@seaerchin
Collaborator

Problem

go has a blacklist for link shorteners, but this check is a case agnostic check, which means that Bit.ly, for example, passes the check but bit.ly does not

Solution

  1. make the check case insensitive by converting the url to lowercase in the check. opted against converting the url to lowercase outright in case case matters for the actual url

Copilot AI left a comment

Pull request overview

This PR fixes a security vulnerability in the URL blacklist validation where case variations in domain names could bypass blacklist checks. The fix ensures that URLs like https://Bit.ly/abc are properly caught alongside https://bit.ly/abc.

Key Changes:

  • Modified isBlacklisted() to perform case-insensitive matching by converting URLs to lowercase before checking against the blacklist

Contributor

@dcshzj dcshzj left a comment

Approving first, also should add tests for this.

@seaerchin seaerchin force-pushed the fix/case-sensitivity branch from e699676 to 8f07f27 Compare December 9, 2025 04:47
@seaerchin seaerchin merged commit f88ff0e into develop Dec 9, 2025
18 checks passed
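
An added example, not part of the pull request or the project's code: a case-insensitive blacklist check with the regression cases the review asks for. The substring matching, the function names other than `isBlacklisted`, and every blacklist entry and URL except `bit.ly` are assumptions made for illustration.

```javascript
// Constructed sample blacklist; only bit.ly appears in the PR text.
const BLACKLIST = ['bit.ly', 'short.example'];

// Assumed shape of the check before the fix: case-sensitive substring match.
function isBlacklistedBefore(url, blacklist = BLACKLIST) {
  return blacklist.some((entry) => url.includes(entry));
}

// After the fix: match against a lowercased copy of the URL.
// The URL itself is never rewritten, so a case-sensitive path survives.
function isBlacklisted(url, blacklist = BLACKLIST) {
  const lowered = url.toLowerCase();
  return blacklist.some((entry) => lowered.includes(entry.toLowerCase()));
}

// Hypothetical validation step: reject blacklisted URLs, otherwise pass the
// caller's URL through byte-for-byte.
function validateLongUrl(url) {
  return isBlacklisted(url) ? { ok: false, url: null } : { ok: true, url };
}

// Constructed regression cases: mixed-case hosts must be blocked, and an
// unrelated URL with a mixed-case path must be accepted.
const CASES = [
  { url: 'https://bit.ly/abc', blocked: true },
  { url: 'https://Bit.ly/abc', blocked: true },
  { url: 'HTTPS://BIT.LY/ABC', blocked: true },
  { url: 'https://Short.Example/x', blocked: true },
  { url: 'https://example.gov.sg/Files/Report.PDF', blocked: false },
];

// Returns the URLs for which a check disagrees with the expected verdict.
function runCases(check) {
  return CASES.filter((c) => check(c.url) !== c.blocked).map((c) => c.url);
}

console.log('before fix, wrong verdicts:', runCases(isBlacklistedBefore));
console.log('after fix, wrong verdicts:', runCases(isBlacklisted));
```
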