fix: safer good trusted urls, meaning top-level will not be blindly s…

…uggested. Fixes #1187
jbangdev · Jan 9, 2022 · fd729a1 · fd729a1
1 parent 443871e
commit fd729a1
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/src/main/java/dev/jbang/util/Util.java b/src/main/java/dev/jbang/util/Util.java
@@ -856,7 +856,13 @@ public static String goodTrustURL(String url) {
  if (uri.getPath().isEmpty() || uri.getPath().equals("/")) {
  return uri.toString();
  } else {
- return (uri.getPath().endsWith("/") ? uri.resolve("..") : uri.resolve(".")).toString();
+ URI suggested = (uri.getPath().endsWith("/") ? uri.resolve("..") : uri.resolve("."));
+ if (suggested.getPath().isEmpty() || suggested.getPath().equals("/")) {
+ // not returning top domain by default
+ return originalUrl;
+ } else {
+ return suggested.toString();
+ }
  }
  }
 

diff --git a/src/test/java/dev/jbang/util/TestTrustedSources.java b/src/test/java/dev/jbang/util/TestTrustedSources.java
@@ -22,7 +22,7 @@ void testGoodUrlsToTrust() throws IOException {
  Util.goodTrustURL(
  "https://repo1.maven.org/maven2/io/quarkus/quarkus-cli/2.0.0.Final/quarkus-cli-2.0.0.Final-runner.jar"));
 
- assertEquals("https://github.com/",
+ assertEquals("https://github.com/t.java",
  Util.goodTrustURL("https://github.com/t.java"));
 
  assertEquals("https://github.com/",
@@ -31,6 +31,12 @@ void testGoodUrlsToTrust() throws IOException {
  assertEquals("https://acme.org",
  Util.goodTrustURL("https://acme.org"));
 
+ assertEquals("https://gist.github.com/maxandersen/",
+ Util.goodTrustURL("https://gist.github.com/maxandersen/d4e465ab26ae5d85b7090aecf4003dc1"));
+
+ assertEquals("https://gist.github.com/d4e465ab26ae5d85b7090aecf4003dc1",
+ Util.goodTrustURL("https://gist.github.com/d4e465ab26ae5d85b7090aecf4003dc1"));
+
  }
 
 }