fix: harden donation mode — URL protocol validation, image position allowlist, config merge

Kenbak · Kenbak · commit f48867ee2e1b · 2026-04-06T09:08:56.000+02:00
- Add validate_url_protocol() and validate_image_position() to validation.rs
- Apply protocol checks to website_url, cover_image_url, success_url in both
  create and update paths (closes XSS via javascript: href on PATCH)
- Allowlist cover_image_position to prevent arbitrary CSS injection
- Merge donation_config fields on update instead of replacing entire object
- Rate-limit the public /info endpoint
- Add tests for new validation helpers
diff --git a/src/api/mod.rs b/src/api/mod.rs
@@ -91,7 +91,7 @@ pub fn configure(cfg: &mut web::ServiceConfig) {
             .route("/payment-links/{id}", web::patch().to(payment_links::update))
             .route("/payment-links/{id}", web::delete().to(payment_links::delete))
             .route("/payment-links/{slug}/checkout", web::post().to(payment_links::resolve).wrap(Governor::new(&session_rate_limit)))
-            .route("/payment-links/{slug}/info", web::get().to(payment_links::info))
+            .route("/payment-links/{slug}/info", web::get().to(payment_links::info).wrap(Governor::new(&session_rate_limit)))
             // Donation links (merchant auth)
             .route("/donation-links", web::post().to(payment_links::create_donation))
             // Buyer checkout (public)
diff --git a/src/api/payment_links.rs b/src/api/payment_links.rs
@@ -604,18 +604,24 @@ fn validate_create_donation(req: &CreateDonationLinkRequest) -> Result<(), valid
     }
     if let Some(ref url) = req.cover_image_url {
         validation::validate_length("cover_image_url", url, 2000)?;
+        validation::validate_url_protocol("cover_image_url", url, false)?;
+    }
+    if let Some(ref pos) = req.cover_image_position {
+        validation::validate_image_position("cover_image_position", pos)?;
     }
     if let Some(ref email) = req.contact_email {
         validation::validate_length("contact_email", email, 200)?;
     }
     if let Some(ref url) = req.website_url {
         validation::validate_length("website_url", url, 2000)?;
+        validation::validate_url_protocol("website_url", url, true)?;
     }
     if let Some(ref text) = req.social_share_text {
         validation::validate_length("social_share_text", text, 500)?;
     }
     if let Some(ref url) = req.success_url {
         validation::validate_length("success_url", url, 2000)?;
+        validation::validate_url_protocol("success_url", url, true)?;
     }
     Ok(())
 }
@@ -626,6 +632,9 @@ fn validate_update(req: &UpdatePaymentLinkRequest) -> Result<(), validation::Val
     }
     if let Some(ref url) = req.success_url {
         validation::validate_length("success_url", url, 2000)?;
+        if !url.is_empty() {
+            validation::validate_url_protocol("success_url", url, true)?;
+        }
     }
     if let Some(ref dc) = req.donation_config {
         if let Some(ref mission) = dc.mission {
@@ -639,12 +648,21 @@ fn validate_update(req: &UpdatePaymentLinkRequest) -> Result<(), validation::Val
         }
         if let Some(ref url) = dc.cover_image_url {
             validation::validate_length("cover_image_url", url, 2000)?;
+            if !url.is_empty() {
+                validation::validate_url_protocol("cover_image_url", url, false)?;
+            }
+        }
+        if let Some(ref pos) = dc.cover_image_position {
+            validation::validate_image_position("cover_image_position", pos)?;
         }
         if let Some(ref email) = dc.contact_email {
             validation::validate_length("contact_email", email, 200)?;
         }
         if let Some(ref url) = dc.website_url {
             validation::validate_length("website_url", url, 2000)?;
+            if !url.is_empty() {
+                validation::validate_url_protocol("website_url", url, true)?;
+            }
         }
         if let Some(ref text) = dc.social_share_text {
             validation::validate_length("social_share_text", text, 500)?;
diff --git a/src/payment_links/mod.rs b/src/payment_links/mod.rs
@@ -289,9 +289,33 @@ pub async fn update_payment_link(
         .or(existing.metadata);
 
     let donation_config_json = if existing.mode == "donation" {
-        req.donation_config.as_ref()
-            .map(|dc| serde_json::to_string(dc).unwrap_or_default())
-            .or(existing.donation_config)
+        match (&req.donation_config, &existing.donation_config) {
+            (Some(updates), Some(existing_json)) => {
+                let mut base: DonationConfig = serde_json::from_str(existing_json)
+                    .unwrap_or(DonationConfig {
+                        mission: None, thank_you: None, suggested_amounts: None,
+                        currency: "USD".to_string(), min_amount: None, max_amount: None,
+                        campaign_name: None, campaign_goal: None, cover_image_url: None,
+                        cover_image_position: None, contact_email: None, website_url: None,
+                        social_share_text: None,
+                    });
+                if updates.mission.is_some() { base.mission = updates.mission.clone(); }
+                if updates.thank_you.is_some() { base.thank_you = updates.thank_you.clone(); }
+                if updates.suggested_amounts.is_some() { base.suggested_amounts = updates.suggested_amounts.clone(); }
+                if updates.min_amount.is_some() { base.min_amount = updates.min_amount; }
+                if updates.max_amount.is_some() { base.max_amount = updates.max_amount; }
+                if updates.campaign_name.is_some() { base.campaign_name = updates.campaign_name.clone(); }
+                if updates.campaign_goal.is_some() { base.campaign_goal = updates.campaign_goal; }
+                if updates.cover_image_url.is_some() { base.cover_image_url = updates.cover_image_url.clone(); }
+                if updates.cover_image_position.is_some() { base.cover_image_position = updates.cover_image_position.clone(); }
+                if updates.contact_email.is_some() { base.contact_email = updates.contact_email.clone(); }
+                if updates.website_url.is_some() { base.website_url = updates.website_url.clone(); }
+                if updates.social_share_text.is_some() { base.social_share_text = updates.social_share_text.clone(); }
+                Some(serde_json::to_string(&base).unwrap_or_default())
+            }
+            (Some(dc), None) => Some(serde_json::to_string(dc).unwrap_or_default()),
+            (None, existing_dc) => existing_dc.clone(),
+        }
     } else {
         existing.donation_config
     };
diff --git a/src/validation.rs b/src/validation.rs
@@ -47,6 +47,33 @@ pub fn validate_optional_length(
     Ok(())
 }
 
+pub fn validate_url_protocol(field: &str, url: &str, allow_http: bool) -> Result<(), ValidationError> {
+    if url.starts_with("https://") {
+        return Ok(());
+    }
+    if allow_http && url.starts_with("http://") {
+        return Ok(());
+    }
+    let msg = if allow_http {
+        "must start with http:// or https://"
+    } else {
+        "must start with https://"
+    };
+    Err(ValidationError::invalid(field, msg))
+}
+
+const ALLOWED_IMAGE_POSITIONS: &[&str] = &[
+    "center top", "center center", "center bottom",
+];
+
+pub fn validate_image_position(field: &str, value: &str) -> Result<(), ValidationError> {
+    if ALLOWED_IMAGE_POSITIONS.contains(&value) {
+        Ok(())
+    } else {
+        Err(ValidationError::invalid(field, "must be one of: center top, center center, center bottom"))
+    }
+}
+
 pub fn validate_email_format(field: &str, email: &str) -> Result<(), ValidationError> {
     validate_length(field, email, 254)?;
 
@@ -286,6 +313,27 @@ mod tests {
         assert!(validate_zcash_address("addr", "t1000000000000000000000000000000000").is_err());
     }
 
+    #[test]
+    fn test_validate_url_protocol() {
+        assert!(validate_url_protocol("url", "https://example.com", false).is_ok());
+        assert!(validate_url_protocol("url", "http://example.com", false).is_err());
+        assert!(validate_url_protocol("url", "http://example.com", true).is_ok());
+        assert!(validate_url_protocol("url", "javascript:alert(1)", false).is_err());
+        assert!(validate_url_protocol("url", "javascript:alert(1)", true).is_err());
+        assert!(validate_url_protocol("url", "data:text/html,<h1>hi</h1>", false).is_err());
+        assert!(validate_url_protocol("url", "ftp://example.com", true).is_err());
+    }
+
+    #[test]
+    fn test_validate_image_position() {
+        assert!(validate_image_position("pos", "center top").is_ok());
+        assert!(validate_image_position("pos", "center center").is_ok());
+        assert!(validate_image_position("pos", "center bottom").is_ok());
+        assert!(validate_image_position("pos", "left top").is_err());
+        assert!(validate_image_position("pos", "expression(alert(1))").is_err());
+        assert!(validate_image_position("pos", "").is_err());
+    }
+
     #[test]
     fn test_is_private_ip() {
         assert!(is_private_ip(&"127.0.0.1".parse().unwrap()));

Original file line number	Diff line number	Diff line change
`@@ -604,18 +604,24 @@ fn validate_create_donation(req: &CreateDonationLinkRequest) -> Result<(), valid`
`604`	`604`	`}`
`605`	`605`	`if let Some(ref url) = req.cover_image_url {`
`606`	`606`	`validation::validate_length("cover_image_url", url, 2000)?;`
	`607`	`+ validation::validate_url_protocol("cover_image_url", url, false)?;`
	`608`	`+ }`
	`609`	`+ if let Some(ref pos) = req.cover_image_position {`
	`610`	`+ validation::validate_image_position("cover_image_position", pos)?;`
`607`	`611`	`}`
`608`	`612`	`if let Some(ref email) = req.contact_email {`
`609`	`613`	`validation::validate_length("contact_email", email, 200)?;`
`610`	`614`	`}`
`611`	`615`	`if let Some(ref url) = req.website_url {`
`612`	`616`	`validation::validate_length("website_url", url, 2000)?;`
	`617`	`+ validation::validate_url_protocol("website_url", url, true)?;`
`613`	`618`	`}`
`614`	`619`	`if let Some(ref text) = req.social_share_text {`
`615`	`620`	`validation::validate_length("social_share_text", text, 500)?;`
`616`	`621`	`}`
`617`	`622`	`if let Some(ref url) = req.success_url {`
`618`	`623`	`validation::validate_length("success_url", url, 2000)?;`
	`624`	`+ validation::validate_url_protocol("success_url", url, true)?;`
`619`	`625`	`}`
`620`	`626`	`Ok(())`
`621`	`627`	`}`
`@@ -626,6 +632,9 @@ fn validate_update(req: &UpdatePaymentLinkRequest) -> Result<(), validation::Val`
`626`	`632`	`}`
`627`	`633`	`if let Some(ref url) = req.success_url {`
`628`	`634`	`validation::validate_length("success_url", url, 2000)?;`
	`635`	`+ if !url.is_empty() {`
	`636`	`+ validation::validate_url_protocol("success_url", url, true)?;`
	`637`	`+ }`
`629`	`638`	`}`
`630`	`639`	`if let Some(ref dc) = req.donation_config {`
`631`	`640`	`if let Some(ref mission) = dc.mission {`
`@@ -639,12 +648,21 @@ fn validate_update(req: &UpdatePaymentLinkRequest) -> Result<(), validation::Val`
`639`	`648`	`}`
`640`	`649`	`if let Some(ref url) = dc.cover_image_url {`
`641`	`650`	`validation::validate_length("cover_image_url", url, 2000)?;`
	`651`	`+ if !url.is_empty() {`
	`652`	`+ validation::validate_url_protocol("cover_image_url", url, false)?;`
	`653`	`+ }`
	`654`	`+ }`
	`655`	`+ if let Some(ref pos) = dc.cover_image_position {`
	`656`	`+ validation::validate_image_position("cover_image_position", pos)?;`
`642`	`657`	`}`
`643`	`658`	`if let Some(ref email) = dc.contact_email {`
`644`	`659`	`validation::validate_length("contact_email", email, 200)?;`
`645`	`660`	`}`
`646`	`661`	`if let Some(ref url) = dc.website_url {`
`647`	`662`	`validation::validate_length("website_url", url, 2000)?;`
	`663`	`+ if !url.is_empty() {`
	`664`	`+ validation::validate_url_protocol("website_url", url, true)?;`
	`665`	`+ }`
`648`	`666`	`}`
`649`	`667`	`if let Some(ref text) = dc.social_share_text {`
`650`	`668`	`validation::validate_length("social_share_text", text, 500)?;`