Etiquette and input sanitation

Hi everyone,

I've gotten a request for my mod Kerbal Changelog to add a button that will automatically take the user to a mod developer's website/forum page/etc. as an easy way for the user to interact with the mod's userbase. In order to do this, I am going to utilize the method Application.OpenURL, provided by Unity. They also give the warning that input needs to be sanitized before being passed in to prevent malicious URLs from being opened, to keep the users safe.

I developed some code to "Validate" the URLs that are given by the mod authors, and I'd just like to have a sanity check before releasing something potentially dangerous to the wider KSP community.

		bool ValidateWebsite(string url)
		{
			string[] validurls = { "github.com", "forums.kerbalspaceprogram.com" };
			Regex pattern = new Regex(@"^(\w+\.)+com"); //only works with .com sites right now but can be changed if mod authors have their own custom sites (would still have to match up with the validurls array)
			//Checks if the url is a valid .com website
			if(pattern.IsMatch(url))
			{
				Match siteMatch = pattern.Match(url); //Matches the regex
				string site = siteMatch.Groups[1].Value; //Pulls the top level site (whateversite.com) out of the longer string (whateversite.com/mods/mymod.html)
				if (validurls.Contains(site)) //Checks if the URL is in the list of valid urls (to prevent any sort of malicious activity)
				{
					return true;
				}
			}
			return false;
		}

Does anyone have any feedback on whether or not this is safe enough?

Thanks.


Here's the updated code:

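		// Needs "using System;" for Uri and "using System.Linq;" for Contains on an array
		static bool ValidateWebsite(string url)
		{
			string[] validurls = { "github.com", "forum.kerbalspaceprogram.com" };
			Uri siteuri;
			// TryCreate returns false on malformed input instead of throwing UriFormatException
			if (!Uri.TryCreate("https://" + url, UriKind.Absolute, out siteuri))
			{
				return false;
			}
			string site = siteuri.Host; //Host name only; the path and query are not part of the check
			if (validurls.Contains(site)) //Exact match against the whitelist
			{
				return true;
			}
			return false;
		}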

Does anyone have any other websites that they think should be whitelisted? Perhaps spacedock?

Edited by Benjamin Kerman
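An added example, not code from the thread or from Kerbal Changelog: one way to tighten the host check in the updated code so that it also pins the scheme, rejects userinfo and non-default ports, and hands back the exact string that was validated. `UrlAllowlist` and `TryGetSafeUrl` are hypothetical names, and the sample inputs are constructed.

```csharp
using System;
using System.Collections.Generic;

static class UrlAllowlist
{
    // Hosts named in the thread; extend only with sites you trust.
    static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "github.com", "forum.kerbalspaceprogram.com" };

    // Returns true and the canonical URL to open; false for anything off the allowlist.
    public static bool TryGetSafeUrl(string input, out string safeUrl)
    {
        safeUrl = null;
        if (string.IsNullOrEmpty(input)) return false;
        string trimmed = input.Trim();
        // Accept "host/path" as a mod author might write it; a supplied scheme is checked below.
        string candidate = trimmed.Contains("://") ? trimmed : "https://" + trimmed;
        Uri uri;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false;   // rejects file:, http: and others
        if (!uri.IsDefaultPort) return false;                 // default https port only
        if (uri.UserInfo.Length != 0) return false;           // rejects "allowed.host@other.host"
        if (!AllowedHosts.Contains(uri.Host)) return false;   // exact host, not a substring
        safeUrl = uri.AbsoluteUri;                            // open what was validated
        return true;
    }

    static void Main()
    {
        // Constructed inputs, not taken from any real changelog file.
        string[] samples = {
            "github.com/example/mod",
            "https://forum.kerbalspaceprogram.com/index.php?/topic/0-example/",
            "github.com.example.net/mod",
            "github.com@example.net/mod",
            "http://github.com/example/mod",
            "file:///C:/example/local.txt",
        };
        foreach (string s in samples)
        {
            string safe;
            bool ok = TryGetSafeUrl(s, out safe);
            Console.WriteLine("{0,-66} -> {1}", s, ok ? safe : "rejected");
        }
    }
}
```

In the mod, pass only the returned `safeUrl` to `Application.OpenURL`, so the string that was validated is the string that gets opened.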

33 minutes ago, Benjamin Kerman said:

Does anyone have any other websites that they think should be whitelisted? Perhaps spacedock?

Here are the other ones that CKAN tracks, for what it's worth.

$ jq -r '.resources.homepage' *.netkan|sort -u|egrep -v 'forum.kerbalspaceprogram.com|github.com'
http://kerbokatz.github.io/
http://kerbokatz.github.io/#CraftHistory
http://krpc.github.io/krpc
https://discordapp.com/invite/ZGbR6nv
https://genhis.github.io/KRPC.MechJeb/
https://kerbalism.github.io/Kerbalism
https://KerbalX.com/CraftManager
https://KerbalX.com/KXAPI
http://snjo.github.io/
https://www.reddit.com/r/KerbalSpaceProgram/comments/8g76wg/the_jj_kabrams_hq_flares_pack_for_scatterer/
http://www.blackleg.es
http://www.Kerbaltek.com/graphotron
http://www.Kerbaltek.com/hyperedit

 

Edited by HebaruSan

Funny, I never saw your mod before. I guess you could add my Jenkins server (ksp.sarbian.com), since it is where ModuleManager is mainly distributed and you can see the commit log for each version there.
