From 50e2b816730c3d1272e67dfae782ab7b412fd440 Mon Sep 17 00:00:00 2001
From: Md Mushfiqur Rahim <20mahin2020@gmail.com>
Date: Sat, 23 May 2026 12:01:24 +0600
Subject: [PATCH] fix(plugin): add URL format validation (#1341)

## What?
Added url.Parse() call before scheme validation in plugin HTTP handler to catch malformed URLs early and return a clear error to the Lua script.

## Why?
Fixes #753.
---
 plugin/http.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/plugin/http.go b/plugin/http.go
index b0eb2738b58af5caa63dab85017dd51b7b6b3a2b..e5f447f2b07fff7312c5b203bb8d2a6327e26b35 100644
--- a/plugin/http.go
+++ b/plugin/http.go
@@ -3,6 +3,7 @@ package plugin
 import (
 "io"
 "net/http"
+ "net/url"
 "strings"
 
 lua "github.com/yuin/gopher-lua"
@@ -36,8 +37,16 @@ func (m *Manager) luaHTTP(L *lua.LState) int {
 }
 rawURL := urlVal.String()
 
+ // URL format validation.
+ parsedURL, err := url.Parse(rawURL)
+ if err != nil {
+ L.Push(lua.LNil)
+ L.Push(lua.LString("invalid URL: " + err.Error()))
+ return 2
+ }
+
 // Scheme validation.
- if !strings.HasPrefix(rawURL, "http://") && !strings.HasPrefix(rawURL, "https://") {
+ if parsedURL.Scheme != "http" && parsedURL.Scheme != "https" {
 L.Push(lua.LNil)
 L.Push(lua.LString("unsupported URL scheme: only http and https are allowed"))
 return 2
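Review bot: The new scheme check in luaHTTP still accepts URLs with no host, because `url.Parse` is lenient: inputs such as `http:example.com` (opaque form) or `http:///path` parse without error and report `Scheme == "http"`, whereas the removed `HasPrefix(rawURL, "http://")` test at least rejected the first. Tightening the condition to `if (parsedURL.Scheme != "http" && parsedURL.Scheme != "https") || parsedURL.Host == "" {` (with the error message adjusted to cover a missing host) would make these fail here with a clear error rather than later in the HTTP client. The rest of luaHTTP lies outside the hunk; if it still builds the request from `rawURL`, passing `parsedURL.String()` instead would guarantee that the URL that was validated is the one actually requested. A short comment above the check noting that `url.Parse` lower-cases the scheme, so `HTTP://` is now accepted, would also document the intended behaviour change.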