From 2658a6df65998ec0519c273608b2a62dd4300ced Mon Sep 17 00:00:00 2001
From: Romain J
Date: Mon, 28 Sep 2020 14:01:36 +0200
Subject: [PATCH] fix(security): add better verification for links
---
 app.py | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/app.py b/app.py
index e8468a5..ed3fa2e 100644
--- a/app.py
+++ b/app.py
@@ -1,17 +1,34 @@
-from flask import Flask, render_template, request, redirect, url_for, \
- make_response, Markup
+from flask import Flask, render_template, request, redirect, make_response, \
+ Markup
 from enum import Enum
 from bs4 import BeautifulSoup
+import re
 app = Flask('ui', static_url_path="/static")
 app.config['TEMPLATES_AUTO_RELOAD'] = True
+DEBUG = False
+
 class Status(Enum):
- ERREUR_LIEN = "Le lien doit être en http ou https !"
+ ERREUR_LIEN = "Le lien doit être en http ou https et valide !"
 BON = "Lien ajouté !"
+def valideUrl(url: str) -> bool:
+ # thx django
+ regex = re.compile(
+ r'^(?:http|ftp)s?://' # http:// or https://
+ r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' # domain...
+ r'localhost|' # localhost...
+ r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|' # ...or ipv4
+ r'\[?[A-F0-9]*:[A-F0-9:]+\]?)' # ...or ipv6
+ r'(?::\d+)?' # optional port
+ r'(?:/?|[/?]\S+)$', re.IGNORECASE)
+
+ return bool(re.search(regex, url))
+
+
 def ecritureFichierHtml(nouvLien, cheminFichier):
 with open(cheminFichier, 'r+') as file:
 soup = BeautifulSoup(file, 'html.parser')
@@ -46,7 +63,7 @@ def bizutage_redirect():
 def bizutage():
 if request.method == "POST":
 lien = request.values['lien'].lower()
- if not (lien.startswith("http") or lien.startswith("https")):
+ if not valideUrl(lien):
 return render_template(
 "ajout.html",
 erreur=Status.ERREUR_LIEN.value
@@ -72,4 +89,4 @@ def bizutage():
 if __name__ == "__main__":
- app.run(debug=True)
+ app.run(debug=DEBUG)
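Review bot: `valideUrl` still accepts `ftp://` and `ftps://` links because the scheme group is `(?:http|ftp)s?`, while the new `Status.ERREUR_LIEN` message and the `startswith("http")` check it replaces both describe an http/https-only policy; change the first pattern line to `r'^https?://'`. The trailing `$` also matches before a final newline, so a form value such as `"http://example.com\n"` (constructed example) passes — use `regex.fullmatch(url)` (or end the pattern with `\Z`) instead of `re.search(regex, url)`. Compiling the pattern on every call is wasted work; hoisting it to a module-level constant such as `_URL_RE` and returning `_URL_RE.fullmatch(url) is not None` would also make the function a one-liner. Note that this check validates the link's shape only, not that it is safe to embed in the page; how `ecritureFichierHtml` inserts it into the HTML lies outside this hunk.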
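Review bot: `DEBUG = False` is a hard-coded constant, so turning the Flask debugger on for local work still means editing app.py and risks a `True` being committed again, which is what this hunk is trying to prevent. Reading the flag from the environment, `DEBUG = os.environ.get("FLASK_DEBUG") == "1"` with `import os` next to the other imports, keeps the default off without touching source; `app.run(debug=DEBUG)` itself stays as written.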