PB-737: Update regex so that only allowed domains are accepted

geoadmin · Aug 7, 2024 · a1cbeb1 · a1cbeb1
1 parent 3f7a23d
commit a1cbeb1
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 4 deletions.
diff --git a/.env.default b/.env.default
@@ -3,5 +3,5 @@ AWS_SECRET_ACCESS_KEY=dummy123
 AWS_ENDPOINT_URL=http://localhost:8080
 AWS_DEFAULT_REGION=eu-central-1
 AWS_DYNAMODB_TABLE_NAME=test-db
-ALLOWED_DOMAINS=.*localhost,.*admin\.ch,.*bgdi\.ch
+ALLOWED_DOMAINS=.*localhost((:[0-9]*)?|\/)?$,.*admin\.ch$,.*bgdi\.ch$
 STAGING=local
diff --git a/.env.testing b/.env.testing
@@ -1,4 +1,4 @@
-ALLOWED_DOMAINS=.*\.geo\.admin\.ch,.*\.bgdi\.ch,http://localhost
+ALLOWED_DOMAINS=.*\.geo\.admin\.ch$,.*\.bgdi\.ch$,.*localhost((:[0-9]*)?|\/)?$
 AWS_ACCESS_KEY_ID=testing
 AWS_SECRET_ACCESS_KEY=testing
 AWS_SECURITY_TOKEN=testing
@@ -8,4 +8,4 @@ AWS_SESSION_TOKEN=testing
 AWS_DEFAULT_REGION=us-east-1
 AWS_DYNAMODB_TABLE_NAME=test-db
 
-STAGING=test
+STAGING=test
diff --git a/app/helpers/utils.py b/app/helpers/utils.py
@@ -4,6 +4,7 @@
 import re
 from itertools import chain
 from pathlib import Path
+from urllib.parse import urlparse
 
 import validators
 import yaml
@@ -112,7 +113,7 @@ def get_url():
             f"The url given as parameter was too long. (limit is 2046 "
             f"characters, {len(url)} given)"
         )
-    if not re.match(ALLOWED_DOMAINS_PATTERN, url):
+    if not re.match(ALLOWED_DOMAINS_PATTERN, urlparse(url).netloc):
         logger.error('URL(%s) given as a parameter is not allowed', url)
         abort(400, 'URL given as a parameter is not allowed.')