'https://8.8.8.8:4566/local-bucket/file1.pdf'
+    expect(validation.isValidUrl(url)).toBe(false)
+  })
 })
 
 describe('Test short url check', () => {