Merge pull request #3878 from Countly/hotfix/push

ar2rsawseen · web-flow · commit 3ad5b4ca773b · 2023-01-30T14:18:40.000+02:00
[core] URL validation without regexp
diff --git a/api/utils/common.js b/api/utils/common.js
@@ -814,14 +814,20 @@ common.validateArgs = function(args, argProperties, returnErrors) {
                             return false;
                         }
                     }
-                    else if (args[arg] && !/^([a-z]([a-z]|\d|\+|-|\.)*):(\/\/(((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!$&'()*+,;=]|:)*@)?((\[(|(v[\da-f]{1,}\.(([a-z]|\d|-|\.|_|~)|[!$&'()*+,;=]|:)+))\])|((\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5]))|(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!$&'()*+,;=])*)(:\d*)?)(\/(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!$&'()*+,;=]|:|@)*)*|(\/((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!$&'()*+,;=]|:|@)+(\/(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!$&'()*+,;=]|:|@)*)*)?)|((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!$&'()*+,;=]|:|@)+(\/(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!$&'()*+,;=]|:|@)*)*)|((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!$&'()*+,;=]|:|@)){0})(\?((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!$&'()*+,;=]|:|@)|[\uE000-\uF8FF]|\/|\?)*)?(#((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!$&'()*+,;=]|:|@)|\/|\?)*)?$/i.test(args[arg])) {
-                        if (returnErrors) {
-                            returnObj.errors.push("Invalid url string " + arg);
-                            returnObj.result = false;
-                            argState = false;
+                    else {
+                        let { URL } = require('url');
+                        try {
+                            new URL(args[arg]);
                         }
-                        else {
-                            return false;
+                        catch (ignored) {
+                            if (returnErrors) {
+                                returnObj.errors.push('Invalid url string ' + arg);
+                                returnObj.result = false;
+                                argState = false;
+                            }
+                            else {
+                                return false;
+                            }
                         }
                     }
                 }

Original file line number	Diff line number	Diff line change
`@@ -814,14 +814,20 @@ common.validateArgs = function(args, argProperties, returnErrors) {`
`814`	`814`	`return false;`
`815`	`815`	`}`
`816`	`816`	`}`
`817`		- else if (args[arg] && !/^([a-z]([a-z]\|\d\|\+\|-\|\.)):(\/\/(((([a-z]\|\d\|-\|\.\|_\|~\|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])\|(%[\da-f]{2})\|[!$&'()+,;=]\|:)@)?((\[(\|(v[\da-f]{1,}\.(([a-z]\|\d\|-\|\.\|_\|~)\|[!$&'()+,;=]\|:)+))\])\|((\d\|[1-9]\d\|1\d\d\|2[0-4]\d\|25[0-5])\.(\d\|[1-9]\d\|1\d\d\|2[0-4]\d\|25[0-5])\.(\d\|[1-9]\d\|1\d\d\|2[0-4]\d\|25[0-5])\.(\d\|[1-9]\d\|1\d\d\|2[0-4]\d\|25[0-5]))\|(([a-z]\|\d\|-\|\.\|_\|~\|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])\|(%[\da-f]{2})\|[!$&'()+,;=]))(:\d)?)(\/(([a-z]\|\d\|-\|\.\|_\|~\|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])\|(%[\da-f]{2})\|[!$&'()+,;=]\|:\|@))\|(\/((([a-z]\|\d\|-\|\.\|_\|~\|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])\|(%[\da-f]{2})\|[!$&'()+,;=]\|:\|@)+(\/(([a-z]\|\d\|-\|\.\|_\|~\|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])\|(%[\da-f]{2})\|[!$&'()+,;=]\|:\|@)))?)\|((([a-z]\|\d\|-\|\.\|_\|~\|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])\|(%[\da-f]{2})\|[!$&'()+,;=]\|:\|@)+(\/(([a-z]\|\d\|-\|\.\|_\|~\|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])\|(%[\da-f]{2})\|[!$&'()+,;=]\|:\|@)))\|((([a-z]\|\d\|-\|\.\|_\|~\|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])\|(%[\da-f]{2})\|[!$&'()+,;=]\|:\|@)){0})(\?((([a-z]\|\d\|-\|\.\|_\|~\|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])\|(%[\da-f]{2})\|[!$&'()+,;=]\|:\|@)\|[\uE000-\uF8FF]\|\/\|\?))?(#((([a-z]\|\d\|-\|\.\|_\|~\|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])\|(%[\da-f]{2})\|[!$&'()+,;=]\|:\|@)\|\/\|\?)*)?$/i.test(args[arg])) {
`818`		`- if (returnErrors) {`
`819`		`- returnObj.errors.push("Invalid url string " + arg);`
`820`		`- returnObj.result = false;`
`821`		`- argState = false;`
	`817`	`+ else {`
	`818`	`+ let { URL } = require('url');`
	`819`	`+ try {`
	`820`	`+ new URL(args[arg]);`
`822`	`821`	`}`
`823`		`- else {`
`824`		`- return false;`
	`822`	`+ catch (ignored) {`
	`823`	`+ if (returnErrors) {`
	`824`	`+ returnObj.errors.push('Invalid url string ' + arg);`
	`825`	`+ returnObj.result = false;`
	`826`	`+ argState = false;`
	`827`	`+ }`
	`828`	`+ else {`
	`829`	`+ return false;`
	`830`	`+ }`
`825`	`831`	`}`
`826`	`832`	`}`
`827`	`833`	`}`