From e2523d2604f2426cdb58fde0ab395c4fc68ed6cb Mon Sep 17 00:00:00 2001
From: Mike Cao
Date: Mon, 10 Feb 2025 21:52:30 -0800
Subject: [PATCH] Check for valid urls.

---
 src/app/api/send/route.ts | 9 +++++----
 src/lib/schema.ts | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/app/api/send/route.ts b/src/app/api/send/route.ts
index fce649da..b70f5d19 100644
--- a/src/app/api/send/route.ts
+++ b/src/app/api/send/route.ts
@@ -9,6 +9,7 @@ import { getClientInfo, hasBlockedIp } from '@/lib/detect';
 import { secret, uuid, visitSalt } from '@/lib/crypto';
 import { COLLECTION_TYPE } from '@/lib/constants';
 import { createSession, saveEvent, saveSessionData } from '@/queries';
+import { urlOrPathParam } from '@/lib/schema';
 
 const schema = z.object({
   type: z.enum(['event', 'identify']),
@@ -17,11 +18,11 @@ const schema = z.object({
   data: z.object({}).passthrough().optional(),
   hostname: z.string().max(100).optional(),
   language: z.string().max(35).optional(),
-  referrer: z.string().optional(),
+  referrer: urlOrPathParam,
   screen: z.string().max(11).optional(),
   title: z.string().optional(),
-  url: z.string().optional(),
-  name: z.string().max(50).optional(),
+  url: urlOrPathParam,
+  name: z.string().url().max(50).optional(),
   tag: z.string().max(50).optional(),
   ip: z.string().ip().optional(),
   userAgent: z.string().optional(),
@@ -129,7 +130,7 @@ export async function POST(request: Request) {
     }
 
     if (type === COLLECTION_TYPE.event) {
-      const base = hostname ? `http://${hostname}` : 'http://localhost';
+      const base = hostname ? `https://${hostname}` : 'https://localhost';
       const currentUrl = new URL(url, base);
 
       let urlPath = currentUrl.pathname;
diff --git a/src/lib/schema.ts b/src/lib/schema.ts
index 84662f04..9fca4b8a 100644
--- a/src/lib/schema.ts
+++ b/src/lib/schema.ts
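Review bot: `name: z.string().url().max(50).optional()` applies a URL format check to the event name, so an ordinary event name such as `signup` now fails schema validation; this reads like a copy of the `url` line rather than an intended rule, and the line should stay `name: z.string().max(50).optional(),`. In the same hunk `referrer: urlOrPathParam` and `url: urlOrPathParam` drop the `.optional()` the replaced lines had, and `urlOrPathParam` as defined in this patch carries no `.optional()` of its own, so both fields become required for every `type`, `identify` included; if clients may omit them, write `urlOrPathParam.optional()` here. The `schema` object literal continues outside the hunk.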
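Review bot: The changed `base` line interpolates `hostname` into a URL, but the schema earlier in this file bounds `hostname` only with `.max(100)`, so a value that is not a valid authority (one containing a space, for instance) makes `new URL(url, base)` on the next line throw even though `url` itself passed `urlOrPathParam`; the new validation parses `url` against `https://localhost`, not against the base actually used here. The cheapest fix is to validate `hostname` in the schema with the same pattern, e.g. `hostname: z.string().max(100).refine(v => { try { new URL(\`https://${v}\`); return true; } catch { return false; } }, { message: 'Invalid hostname.' }).optional(),`, so the request is rejected with the schema's error path instead of an unhandled exception. Whether an enclosing try/catch already catches this is not visible; POST starts and continues outside the hunk.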
@@ -36,6 +36,20 @@ export const unitParam = z.string().refine(value => UNIT_TYPES.includes(value),
 
 export const roleParam = z.enum(['team-member', 'team-view-only', 'team-manager']);
 
+export const urlOrPathParam = z.string().refine(
+  value => {
+    try {
+      new URL(value, 'https://localhost');
+      return true;
+    } catch {
+      return false;
+    }
+  },
+  {
+    message: 'Invalid URL.',
+  },
+);
+
 export const reportTypeParam = z.enum([
   'funnel',
   'insights',
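Review bot: The refine in `urlOrPathParam` accepts any scheme, because `new URL(value, 'https://localhost')` parses `javascript:`, `data:` or `file:` values as valid absolute URLs, and with a base supplied it also accepts nearly every relative string, so in practice it rejects little beyond malformed absolute URLs; if the intent is to admit only web URLs and paths, check the parsed result: `const parsed = new URL(value, 'https://localhost'); return parsed.protocol === 'https:' || parsed.protocol === 'http:';`. The param also has no `.max()` while the neighbouring `hostname`, `screen`, `name` and `tag` fields in route.ts are bounded, so an arbitrarily long string still reaches storage; `z.string().max(LIMIT).refine(...)` with a chosen limit keeps the rest unchanged. `urlOrPathParam` is exported without a TSDoc comment; a line such as `/** A URL or URL path; valid when it parses against a fixed base, so relative paths and the empty string are accepted. */` should state what the check does and does not reject.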