diff options
| author | Samantaz Fox <coding@samantaz.fr> | 2024-02-17 14:27:25 +0100 |
|---|---|---|
| committer | Samantaz Fox <coding@samantaz.fr> | 2024-08-17 19:22:40 +0200 |
| commit | 78c5ba93c7f4eecf7aae623079c0c77f78670b67 (patch) | |
| tree | fc4f9ac9647307dc05c561b64d9c95e530759a34 /src | |
| parent | 31a80420ec9f4dbd61a7145044f5e1797d4e0dd0 (diff) | |
| download | invidious-78c5ba93c7f4eecf7aae623079c0c77f78670b67.tar.gz invidious-78c5ba93c7f4eecf7aae623079c0c77f78670b67.tar.bz2 invidious-78c5ba93c7f4eecf7aae623079c0c77f78670b67.zip | |
Misc: Clean some code in UrlSanitizer
Diffstat (limited to 'src')
| -rw-r--r-- | src/invidious/yt_backend/url_sanitizer.cr | 32 |
1 files changed, 16 insertions, 16 deletions
diff --git a/src/invidious/yt_backend/url_sanitizer.cr b/src/invidious/yt_backend/url_sanitizer.cr index 02bf77bf..725382ee 100644 --- a/src/invidious/yt_backend/url_sanitizer.cr +++ b/src/invidious/yt_backend/url_sanitizer.cr @@ -16,23 +16,21 @@ module UrlSanitizer ], } - # Returns wether the given string is an ASCII word. This is the same as + # Returns whether the given string is an ASCII word. This is the same as # running the following regex in US-ASCII locale: /^[\w-]+$/ private def ascii_word?(str : String) : Bool - if str.bytesize == str.size - str.each_byte do |byte| - next if 'a'.ord <= byte <= 'z'.ord - next if 'A'.ord <= byte <= 'Z'.ord - next if '0'.ord <= byte <= '9'.ord - next if byte == '-'.ord || byte == '_'.ord - - return false - end + return false if str.bytesize != str.size + + str.each_byte do |byte| + next if 'a'.ord <= byte <= 'z'.ord + next if 'A'.ord <= byte <= 'Z'.ord + next if '0'.ord <= byte <= '9'.ord + next if byte == '-'.ord || byte == '_'.ord - return true - else return false end + + return true end # Return which kind of parameters are allowed based on the @@ -74,12 +72,15 @@ module UrlSanitizer str = "https://#{str}" if !str.starts_with?(/https?:\/\//) unsafe_uri = URI.parse(str) + unsafe_host = unsafe_uri.host + unsafe_path = unsafe_uri.path + new_uri = URI.new(path: "/") # Redirect to homepage for bogus URLs - return new_uri if (unsafe_uri.host.nil? || unsafe_uri.path.nil?) + return new_uri if (unsafe_host.nil? || unsafe_path.nil?) - breadcrumbs = unsafe_uri.path + breadcrumbs = unsafe_path .split('/', remove_empty: true) .compact_map do |bc| # Exclude attempts at path trasversal @@ -96,7 +97,7 @@ module UrlSanitizer return new_uri if breadcrumbs.empty? # Replace the original query parameters with the sanitized ones - case unsafe_uri.host.not_nil! + case unsafe_host when .ends_with?("youtube.com") # Use our sanitized path (not forgetting the leading '/') new_uri.path = "/#{breadcrumbs.join('/')}" @@ -115,7 +116,6 @@ module UrlSanitizer new_uri.query_params = new_params end - new_uri.host = nil # Safety measure return new_uri end end |