package security import ( "context" "net" "net/netip" "net/url" "strconv" "strings" "time" "github.com/tech/sendico/pkg/merrors" ) type service struct { requireHTTPS bool allowedHosts map[string]struct{} allowedPorts map[int]struct{} dnsTimeout time.Duration resolver *net.Resolver } // New creates URL validator. func New(cfg Config) Validator { hosts := make(map[string]struct{}, len(cfg.AllowedHosts)) for _, host := range cfg.AllowedHosts { h := strings.ToLower(strings.TrimSpace(host)) if h == "" { continue } hosts[h] = struct{}{} } ports := make(map[int]struct{}, len(cfg.AllowedPorts)) for _, port := range cfg.AllowedPorts { if port > 0 { ports[port] = struct{}{} } } timeout := time.Duration(cfg.DNSResolveTimeout) * time.Millisecond if timeout <= 0 { timeout = 2 * time.Second } return &service{ requireHTTPS: cfg.RequireHTTPS, allowedHosts: hosts, allowedPorts: ports, dnsTimeout: timeout, resolver: net.DefaultResolver, } } func (s *service) ValidateURL(ctx context.Context, target string) error { parsed, err := url.Parse(strings.TrimSpace(target)) if err != nil { return merrors.InvalidArgumentWrap(err, "invalid callback URL", "url") } if parsed == nil || parsed.Host == "" { return merrors.InvalidArgument("callback URL host is required", "url") } if parsed.User != nil { return merrors.InvalidArgument("callback URL credentials are not allowed", "url") } if s.requireHTTPS && !strings.EqualFold(parsed.Scheme, "https") { return merrors.InvalidArgument("callback URL must use HTTPS", "url") } host := strings.ToLower(strings.TrimSpace(parsed.Hostname())) if host == "" { return merrors.InvalidArgument("callback URL host is empty", "url") } if len(s.allowedHosts) > 0 { if _, ok := s.allowedHosts[host]; !ok { return merrors.InvalidArgument("callback host is not in allowlist", "url.host") } } port, err := resolvePort(parsed) if err != nil { return err } if len(s.allowedPorts) > 0 { if _, ok := s.allowedPorts[port]; !ok { return merrors.InvalidArgument("callback URL port is not allowed", "url.port") } } if addr, addrErr := netip.ParseAddr(host); addrErr == nil { if isBlocked(addr) { return merrors.InvalidArgument("callback URL resolves to blocked IP range", "url") } return nil } lookupCtx := ctx if lookupCtx == nil { lookupCtx = context.Background() } lookupCtx, cancel := context.WithTimeout(lookupCtx, s.dnsTimeout) defer cancel() ips, err := s.resolver.LookupIPAddr(lookupCtx, host) if err != nil { return merrors.InternalWrap(err, "failed to resolve callback host") } if len(ips) == 0 { return merrors.InvalidArgument("callback host did not resolve", "url.host") } for _, ip := range ips { if ip.IP == nil { continue } addr, ok := netip.AddrFromSlice(ip.IP) if ok && isBlocked(addr) { return merrors.InvalidArgument("callback URL resolves to blocked IP range", "url.host") } } return nil } func resolvePort(parsed *url.URL) (int, error) { if parsed == nil { return 0, merrors.InvalidArgument("callback URL is required", "url") } portStr := strings.TrimSpace(parsed.Port()) if portStr == "" { if strings.EqualFold(parsed.Scheme, "https") { return 443, nil } if strings.EqualFold(parsed.Scheme, "http") { return 80, nil } return 0, merrors.InvalidArgument("callback URL scheme is not supported", "url.scheme") } port, err := strconv.Atoi(portStr) if err != nil || port <= 0 || port > 65535 { return 0, merrors.InvalidArgument("callback URL port is invalid", "url.port") } return port, nil } func isBlocked(ip netip.Addr) bool { if !ip.IsValid() { return true } if ip.IsLoopback() || ip.IsPrivate() || ip.IsMulticast() || ip.IsUnspecified() { return true } if ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() { return true } // Block common cloud metadata endpoint. if ip.Is4() && ip.String() == "169.254.169.254" { return true } return false }