add check for urls that prevent incorrect urls

kitsteam · Jan 16, 2024 · 6669838 · 6669838
1 parent 735af04
commit 6669838
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 10 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -7,8 +7,8 @@ services:
       target: development
     tty: true
     environment:
-      DATABASE_USER: ${POSTGRES_USER:-postgres}
-      DATABASE_USER_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
+      DATABASE_USER: ${POSTGRES_USER:-qrstorage-user}
+      DATABASE_USER_PASSWORD: ${POSTGRES_PASSWORD:-qrstorage-password}
       DATABASE_NAME: ${POSTGRES_DB:-qrstorage_dev}
       DATABASE_PORT: 5432
       DATABASE_HOST: postgres
@@ -19,7 +19,7 @@ services:
       # - Use `mix phx.gen.secret` if you have elixir and phoenix installed
       # - Use `openssl rand -base64 64 | head -c 64` on a normal unix system
       # You can override this in `docker-compose.override.yml`
-      SECRET_KEY_BASE: "this_secret_key_base_needs_to_have_a_length_of_at_least_64_characters_like_this_one!"
+      SECRET_KEY_BASE: "vg2ibc71kJUfWtTAa6lejS+lvR5JDr/wzvVpMAWeYkHQoxlgtApu0sSoe1RpPgYC%"
       URL_HOST: localhost
       URL_SCHEME: http
       URL_PORT: "4000"
@@ -80,8 +80,8 @@ services:
   postgres:
     image: postgres:15
     environment:
-      POSTGRES_USER: ${POSTGRES_USER:-postgres}
-      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
+      POSTGRES_USER: ${POSTGRES_USER:-qrstorage-user}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-qrstorage-password}
       POSTGRES_DB: ${POSTGRES_DB:-qrstorage_dev}
       PGDATA: /var/lib/postgresql/data/pgdata
     restart: always

diff --git a/lib/qrstorage/qr_codes/qr_code.ex b/lib/qrstorage/qr_codes/qr_code.ex
@@ -177,9 +177,17 @@ defmodule Qrstorage.QrCodes.QrCode do
   # This is a very simple check - it just verifies host/scheme.
   defp valid_url?(url) when is_binary(url) do
     case URI.parse(url) do
-      %URI{host: nil} -> false
-      %URI{scheme: nil} -> false
-      %URI{} -> true
+      %URI{host: nil} ->
+        false
+
+      %URI{scheme: nil} ->
+        false
+
+      %URI{host: host} ->
+        case :inet.gethostbyname(Kernel.to_charlist(host)) do
+          {:ok, _} -> true
+          {:error, _} -> false
+        end
     end
   end
 

diff --git a/lib/qrstorage_web/views/qr_code_view.ex b/lib/qrstorage_web/views/qr_code_view.ex
@@ -63,8 +63,7 @@ defmodule QrstorageWeb.QrCodeView do
     # we upload images as base64. The actual image size will be 0.75 of the base64 encoded text.
     # To help the user, we will convert this in the error message.
     # This is not exactly accurate, because a) 0.75 is just an estimation and b) the upload form also takes text characters into account.
-    max_upload_length =
-      String.to_integer(Application.get_env(:qrstorage, :max_upload_length)) * 0.75
+    max_upload_length = String.to_integer(Application.get_env(:qrstorage, :max_upload_length)) * 0.75
 
     max_upload_length_in_mb = Decimal.round(Decimal.from_float(max_upload_length * 1.0e-6), 1)
 

diff --git a/test/qrstorage/qr_codes_test.exs b/test/qrstorage/qr_codes_test.exs
@@ -85,6 +85,12 @@ defmodule Qrstorage.QrCodesTest do
       assert {:error, %Ecto.Changeset{}} = QrCodes.create_qr_code(invalid_link_attrs)
     end
 
+    test "create_qr_code/1 with type link and invalid url with line break returns error changeset" do
+      invalid_link_attrs = %{@valid_attrs | content_type: "link", text: "https://kits.blog\n\r"}
+
+      assert {:error, %Ecto.Changeset{}} = QrCodes.create_qr_code(invalid_link_attrs)
+    end
+
     test "create_qr_code/1 with type link and valid url returns ok" do
       valid_link_attrs = %{@valid_attrs | content_type: "link", text: "https://kits.blog"}