diff --git a/plugin/http.go b/plugin/http.go
index b0eb2738b58af5caa63dab85017dd51b7b6b3a2b..e5f447f2b07fff7312c5b203bb8d2a6327e26b35 100644
--- a/plugin/http.go
+++ b/plugin/http.go
@@ -3,6 +3,7 @@ package plugin
 import (
 	"io"
 	"net/http"
+	"net/url"
 	"strings"
 
 	lua "github.com/yuin/gopher-lua"
@@ -36,8 +37,16 @@ func (m *Manager) luaHTTP(L *lua.LState) int {
 	}
 	rawURL := urlVal.String()
 
+	// URL format validation.
+	parsedURL, err := url.Parse(rawURL)
+	if err != nil {
+		L.Push(lua.LNil)
+		L.Push(lua.LString("invalid URL: " + err.Error()))
+		return 2
+	}
+
 	// Scheme validation.
-	if !strings.HasPrefix(rawURL, "http://") && !strings.HasPrefix(rawURL, "https://") {
+	if parsedURL.Scheme != "http" && parsedURL.Scheme != "https" {
 		L.Push(lua.LNil)
 		L.Push(lua.LString("unsupported URL scheme: only http and https are allowed"))
 		return 2
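Review bot: The new scheme check accepts URLs with no host, because url.Parse succeeds on inputs such as `http:opaque` or `http:///path` and reports Scheme "http" with an empty Host, whereas the old HasPrefix test at least required the `http://` form; add a host check right after the scheme branch, `if parsedURL.Host == "" {` with the same LNil/LString/return 2 body, e.g. `lua.LString("invalid URL: missing host")`. Note that url.Parse lower-cases the scheme, so `HTTP://…` is now accepted where it was previously rejected; that is probably intended but worth a line in the `// Scheme validation.` comment. luaHTTP continues outside the hunk, so it is not visible whether the request is later built from rawURL or from parsedURL; using the parsed value keeps the validated and the fetched URL the same. The `strings` import is no longer used by this hunk; it may still be needed elsewhere in the file, which the diff does not show.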