Collapse recursive URLs to the HTML service

Eg; https://html.brow.sh/https://html.brow.sh/google.com jsut becomes google.com
browsh-org · Jul 11, 2018 · 85affab · 85affab
1 parent 3d0c224
commit 85affab
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 0 deletions.
diff --git a/interfacer/src/browsh/raw_text_server.go b/interfacer/src/browsh/raw_text_server.go
@@ -78,7 +78,14 @@ func (h *slashFix) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 func handleHTTPServerRequest(w http.ResponseWriter, r *http.Request) {
 	var message string
+	var isErrored bool
 	urlForBrowsh, _ := url.PathUnescape(strings.TrimPrefix(r.URL.Path, "/"))
+	urlForBrowsh, isErrored = deRecurseURL(urlForBrowsh)
+	if isErrored {
+		message = "Invalid URL"
+		io.WriteString(w, message)
+		return
+	}
 	if isProductionHTTP(r) {
 		http.Redirect(w, r, "https://" + r.Host + "/" + urlForBrowsh, 301)
 		return
@@ -112,6 +119,18 @@ func handleHTTPServerRequest(w http.ResponseWriter, r *http.Request) {
 	waitForResponse(rawTextRequestID, w)
 }
 
+// Prevent https://html.brow.sh/html.brow.sh/... being recursive
+func deRecurseURL(urlForBrowsh string) (string, bool) {
+	nestedURL, err := url.Parse(urlForBrowsh)
+	if err != nil {
+		return urlForBrowsh, false
+	}
+	if nestedURL.Host != "html.brow.sh" && nestedURL.Host != "text.brow.sh" {
+		return urlForBrowsh, false
+	}
+	return deRecurseURL(strings.TrimPrefix(nestedURL.RequestURI(), "/"))
+}
+
 func isDisallowedURL(urlForBrowsh string) bool {
 	r, _ := regexp.Compile("[mail|accounts].google.com")
 	return r.MatchString(urlForBrowsh)

diff --git a/interfacer/src/browsh/raw_text_server_test.go b/interfacer/src/browsh/raw_text_server_test.go
@@ -0,0 +1,41 @@
+package browsh
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestRawTextServer(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Raw text server tests")
+}
+
+var _ = Describe("Raw text server", func() {
+	Describe("De-recursing URLs", func() {
+		It("should not do anything to normal URLs", func() {
+			testURL := "https://google.com/path?q=hey"
+			url, _ := deRecurseURL(testURL)
+			Expect(url).To(Equal(testURL))
+		})
+		It("should de-recurse a single level", func() {
+			testURL := "https://html.brow.sh/word"
+			url, _ := deRecurseURL(testURL)
+			Expect(url).To(Equal("word"))
+		})
+		It("should de-recurse a multi level recurse without a URL ending", func() {
+			testURL := "https://html.brow.sh/https://html.brow.sh"
+			url, _ := deRecurseURL(testURL)
+			Expect(url).To(Equal(""))
+		})
+		It("should de-recurse a multi level recurse with a URL ending", func() {
+			google := "https://google.com/path?q=hey"
+			testURL := "https://html.brow.sh/https://html.brow.sh/" + google
+			url, _ := deRecurseURL(testURL)
+			Expect(url).To(Equal(google))
+		})
+	})
+})
+
+