SECURITY: vulnerability in WildcardUrlChecker

app/services/wildcard_domain_checker.rb

@@ -4,7 +4,7 @@ module WildcardDomainChecker
 
   def self.check_domain(domain, external_domain)
     escaped_domain = domain[0] == "*" ? Regexp.escape(domain).sub("\\*", '\S*') : Regexp.escape(domain)
-    domain_regex = Regexp.new("^#{escaped_domain}$", 'i')
+    domain_regex = Regexp.new("\\A#{escaped_domain}\\z", 'i')
 
     external_domain.match(domain_regex)
   end

app/services/wildcard_url_checker.rb

@@ -1,12 +1,23 @@
 # frozen_string_literal: true
 
 module WildcardUrlChecker
+  VALID_PROTOCOLS = %w(http https discourse).freeze
 
   def self.check_url(url, url_to_check)
+    return nil if !valid_url?(url_to_check)
+
     escaped_url = Regexp.escape(url).sub("\\*", '\S*')
-    url_regex = Regexp.new("^#{escaped_url}$", 'i')
+    url_regex = Regexp.new("\\A#{escaped_url}\\z", 'i')
 
     url_to_check.match(url_regex)
   end
 
+  private
+
+  def self.valid_url?(url)
+    uri = URI.parse(url)
+    VALID_PROTOCOLS.include?(uri&.scheme) && uri&.host.present?
+  rescue URI::InvalidURIError
+    false
+  end
 end

spec/services/wildcard_domain_checker_spec.rb

@@ -31,6 +31,9 @@ describe WildcardDomainChecker do
 
         result4 = WildcardDomainChecker.check_domain('www.*.discourse.org', 'www.www.discourse.org')
         expect(result4).to eq(nil)
+
+        result5 = WildcardDomainChecker.check_domain('www.discourse.org', "www.discourse.org\nwww.discourse.org.evil.com")
+        expect(result5).to eq(nil)
       end
     end
   end

spec/services/wildcard_url_checker_spec.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe WildcardUrlChecker do
+
+  describe 'check_url' do
+    context 'valid url' do
+      it 'returns correct domain' do
+        result1 = described_class.check_url('https://*.discourse.org', 'https://anything.is.possible.discourse.org')
+        expect(result1[0]).to eq('https://anything.is.possible.discourse.org')
+
+        result2 = described_class.check_url('https://www.discourse.org', 'https://www.discourse.org')
+        expect(result2[0]).to eq('https://www.discourse.org')
+
+        result3 = described_class.check_url('*', 'https://hello.discourse.org')
+        expect(result3[0]).to eq('https://hello.discourse.org')
+
+        result4 = described_class.check_url('discourse://auth_redirect', 'discourse://auth_redirect')
+        expect(result4[0]).to eq('discourse://auth_redirect')
+      end
+    end
+
+    context 'invalid domain' do
+      it "doesn't return the domain" do
+        result1 = described_class.check_url('https://*.discourse.org', 'https://bad-domain.discourse.org.evil.com')
+        expect(result1).to eq(nil)
+
+        result2 = described_class.check_url('https://www.discourse.org', 'https://www.discourse.org.evil.com')
+        expect(result2).to eq(nil)
+
+        result3 = described_class.check_url('https://www.discourse.org', 'https://www.www.discourse.org')
+        expect(result3).to eq(nil)
+
+        result4 = described_class.check_url('https://www.discourse.org', "https://www.discourse.org\nwww.discourse.org.evil.com")
+        expect(result4).to eq(nil)
+
+        result5 = described_class.check_url('ttps://www.discourse.org', "ttps://www.discourse.org")
+        expect(result5).to eq(nil)
+
+        result6 = described_class.check_url('https://', "https://")
+        expect(result6).to eq(nil)
+      end
+    end
+  end
+end