It is unsafe to match untrusted input against a regular expression that has no ^
anchor. An unanchored pattern is free to match anywhere in the input, so an
attacker can embed an allowed value inside a malicious one (for example in a
URL's query string) and bypass the system's security checks.
package main

import (
	"errors"
	"net/http"
	"regexp"
)

// validateURL has the signature of http.Client.CheckRedirect, so req.URL is
// a redirect target that may be controlled by an attacker.
func validateURL(req *http.Request, via []*http.Request) error {
	// NOTE: Given the vulnerable regular expression with no anchor, the
	// check is easy to bypass. For example:
	//   http://<unsafe-site>.com/?x=http://www.deepsource.com/
	// also matches, because the allowed URL is embedded in the query
	// string component and no `^` pins the pattern to the start.
	// A raw string literal is used so that `\.` is not treated as a Go
	// escape sequence (it would not compile inside a "..." literal).
	re := `https?://www\.deepsource\.com/`
	if matched, _ := regexp.MatchString(re, req.URL.String()); matched {
		return nil
	}
	return errors.New("invalid URL")
}
Here, the check with the regular expression match (regexp.MatchString) is easy
to bypass. For example, the string http://www.deepsource.com/ can be embedded in
the query string component: http://<any>/?x=http://www.deepsource.com/ and the
whole URL still matches, because the pattern is allowed to start anywhere in the
input. Anchoring the pattern with ^ so that it can only match at the beginning
of the URL fixes this:
package main

import (
	"errors"
	"net/http"
	"regexp"
)

func validateURL(req *http.Request, via []*http.Request) error {
	// `^` forces the match to begin at the start of the URL, so an allowed
	// URL hidden in the query string no longer satisfies the check.
	re := `^https?://www\.deepsource\.com/`
	if matched, _ := regexp.MatchString(re, req.URL.String()); matched {
		return nil
	}
	return errors.New("invalid URL")
}
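The following is an added, self-contained example (not code from the original page or from DeepSource) that runs the unanchored and anchored patterns side by side over a few constructed URLs, so the bypass and the fix can be observed directly. It also includes a third check, `CheckParsed`, which is an assumption of this editor rather than something the page prescribes: it parses the URL and compares the scheme and host fields exactly instead of pattern-matching the serialized string. `attacker.example` is a placeholder host.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// unanchored is the vulnerable pattern: with no ^ it may match anywhere in
// the string, including inside the query string component.
var unanchored = regexp.MustCompile(`https?://www\.deepsource\.com/`)

// anchored is the fixed pattern: ^ pins the match to the start of the URL.
var anchored = regexp.MustCompile(`^https?://www\.deepsource\.com/`)

// CheckUnanchored reports whether the vulnerable pattern accepts raw.
func CheckUnanchored(raw string) bool { return unanchored.MatchString(raw) }

// CheckAnchored reports whether the anchored pattern accepts raw.
func CheckAnchored(raw string) bool { return anchored.MatchString(raw) }

// CheckParsed is an alternative that does not rely on a regular expression
// at all: parse the URL and compare the scheme and host fields exactly.
// (Assumption: this is the editor's preferred approach, not a check the
// original page prescribes.)
func CheckParsed(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("invalid scheme")
	}
	// Hostname strips any :port, so a non-default port is accepted here
	// while the string-based patterns above reject it.
	if u.Hostname() != "www.deepsource.com" {
		return errors.New("invalid host")
	}
	return nil
}

func main() {
	// Constructed sample inputs; attacker.example is a placeholder host.
	inputs := []string{
		"https://www.deepsource.com/login",
		"http://attacker.example/?x=http://www.deepsource.com/",
		"https://www.deepsource.com.attacker.example/",
		"https://www.deepsource.com:8443/",
	}
	for _, in := range inputs {
		fmt.Printf("%-55s unanchored=%-5v anchored=%-5v parsed=%v\n",
			in, CheckUnanchored(in), CheckAnchored(in), CheckParsed(in))
	}
}
```

The second input is the bypass from the text: the unanchored pattern accepts it, the anchored one does not. The last input shows that the two approaches disagree on edge cases (a non-default port), which is the reason to decide deliberately whether to validate the serialized URL or its parsed components rather than assuming they are equivalent.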