Implement URL validation and sanitization for SSRF protection in route handling

Author: DefinetlyNotAI

app/api/preview/route.ts

@@ -1,5 +1,77 @@
 import {type NextRequest, NextResponse} from "next/server"
 import settings from '@/lib/settings'
+import {projects} from '@/lib/projectData'
+
+// Extract allowed domains from project data
+const allowedDomains = new Set(
+    projects.map(p => {
+        try {
+            return new URL(p.visitLink).hostname.toLowerCase()
+        } catch {
+            return null
+        }
+    }).filter((domain): domain is string => domain !== null)
+)
+
+// Helper function to validate and sanitize URLs for SSRF protection
+function validateUrl(url: string): { valid: boolean; error?: string; sanitized?: string } {
+    try {
+        const parsedUrl = new URL(url)
+
+        // Only allow http and https protocols
+        if (!['http:', 'https:'].includes(parsedUrl.protocol)) {
+            return { valid: false, error: 'Only HTTP and HTTPS protocols are allowed' }
+        }
+
+        // Check if domain is in the allowed list from projectData
+        const hostname = parsedUrl.hostname.toLowerCase()
+        if (!allowedDomains.has(hostname)) {
+            return { valid: false, error: 'Domain not allowed. Only configured project domains are permitted.' }
+        }
+
+        // Block localhost variants (additional safety check)
+        if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '0.0.0.0' || hostname === '[::1]') {
+            return { valid: false, error: 'Cannot access localhost' }
+        }
+
+        // Block private IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x, 169.254.x.x)
+        const ipv4Regex = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
+        const ipMatch = hostname.match(ipv4Regex)
+        if (ipMatch) {
+            const octets = ipMatch.slice(1).map(Number)
+            const [a, b] = octets
+            if (
+                a === 10 ||
+                (a === 172 && b >= 16 && b <= 31) ||
+                (a === 192 && b === 168) ||
+                (a === 169 && b === 254) ||
+                a === 0 ||
+                a >= 224 // Multicast and reserved
+            ) {
+                return { valid: false, error: 'Cannot access private IP addresses' }
+            }
+        }
+
+        // Block IPv6 private addresses
+        if (hostname.includes(':') && (hostname.startsWith('fe80:') || hostname.startsWith('fc') || hostname.startsWith('fd'))) {
+            return { valid: false, error: 'Cannot access private IPv6 addresses' }
+        }
+
+        return { valid: true, sanitized: parsedUrl.href }
+    } catch (err) {
+        return { valid: false, error: 'Invalid URL format' }
+    }
+}
+
+// Helper function to escape HTML to prevent XSS
+function escapeHtml(unsafe: string): string {
+    return unsafe
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#039;')
+}
 
 export async function GET(request: NextRequest) {
     const searchParams = request.nextUrl.searchParams
@@ -9,10 +81,16 @@ export async function GET(request: NextRequest) {
         return NextResponse.json({error: "Missing url parameter"}, {status: 400})
     }
 
+    // Validate URL to prevent SSRF
+    const validation = validateUrl(url)
+    if (!validation.valid) {
+        return NextResponse.json({error: validation.error}, {status: 400})
+    }
+
     try {
         // We want to detect redirects and, if present, wait a configured amount before following them.
         const maxRedirects = settings.preview.maxRedirects
-        let currentUrl = url
+        let currentUrl = validation.sanitized!
         let response: Response | null = null
 
         for (let i = 0; i <= maxRedirects; i++) {
@@ -35,7 +113,15 @@ export async function GET(request: NextRequest) {
 
                     // Resolve relative redirects against current URL
                     try {
-                        currentUrl = new URL(location, currentUrl).href
+                        const resolvedUrl = new URL(location, currentUrl).href
+
+                        // Validate redirect URL to prevent SSRF
+                        const redirectValidation = validateUrl(resolvedUrl)
+                        if (!redirectValidation.valid) {
+                            return NextResponse.json({error: `Invalid redirect location: ${redirectValidation.error}`}, {status: 502})
+                        }
+
+                        currentUrl = redirectValidation.sanitized!
                         // Continue loop to fetch the redirected location
                         continue
                     } catch (err) {
@@ -55,7 +141,7 @@ export async function GET(request: NextRequest) {
         // If the target explicitly forbids GET (method mismatch), surface a readable message
         if (response.status === 405) {
             return new NextResponse(
-                `<html lang="en"><body><h1>405 Method Not Allowed</h1><p>The requested URL ${currentUrl} returned 405. Preview is not available for non-GET endpoints.</p></body></html>`,
+                `<html lang="en"><body><h1>405 Method Not Allowed</h1><p>The requested URL ${escapeHtml(currentUrl)} returned 405. Preview is not available for non-GET endpoints.</p></body></html>`,
                 {
                     headers: {"Content-Type": "text/html"},
                     status: 405,
@@ -69,12 +155,13 @@ export async function GET(request: NextRequest) {
 
         // If configured to wait for full client-side load, return an iframe wrapper that waits for load event
         if (settings.preview.waitForFullLoad) {
+            const escapedUrl = escapeHtml(currentUrl)
             const iframeHtml = `<!doctype html>
 <html lang="en">
 <head>
 <meta charset="utf-8" />
 <meta name="viewport" content="width=device-width,initial-scale=1" />
-<title>Preview: ${currentUrl}</title>
+<title>Preview: ${escapedUrl}</title>
 <style>
   html,body { height:100%; margin:0; font-family:system-ui,Segoe UI,Roboto,Arial; }
   #frame { width:100%; height:100vh; border:0; display:none }
@@ -95,9 +182,9 @@ export async function GET(request: NextRequest) {
   <div style="font-size:32px;opacity:0.3;">⚠</div>
   <div style="font-size:14px;font-weight:500;">Preview Unavailable</div>
   <div style="font-size:12px;">This site cannot be displayed in a preview frame.</div>
-  <a href="${currentUrl}" target="_blank" rel="noopener noreferrer" style="font-size:12px;">Open in new tab →</a>
+  <a href="${escapedUrl}" target="_blank" rel="noopener noreferrer" style="font-size:12px;">Open in new tab →</a>
 </div>
-<iframe id="frame" src="${currentUrl}" sandbox="allow-same-origin allow-scripts allow-forms allow-pointer-lock allow-popups"></iframe>
+<iframe id="frame" src="${escapedUrl}" sandbox="allow-same-origin allow-scripts allow-forms allow-pointer-lock allow-popups"></iframe>
 <script>
   const iframe = document.getElementById('frame');
   const loader = document.getElementById('loader');
@@ -147,7 +234,7 @@ export async function GET(request: NextRequest) {
 
         html = html.replace(
             /<head>/i,
-            `<head><base href="${currentUrl}"><style>body { pointer-events: none; user-select: none; }</style>`,
+            `<head><base href="${escapeHtml(currentUrl)}"><style>body { pointer-events: none; user-select: none; }</style>`,
         )
 
         return new NextResponse(html, {

app/api/report/route.ts

@@ -41,14 +41,14 @@ export async function POST(request: NextRequest) {
             const willLog = ![401, 403, 405].includes(response.status)
             if (willLog) {
                 try {
-                    console.log(`[API] report: inserting log for ${projectSlug}${routePath} status=${response.status} responseTime=${responseTime}`)
+                    console.log('[API] report: inserting log for', projectSlug + routePath, 'status=', response.status, 'responseTime=', responseTime)
                     await insertStatusLog(projectSlug, routePath, response.status, responseTime)
-                    console.log(`[API] report: insert successful for ${projectSlug}${routePath}`)
+                    console.log('[API] report: insert successful for', projectSlug + routePath)
                 } catch (e) {
-                    console.error(`[API] report: insert failed for ${projectSlug}${routePath}:`, e)
+                    console.error('[API] report: insert failed for', projectSlug + routePath, ':', e)
                 }
             } else {
-                console.log(`[API] report: skipping insert for ${projectSlug}${routePath} status=${response.status}`)
+                console.log('[API] report: skipping insert for', projectSlug + routePath, 'status=', response.status)
             }
 
             const result: any = {
@@ -92,9 +92,9 @@ export async function POST(request: NextRequest) {
 
             try {
                 await insertStatusLog(projectSlug, routePath, 0, responseTime)
-                console.log(`[API] report: insert error-log successful for ${projectSlug}${routePath} responseTime=${responseTime}`)
+                console.log('[API] report: insert error-log successful for', projectSlug + routePath, 'responseTime=', responseTime)
             } catch (e) {
-                console.error(`[API] report: failed to insert error-log for ${projectSlug}${routePath}:`, e)
+                console.error('[API] report: failed to insert error-log for', projectSlug + routePath, ':', e)
             }
 
             return NextResponse.json({