fix security issue OWASP-BLT#1512

JisanAR03 · Nov 11, 2023 · 0de510a · 0de510a
1 parent 34ea266
commit 0de510a
Showing 1 changed file with 24 additions and 5 deletions.
diff --git a/company/views.py b/company/views.py
@@ -3,7 +3,7 @@
 import json
 from django import http 
 import requests
-from urllib.parse import urlparse
+from urllib.parse import urlparse, urlunparse
 from datetime import timedelta, datetime
 
 from django.shortcuts import render, redirect, get_object_or_404
@@ -13,6 +13,8 @@
 from django.db.models import Q, Sum, Count
 from django.utils import timezone
 from django.db.models.functions import ExtractMonth
+from django.core.validators import URLValidator
+from django.core.exceptions import ValidationError
 from django.core.files.storage import default_storage
 from django.contrib.auth.models import User
 from django.http import Http404
@@ -21,6 +23,18 @@
 
 restricted_domain = ["gmail.com","hotmail.com","outlook.com","yahoo.com","proton.com"]
 
+def is_valid_https_url(url):
+    validate = URLValidator(schemes=['https'])  # Only allow HTTPS URLs
+    try:
+        validate(url)
+        return True
+    except ValidationError:
+        return False
+def rebuild_safe_url(url):
+    parsed_url = urlparse(url)
+    # Rebuild the URL with scheme, netloc, and path only
+    return urlunparse((parsed_url.scheme, parsed_url.netloc, parsed_url.path, '', '', ''))
+
 
 def get_email_domain(email):
     domain = email.split("@")[-1]
@@ -433,10 +447,15 @@ def post(self,request,company,*args,**kwargs):
 
         # validate domain url
         try:
-            print(domain_data["url"])
-            response = requests.get(domain_data["url"] ,timeout=5)
-            if response.status_code != 200:
-                raise Exception
+            if is_valid_https_url(domain_data["url"]):
+                safe_url = rebuild_safe_url(domain_data["url"])
+                try:
+                    response = requests.get(safe_url, timeout=5)
+                    if response.status_code != 200:
+                        raise Exception
+                except Exception as e:
+                    messages.error(request,"Domain does not exist.")
+                    return redirect("add_domain",company)
         except Exception as e:
             print(e)
             messages.error(request,"Domain does not exist.")