Improve URL validation and centralise client and server validators #164
Conversation
src/server/models/url.ts
Outdated
| // Disable long url checks for localstack in development. | ||
| ...(!DEV_ENV ? { isUrl: true } : {}), | ||
| urlCheck(url: string) { | ||
| if (!isValidUrl(url, true)) { |
There was a problem hiding this comment.
does this mean someone will be able to save the whitelisted localhost URL in production?
There was a problem hiding this comment.
Technically, users will not be able to using as we are enforcing https during link creation and edits. But I get the gist here. I will convert the whitelist to a dev-only whitelist. Subsequently, if there is a need for a global whitelist in the future, it should be quite easy to add in.
There was a problem hiding this comment.
looks like a good first step towards standardising URL validation. can we guarantee there is no change in behavior?
one possible improvement in the future would be to replace the useWhitelist flag with dependency injection, because the setting is specific to the application environment, and the onus is on the caller to know whether to use a whitelist or not.
|
I have updated my code such that whitelist is only used when |
Problem
This PR is a follow-up to #149. Previously, the check for https was disabled in development, as localstack endpoints are not valid urls.
And as suggested by @liangyuanruo, I have centralised the common validators used by our client and server sides.
Solution
isUrlcheck to our customised checks using thevalidatorlibrary. After which, I whitelist the endpoint used by localstack (http://localhost:4572).isValidUrlandisHttps, to indicate whether to take into account whitelisted hostnames when running the validation.Improvements:
src/shared/util/validation.ts.