Merge pull request #1754 from guybrush/BIDS-1476/validate-notificatio…

…n-webhook-urls

(BIDS-1476) Validate notification-webhook-urls

go.mod

@@ -7,6 +7,7 @@ require (
 	cloud.google.com/go/secretmanager v1.5.0
 	firebase.google.com/go v3.13.0+incompatible
 	github.com/Gurpartap/storekit-go v0.0.0-20201205024111-36b6cd5c6a21
+	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 	github.com/awa/go-iap v1.3.7
 	github.com/davecgh/go-spew v1.1.1
 	github.com/ethereum/go-ethereum v1.10.23
@@ -16,6 +17,7 @@ require (
 	github.com/gobitfly/eth.store v0.0.0-20221012115129-3b4606992669
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.2
+	github.com/google/go-querystring v1.0.0
 	github.com/gorilla/context v1.1.1
 	github.com/gorilla/csrf v1.7.0
 	github.com/gorilla/mux v1.8.0
@@ -243,7 +245,6 @@ require (
 	github.com/jackc/pgtype v1.3.0
 	github.com/jackc/puddle v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/karlseguin/ccache/v2 v2.0.8
 	github.com/klauspost/compress v1.15.9
 	github.com/klauspost/cpuid/v2 v2.0.14 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect

go.sum

@@ -148,6 +148,8 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A=
+github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ=
+github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/attestantio/go-eth2-client v0.11.4 h1:nSgCG7l+bhgibSU099C8Vr3TYFlQ1gR2pZ4qkSygZrM=
 github.com/attestantio/go-eth2-client v0.11.4/go.mod h1:zXL/BxC0cBBhxj+tP7QG7t9Ufoa8GwQLdlbvZRd9+dM=
 github.com/awa/go-iap v1.3.7 h1:ErmeZRa8I4tx+ToAHikpARoAZVSszHWpwyl4FCj/6XA=
@@ -548,6 +550,7 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8
 github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
+github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.1-0.20200604201612-c04b05f3adfa/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -798,10 +801,6 @@ github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 h1:qGQQKEcAR99REcM
 github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213/go.mod h1:vNUNkEQ1e29fT/6vq2aBdFsgNPmy8qMdSay1npru+Sw=
 github.com/kami-zh/go-capturer v0.0.0-20171211120116-e492ea43421d/go.mod h1:P2viExyCEfeWGU259JnaQ34Inuec4R38JCyBx2edgD0=
 github.com/karalabe/usb v0.0.2/go.mod h1:Od972xHfMJowv7NGVDiWVxk2zxnWgjLlJzE+F4F7AGU=
-github.com/karlseguin/ccache/v2 v2.0.8 h1:lT38cE//uyf6KcFok0rlgXtGFBWxkI6h/qg4tbFyDnA=
-github.com/karlseguin/ccache/v2 v2.0.8/go.mod h1:2BDThcfQMf/c0jnZowt16eW405XIqZPavt+HoYEtcxQ=
-github.com/karlseguin/expect v1.0.2-0.20190806010014-778a5f0c6003 h1:vJ0Snvo+SLMY72r5J4sEfkuE7AFbixEP2qRbEcum/wA=
-github.com/karlseguin/expect v1.0.2-0.20190806010014-778a5f0c6003/go.mod h1:zNBxMY8P21owkeogJELCLeHIt+voOSduHYTFUbwRAV8=
 github.com/kataras/i18n v0.0.5 h1:X9EQHxDhjpN0zh+Ry0PZvi0ODi9lf5mo4wiXWtOYhlY=
 github.com/kataras/i18n v0.0.5/go.mod h1:U0aKF7ANqGmFVs4WCexDTYGf8wg7Rb3mLJCmr/OuDoo=
 github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
@@ -1511,8 +1510,6 @@ github.com/whyrusleeping/multiaddr-filter v0.0.0-20160516205228-e903e4adabd7/go.
 github.com/whyrusleeping/timecache v0.0.0-20160911033111-cfcb2f1abfee h1:lYbXeSvJi5zk5GLKVuid9TVjS9a0OmLIDKTfoZBL6Ow=
 github.com/whyrusleeping/timecache v0.0.0-20160911033111-cfcb2f1abfee/go.mod h1:m2aV4LZI4Aez7dP5PMyVKEHhUyEJ/RjmPEDOpDvudHg=
 github.com/willf/bitset v1.1.3/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
-github.com/wsxiaoys/terminal v0.0.0-20160513160801-0940f3fc43a0 h1:3UeQBvD0TFrlVjOeLOBz+CPAI8dnbqNSVwUwRrkp7vQ=
-github.com/wsxiaoys/terminal v0.0.0-20160513160801-0940f3fc43a0/go.mod h1:IXCdmsXIht47RaVFLEdVnh1t+pgYtTAhQGj73kz+2DM=
 github.com/x-cray/logrus-prefixed-formatter v0.5.2/go.mod h1:2duySbKsL6M18s5GU7VPsoEPHyzalCE06qoARUCeBBE=
 github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=

handlers/user.go

@@ -2570,6 +2570,12 @@ func UsersAddWebhook(w http.ResponseWriter, r *http.Request) {
 
 	urlForm := r.FormValue("url")
 
+	if !utils.IsValidUrl(urlForm) {
+		utils.SetFlash(w, r, authSessionName, "Error: The URL provided is invalid.")
+		http.Redirect(w, r, "/user/webhooks", http.StatusSeeOther)
+		return
+	}
+
 	destination := "webhook"
 
 	validatorIsOffline := r.FormValue(string(types.ValidatorIsOfflineEventName)) == "on"
@@ -2665,21 +2671,7 @@ func UsersAddWebhook(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	urlValid := ""
-
-	urlParsed, err := url.Parse(urlForm)
-	if err != nil {
-		logger.WithError(err).Errorf("could not parse url: %v", urlForm)
-		utils.SetFlash(w, r, authSessionName, "Error: The URL provided is invalid.")
-		http.Redirect(w, r, "/user/webhooks", http.StatusSeeOther)
-		return
-	}
-
-	if urlParsed != nil {
-		urlValid = urlForm
-	}
-
-	_, err = tx.Exec(`INSERT INTO users_webhooks (user_id, url, event_names, destination) VALUES ($1, $2, $3, $4)`, user.UserID, urlValid, pq.StringArray(eventNames), destination)
+	_, err = tx.Exec(`INSERT INTO users_webhooks (user_id, url, event_names, destination) VALUES ($1, $2, $3, $4)`, user.UserID, urlForm, pq.StringArray(eventNames), destination)
 	if err != nil {
 		logger.WithError(err).Errorf("error inserting a new webhook for user")
 		utils.SetFlash(w, r, authSessionName, "Error: Something went wrong adding your webhook, please try again in a bit.")

utils/utils.go

@@ -33,6 +33,7 @@ import (
 	"golang.org/x/text/message"
 	"gopkg.in/yaml.v3"
 
+	"github.com/asaskevich/govalidator"
 	"github.com/ethereum/go-ethereum/accounts/abi"
 	"github.com/ethereum/go-ethereum/params"
 	"github.com/kataras/i18n"
@@ -479,6 +480,21 @@ func IsValidEmail(s string) bool {
 	return emailRE.MatchString(s)
 }
 
+// IsValidUrl verifies whether a string represents a valid Url.
+func IsValidUrl(s string) bool {
+	u, err := url.ParseRequestURI(s)
+	if err != nil {
+		return false
+	}
+	if u.Scheme != "http" && u.Scheme != "https" {
+		return false
+	}
+	if len(u.Host) == 0 {
+		return false
+	}
+	return govalidator.IsURL(s)
+}
+
 // RoundDecimals rounds (nearest) a number to the specified number of digits after comma
 func RoundDecimals(f float64, n int) float64 {
 	d := math.Pow10(n)

utils/utils_test.go

@@ -0,0 +1,28 @@
+package utils
+
+import (
+	"testing"
+)
+
+func TestIsValidUrl(t *testing.T) {
+	tests := []struct {
+		url   string
+		valid bool
+	}{
+		{"http://foo.com", true},
+		{"https://foo.com", true},
+		{"https://foo.com/a/b/c", true},
+		{"https://foo.com:3333/a/b/c", true},
+		{"https://foo.com?hello=a", true},
+		{`https://foo.com"`, false},
+		{"https://https://https://google.com/", false},
+		{"foo.com", false},
+		{"asdf qwer", false},
+	}
+	for _, tt := range tests {
+		v := IsValidUrl(tt.url)
+		if v != tt.valid {
+			t.Errorf("wrong url validation for url %v", tt.url)
+		}
+	}
+}