merge: Improve URL validation (!1155)

View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/1155

Approved-by: dakkar <dakkar@thenautilus.net>
Approved-by: Marie <github@yuugi.dev>

packages/backend/src/misc/captcha-error.ts

@@ -0,0 +1,18 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import type { CaptchaErrorCode } from '@/core/CaptchaService.js';
+
+export class CaptchaError extends Error {
+	public readonly code: CaptchaErrorCode;
+	public readonly cause?: unknown;
+
+	constructor(code: CaptchaErrorCode, message: string, cause?: unknown) {
+		super(message, cause ? { cause } : undefined);
+		this.code = code;
+		this.cause = cause;
+		this.name = 'CaptchaError';
+	}
+}

packages/backend/src/misc/render-inline-error.ts

@@ -5,7 +5,7 @@
 
 import { IdentifiableError } from '@/misc/identifiable-error.js';
 import { StatusError } from '@/misc/status-error.js';
-import { CaptchaError } from '@/core/CaptchaService.js';
+import { CaptchaError } from '@/misc/captcha-error.js';
 
 export function renderInlineError(err: unknown): string {
 	const parts: string[] = [];

packages/backend/src/misc/verify-field-link.ts

@@ -10,8 +10,9 @@ type Field = { name: string, value: string };
 
 export async function verifyFieldLinks(fields: Field[], profileUrls: string[], httpRequestService: HttpRequestService): Promise<string[]> {
 	const verified_links = [];
-	for (const field_url of fields.filter(x => URL.canParse(x.value) && ['http:', 'https:'].includes((new URL(x.value).protocol)))) {
+	for (const field_url of fields) {
 		try {
+			// getHtml validates the input URL, so we can safely pass in untrusted values
 			const html = await httpRequestService.getHtml(field_url.value);
 
 			const doc = cheerio(html);