Check urls in a better way

oBusk · oBusk · commit 526b3456a83c · 2026-02-01T21:10:49.000+01:00
diff --git a/src/app/[...parts]/_page/Sources/SourceCard/SourceCard.tsx b/src/app/[...parts]/_page/Sources/SourceCard/SourceCard.tsx
@@ -3,6 +3,7 @@ import ExternalLink from "^/components/ExternalLink";
 import Heading from "^/components/ui/Heading";
 import { type SourceInformation } from "^/lib/api/npm/sourceInformation";
 import { cx } from "^/lib/cva";
+import { isGitHubUrl, isGitLabUrl } from "^/lib/utils/isAllowedRepositoryHost";
 import ProvenanceCard from "./ProvenanceCard";
 import { ProvenanceInfoIcon } from "./ProvenanceInfoIcon";
 import { TrustedPublisherCard } from "./TrustedPublisherCard";
@@ -39,13 +40,9 @@ export default function SourceCard({
                     >
                         <span className="text-sm">Repo:</span>
                         <div className="flex items-center gap-1.5">
-                            {sourceInformation.repositoryUrl.startsWith(
-                                "https://github.com",
-                            ) ? (
+                            {isGitHubUrl(sourceInformation.repositoryUrl) ? (
                                 <Github className="size-3.5 shrink-0" />
-                            ) : sourceInformation.repositoryUrl.startsWith(
-                                  "https://gitlab.com",
-                              ) ? (
+                            ) : isGitLabUrl(sourceInformation.repositoryUrl) ? (
                                 <Gitlab className="size-3.5 shrink-0" />
                             ) : null}
                             <span className="text-sm font-medium">
diff --git a/src/app/[...parts]/_page/Sources/SourceCompareButton/SourceCompareButton.tsx b/src/app/[...parts]/_page/Sources/SourceCompareButton/SourceCompareButton.tsx
@@ -1,4 +1,5 @@
 import { type SourceInformation } from "^/lib/api/npm/sourceInformation";
+import { isGitHubUrl, isGitLabUrl } from "^/lib/utils/isAllowedRepositoryHost";
 import { CompareButton } from "./CompareButton";
 
 export interface SourceCompareButtonProps {
@@ -12,7 +13,7 @@ export default function SourceCompareButton({
 }: SourceCompareButtonProps) {
     if (sourceA.repositoryUrl !== sourceB.repositoryUrl) {
         return null;
-    } else if (sourceA.repositoryUrl.startsWith("https://github.com")) {
+    } else if (isGitHubUrl(sourceA.repositoryUrl)) {
         return (
             <CompareButton
                 commitA={sourceA.commitHash}
@@ -21,7 +22,7 @@ export default function SourceCompareButton({
                 serviceName="GitHub.com"
             />
         );
-    } else if (sourceA.repositoryUrl.startsWith("https://gitlab.com")) {
+    } else if (isGitLabUrl(sourceA.repositoryUrl)) {
         return (
             <CompareButton
                 commitA={sourceA.commitHash}
diff --git a/src/lib/utils/isAllowedRepositoryHost.test.ts b/src/lib/utils/isAllowedRepositoryHost.test.ts
@@ -0,0 +1,69 @@
+import { isGitHubUrl, isGitLabUrl } from "./isAllowedRepositoryHost";
+
+describe("isGitHubUrl", () => {
+    it("returns true for valid GitHub URL", () => {
+        expect(isGitHubUrl("https://github.com/owner/repo")).toBe(true);
+    });
+
+    it("returns true for GitHub URL with path", () => {
+        expect(isGitHubUrl("https://github.com/owner/repo/tree/main")).toBe(
+            true,
+        );
+    });
+
+    it("returns false for GitLab URL", () => {
+        expect(isGitHubUrl("https://gitlab.com/owner/repo")).toBe(false);
+    });
+
+    it("rejects subdomain attack: github.com.evil.com", () => {
+        expect(isGitHubUrl("https://github.com.evil.com/repo")).toBe(false);
+    });
+
+    it("rejects subdomain attack: evil-github.com", () => {
+        expect(isGitHubUrl("https://evil-github.com/repo")).toBe(false);
+    });
+
+    it("rejects path injection: evil.com/github.com", () => {
+        expect(isGitHubUrl("https://evil.com/github.com/repo")).toBe(false);
+    });
+
+    it("rejects subdomain: api.github.com", () => {
+        expect(isGitHubUrl("https://api.github.com/repo")).toBe(false);
+    });
+
+    it("rejects HTTP (non-HTTPS)", () => {
+        expect(isGitHubUrl("http://github.com/owner/repo")).toBe(false);
+    });
+
+    it("rejects invalid URL", () => {
+        expect(isGitHubUrl("not-a-url")).toBe(false);
+    });
+});
+
+describe("isGitLabUrl", () => {
+    it("returns true for valid GitLab URL", () => {
+        expect(isGitLabUrl("https://gitlab.com/owner/repo")).toBe(true);
+    });
+
+    it("returns true for GitLab URL with path", () => {
+        expect(isGitLabUrl("https://gitlab.com/owner/repo/-/tree/main")).toBe(
+            true,
+        );
+    });
+
+    it("returns false for GitHub URL", () => {
+        expect(isGitLabUrl("https://github.com/owner/repo")).toBe(false);
+    });
+
+    it("rejects subdomain attack: gitlab.com.evil.com", () => {
+        expect(isGitLabUrl("https://gitlab.com.evil.com/repo")).toBe(false);
+    });
+
+    it("rejects HTTP (non-HTTPS)", () => {
+        expect(isGitLabUrl("http://gitlab.com/owner/repo")).toBe(false);
+    });
+
+    it("rejects invalid URL", () => {
+        expect(isGitLabUrl("not-a-url")).toBe(false);
+    });
+});
diff --git a/src/lib/utils/isAllowedRepositoryHost.ts b/src/lib/utils/isAllowedRepositoryHost.ts
@@ -0,0 +1,17 @@
+/** Parses URL and checks if hostname exactly matches the expected host. */
+function isHostUrl(url: string, expectedHost: string): boolean {
+    try {
+        const { protocol, hostname } = new URL(url);
+        return protocol === "https:" && hostname.toLowerCase() === expectedHost;
+    } catch {
+        return false;
+    }
+}
+
+export function isGitHubUrl(url: string): boolean {
+    return isHostUrl(url, "github.com");
+}
+
+export function isGitLabUrl(url: string): boolean {
+    return isHostUrl(url, "gitlab.com");
+}
