fix: coderabbit suggestions

2025-12-18 22:22:30 +00:00 · 2025-08-26 14:31:09 +03:00
parent d3c40bb366
commit a5e1ae096b
19 changed files with 178 additions and 47 deletions
--- a/internal/utils/app_utils.go
+++ b/internal/utils/app_utils.go
@@ -2,6 +2,7 @@ package utils

 import (
 	"errors"
+	"net"
 	"net/url"
 	"strings"
 	"tinyauth/internal/config"
@@ -12,16 +13,25 @@ import (
 )

 // Get upper domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
-func GetUpperDomain(urlSrc string) (string, error) {
-	urlParsed, err := url.Parse(urlSrc)
+func GetUpperDomain(appUrl string) (string, error) {
+	appUrlParsed, err := url.Parse(appUrl)
 	if err != nil {
 		return "", err
 	}

-	urlSplitted := strings.Split(urlParsed.Hostname(), ".")
-	urlFinal := strings.Join(urlSplitted[1:], ".")
+	host := appUrlParsed.Hostname()

-	return urlFinal, nil
+	if netIP := net.ParseIP(host); netIP != nil {
+		return "", errors.New("IP addresses are not allowed")
+	}
+
+	urlParts := strings.Split(host, ".")
+
+	if len(urlParts) < 2 {
+		return "", errors.New("invalid domain, must be at least second level domain")
+	}
+
+	return strings.Join(urlParts[1:], "."), nil
 }

 func ParseFileToLine(content string) string {
@@ -63,8 +73,38 @@ func GetContext(c *gin.Context) (config.UserContext, error) {
 	return *userContext, nil
 }

+func IsRedirectSafe(redirectURL string, domain string) bool {
+	if redirectURL == "" {
+		return false
+	}
+
+	parsedURL, err := url.Parse(redirectURL)
+
+	if err != nil {
+		return false
+	}
+
+	if !parsedURL.IsAbs() {
+		return false
+	}
+
+	upper, err := GetUpperDomain(redirectURL)
+
+	if err != nil {
+		return false
+	}
+
+	if upper != domain {
+		return false
+	}
+
+	return true
+}
+
 func GetLogLevel(level string) zerolog.Level {
 	switch strings.ToLower(level) {
+	case "trace":
+		return zerolog.TraceLevel
 	case "debug":
 		return zerolog.DebugLevel
 	case "info":
--- a/internal/utils/label_utils.go
+++ b/internal/utils/label_utils.go
@@ -1,6 +1,7 @@
 package utils

 import (
+	"net/http"
 	"strings"
 	"tinyauth/internal/config"

@@ -26,6 +27,10 @@ func ParseHeaders(headers []string) map[string]string {
 			continue
 		}
 		key := SanitizeHeader(strings.TrimSpace(split[0]))
+		if strings.ContainsAny(key, " \t") {
+			continue
+		}
+		key = http.CanonicalHeaderKey(key)
 		value := SanitizeHeader(strings.TrimSpace(split[1]))
 		headerMap[key] = value
 	}
--- a/internal/utils/user_utils.go
+++ b/internal/utils/user_utils.go
@@ -9,6 +9,12 @@ import (
 func ParseUsers(users string) ([]config.User, error) {
 	var usersParsed []config.User

+	users = strings.TrimSpace(users)
+
+	if users == "" {
+		return []config.User{}, nil
+	}
+
 	userList := strings.Split(users, ",")

 	if len(userList) == 0 {
@@ -16,7 +22,10 @@ func ParseUsers(users string) ([]config.User, error) {
 	}

 	for _, user := range userList {
-		parsed, err := ParseUser(user)
+		if strings.TrimSpace(user) == "" {
+			continue
+		}
+		parsed, err := ParseUser(strings.TrimSpace(user))
 		if err != nil {
 			return []config.User{}, err
 		}
@@ -39,12 +48,13 @@ func GetUsers(conf string, file string) ([]config.User, error) {

 	if file != "" {
 		contents, err := ReadFile(file)
-		if err == nil {
-			if users != "" {
-				users += ","
-			}
-			users += ParseFileToLine(contents)
+		if err != nil {
+			return []config.User{}, err
 		}
+		if users != "" {
+			users += ","
+		}
+		users += ParseFileToLine(contents)
 	}

 	return ParseUsers(users)