Merge pull request #26 from datachainlab/audit-suggestion

Improve url validation Signed-off-by: Jun Kimura <[email protected]>
datachainlab · Dec 24, 2024 · d1afe7b · d1afe7b
2 parents 021ca43 + b9ce959
commit d1afe7b
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 5 deletions.
diff --git a/crates/light-client-cli/src/context.rs b/crates/light-client-cli/src/context.rs
@@ -29,8 +29,8 @@ impl<
     pub fn build(network: Network, opts: Opts) -> Result<Self, Error> {
         let home_dir = opts.home_dir();
         if !home_dir.exists() {
-            info!("directory {:?} is created", home_dir);
             std::fs::create_dir(&home_dir)?;
+            info!("directory {:?} is created", home_dir);
         }
         Ok(Self {
             config: network.config(),

diff --git a/crates/lodestar-rpc/src/client.rs b/crates/lodestar-rpc/src/client.rs
@@ -8,7 +8,7 @@ use ethereum_consensus::beacon::Slot;
 use ethereum_consensus::sync_protocol::SyncCommitteePeriod;
 use ethereum_consensus::types::H256;
 use log::debug;
-use reqwest::{Client, StatusCode};
+use reqwest::{Client, StatusCode, Url};
 use serde::de::DeserializeOwned;
 
 type Result<T> = core::result::Result<T, Error>;
@@ -20,9 +20,25 @@ pub struct RPCClient {
 
 impl RPCClient {
     pub fn new(endpoint: impl Into<String>) -> Self {
+        let url = Url::parse(&endpoint.into()).expect("Invalid URL");
+        if url.scheme() != "http" && url.scheme() != "https" {
+            panic!("Invalid URL scheme: {}", url.scheme());
+        }
+        if url.path() != "/" {
+            panic!("Invalid URL path: {}", url.path());
+        }
+        if url.host().is_none() {
+            panic!("Invalid URL host: {}", url.host().unwrap());
+        }
+        if url.query().is_some() {
+            panic!("Invalid URL query: {}", url.query().unwrap());
+        }
+        if url.fragment().is_some() {
+            panic!("Invalid URL fragment: {}", url.fragment().unwrap());
+        }
         Self {
             http_client: reqwest::Client::new(),
-            endpoint: endpoint.into(),
+            endpoint: url.as_str().strip_suffix("/").unwrap().to_string(),
         }
     }
 
@@ -168,8 +184,8 @@ impl RPCClient {
 
 #[derive(serde::Serialize, serde::Deserialize)]
 struct InternalServerError {
-    #[serde(rename = "statusCode")]
+    #[serde(alias = "statusCode", alias = "code")]
     status_code: u64,
-    error: String,
+    error: Option<String>,
     message: String,
 }