feat(clickTtHttpPageRoutes): extend proxy URL validation to include liga.nu

- Added a new function, isAllowedProxyUrl, to validate URLs against an updated list of allowed domains, including liga.nu.
- Updated existing checks in the proxy GET and POST routes to utilize the new validation function, ensuring consistent error messaging for unsupported URLs.
- Enhanced error responses to reflect the inclusion of liga.nu in the allowed domains, improving user guidance during proxy interactions.
Torsten Schulz (local)
2026-03-10 23:06:46 +01:00
parent df95753f4d
commit 4484f122d2


@@ -57,7 +57,17 @@ function serializeFormBody(req) {
}
/** Domains, deren Links durch den Proxy umgeleitet werden (für Folge-Logs) */
const PROXY_DOMAINS = ['click-tt.de', 'httv.de'];
const PROXY_DOMAINS = ['click-tt.de', 'httv.de', 'liga.nu'];
function isAllowedProxyUrl(url) {
if (!url || typeof url !== 'string') return false;
try {
const hostname = new URL(url).hostname.toLowerCase();
return PROXY_DOMAINS.some(domain => hostname === domain || hostname.endsWith(`.${domain}`));
} catch {
return false;
}
}
/**
* Prüft, ob eine URL durch unseren Proxy umgeleitet werden soll
@@ -66,7 +76,7 @@ function shouldProxyUrl(href) {
if (!href || typeof href !== 'string') return false;
const h = href.trim();
if (h.startsWith('#') || h.startsWith('javascript:')) return false;
return PROXY_DOMAINS.some(d => h.includes(d));
return isAllowedProxyUrl(h);
}
/**
@@ -242,8 +252,8 @@ router.get('/proxy', async (req, res, next) => {
let fetchType = 'proxy';
if (url) {
if (!url.includes('click-tt.de') && !url.includes('httv.de')) {
return res.status(400).send('<html><body><h1>Fehler</h1><p>Nur URLs von click-tt.de oder httv.de sind erlaubt.</p></body></html>');
if (!isAllowedProxyUrl(url)) {
return res.status(400).send('<html><body><h1>Fehler</h1><p>Nur URLs von click-tt.de, httv.de oder liga.nu sind erlaubt.</p></body></html>');
}
targetUrl = url;
fetchType = 'arbitrary';
@@ -343,8 +353,8 @@ router.post('/proxy', async (req, res, next) => {
const cookies = cookieStore.get(sid) || {};
const targetUrl = req.query.url;
if (!targetUrl || (!targetUrl.includes('click-tt.de') && !targetUrl.includes('httv.de'))) {
return res.status(400).send('<html><body><h1>Fehler</h1><p>Parameter url (click-tt.de oder httv.de) erforderlich.</p></body></html>');
if (!targetUrl || !isAllowedProxyUrl(targetUrl)) {
return res.status(400).send('<html><body><h1>Fehler</h1><p>Parameter url (click-tt.de, httv.de oder liga.nu) erforderlich.</p></body></html>');
}
const contentType = req.get('content-type') || 'application/x-www-form-urlencoded';
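Review bot: `isAllowedProxyUrl` in the first hunk decides on the hostname alone, so a URL on an allowed host still passes whatever its scheme, port or embedded credentials, and both `/proxy` routes then use that string as the fetch target. I would keep the parsed URL and add `if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;` and `if (parsed.username || parsed.password) return false;` before the domain match. These hunks do not show whether the outbound request follows redirects; if it does, each redirect target should go through the same check, since otherwise the allowlist only covers the first hop. Separately, `shouldProxyUrl` now returns false for protocol-relative hrefs such as `//click-tt.de/...`, because `new URL(h)` throws without a base, whereas the old `includes` test accepted them; please confirm that change is intended.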