Merge branch '241' into 'main'

azmeuk · azmeuk · commit 089873637e3a · 2025-03-10T07:11:14.000Z
Replace regex with urlparse in validate_uri

See merge request yaal/canaille!245
diff --git a/canaille/app/__init__.py b/canaille/app/__init__.py
@@ -2,9 +2,9 @@
 import hashlib
 import hmac
 import json
-import re
 from base64 import b64encode
 from io import BytesIO
+from urllib.parse import urlparse
 
 from flask import current_app
 from flask import request
@@ -52,16 +52,10 @@ def get_current_mail_domain():
 
 
 def validate_uri(value):
-    regex = re.compile(
-        r"^(?:[A-Z0-9\\.-]+)s?://"  # scheme + ://
-        r"(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|"  # domain...
-        r"[A-Z0-9\\.-]+|"  # hostname...
-        r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"  # ...or ip
-        r"(?::\d+)?"  # optional port
-        r"(?:/?|[/?]\S+)$",
-        re.IGNORECASE,
+    parsed = urlparse(value)
+    return (parsed.scheme in ["http", "https"] or "." in parsed.scheme) and bool(
+        parsed.netloc
     )
-    return re.match(regex, value) is not None
 
 
 class classproperty:
diff --git a/tests/app/test_apputils.py b/tests/app/test_apputils.py
@@ -3,7 +3,13 @@
 
 def test_validate_uri():
     assert validate_uri("https://canaille.test")
-    assert validate_uri("scheme.with.dots://canaille.test")
+    assert validate_uri("http://canaille.test")
+    assert validate_uri("scheme.with.dots://canaille.tld")
     assert validate_uri("scheme.with.dots://localhost")
     assert validate_uri("scheme.with.dots://oauth")
+    assert validate_uri("http://127.0.0.1")
+    assert validate_uri("http://127.0.0.1:8000")
+    assert not validate_uri("data://canaille.test")
+    assert not validate_uri("file://canaille.test")
+    assert not validate_uri("javascript:alert()")
     assert not validate_uri("invalid")
