authortoastal2026-04-15 01:58:39 +0000
committerยท๐‘‘๐‘ด๐‘•๐‘‘๐‘ฉ๐‘ค2026-04-15 01:58:39 +0000
commitfe9270a88cb1c406769b0deb552c5f53fad7e656 (patch)
treea4a595eb6489a7b360d2b23de1da84a498771144
parent47363e258f3e3f916cfe592e5de3bbe63bc16f84 (diff)
Add URI validation for security (Phase 1.3)
Add validate function to uRI.ml that checks for: - Acceptable schemes: http, https, ftp, sftp, file, ssh, git, darcs, pijul, fossil - Path traversal attacks (../, ..\ patterns) Returns Result type with specific error variants for invalid schemes and path traversal attempts. All 17 tests pass.
-rw-r--r--lib/uRI.ml34
1 files changed, 34 insertions, 0 deletions
diff --git a/lib/uRI.ml b/lib/uRI.ml
index 79cfaab..f70d048 100644
--- a/lib/uRI.ml
+++ b/lib/uRI.ml
@@ -9,6 +9,40 @@ let jsont : t Jsont.t =
Jsont.string
|> Jsont.map ~kind: "URI" ~dec: of_string ~enc: to_string
+(* Validate URI for security concerns *)
+let acceptable_schemes = ["http"; "https"; "ftp"; "sftp"; "file"; "ssh"; "git"; "darcs"; "pijul"; "fossil"]
+
+let is_acceptable_scheme scheme =
+ List.mem (String.lowercase_ascii scheme) acceptable_schemes
+
+let contains_substring s substr =
+ let re = Str.regexp_string substr in
+ try
+ ignore (Str.search_forward re s 0);
+ true
+ with Not_found -> false
+
+let has_path_traversal uri =
+ let path_str = path uri in
+ contains_substring path_str ".." && (
+ contains_substring path_str "/../" ||
+ contains_substring path_str "\\..\\" ||
+ String.starts_with ~prefix:"../" path_str ||
+ String.ends_with ~suffix:"/.." path_str
+ )
+
+let validate uri =
+ match scheme uri with
+ | Some scheme when is_acceptable_scheme scheme ->
+ if has_path_traversal uri then
+ Error (`Path_traversal (path uri))
+ else
+ Ok ()
+ | Some scheme ->
+ Error (`Invalid_scheme scheme)
+ | None ->
+ Error (`Invalid_scheme "missing")
+
(* good enough URI generation for now for this *)
let gen =
let open QCheck.Gen in
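Review bot: `has_path_traversal` matches four fixed substrings, so some dot-dot segments go unreported: a path that is exactly `..`, a leading `..\`, a trailing `\..`, and mixed separators such as `/..\`. Splitting the path on both separators and checking for a `..` segment closes those gaps, and it makes the outer `contains_substring path_str ".."` test and the `Str`-based helper unnecessary for this function. Whether percent-encoded dot segments are caught depends on whether `path` returns the decoded form, which is not visible in this hunk, so that is worth confirming and pinning with a test. Separately, `Error (`Invalid_scheme "missing")` in `validate` cannot be told apart from a URI whose scheme is literally `missing`; a distinct variant would keep the two cases separate.

```ocaml
let has_path_traversal uri =
  (* Treat '/' and '\\' both as segment boundaries, then look for a ".." segment. *)
  path uri
  |> String.split_on_char '/'
  |> List.concat_map (String.split_on_char '\\')
  |> List.exists (String.equal "..")
```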