🐛 Fix CWE-20 in URL parsing

staart · Nov 8, 2020 · ac17d98 · ac17d98
1 parent d9ad820
commit ac17d98
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/src/modules/domains/domains.service.ts b/src/modules/domains/domains.service.ts
@@ -46,11 +46,10 @@ export class DomainsService {
       where: { id: groupId },
       select: { profilePictureUrl: true },
     });
-    if (
-      currentProfilePicture.profilePictureUrl.startsWith(
-        'https://ui-avatars.com',
-      )
-    )
+    const parsedProfilePicture = new URL(
+      currentProfilePicture.profilePictureUrl,
+    );
+    if (parsedProfilePicture.hostname === 'ui-avatars.com')
       try {
         const img = await got('https://logo.clearbit.com/${data.domain}', {
           responseType: 'buffer',