[GH-ISSUE #204] Web app: validate server URLs #160

New issue

Closed

opened 2026-05-07 00:20:49 +02:00 by BreizhHardware · 6 comments

BreizhHardware commented 2026-05-07 00:20:49 +02:00

Owner

Copy link

Originally created by @cmeis on GitHub (Apr 8, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/204

As in issue #193 for the Android app, the web app doesn't do any validation on the server url for user accounts (apart from it having to be at least one character long ;-) ). See screenshot:

Needs proper input validation for the URL.

Originally created by @cmeis on GitHub (Apr 8, 2022). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/204 As in issue #193 for the Android app, the web app doesn't do any validation on the server url for user accounts (apart from it having to be at least one character long ;-) ). See screenshot:  Needs proper input validation for the URL.

BreizhHardware 2026-05-07 00:20:49 +02:00

• closed this issue
• added the
  🪲 bug
  web-app
  labels

BreizhHardware commented 2026-05-07 00:20:50 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Apr 8, 2022):

Indeed. 😱

Good catch.

<!-- gh-comment-id:1093483813 --> @binwiederhier commented on GitHub (Apr 8, 2022): Indeed. :scream: Good catch.

BreizhHardware commented 2026-05-07 00:20:50 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Apr 8, 2022):

There isn't really much validation I can do apart from just checking that it starts with https?:// -- If I was gonna get fancy, I could make an endpoint to check that the server is a valid ntfy server, but that's not really worth it, so I think I'll stick with the http/s-chekc

<!-- gh-comment-id:1093485930 --> @binwiederhier commented on GitHub (Apr 8, 2022): There isn't really much validation I can do apart from just checking that it starts with `https?://` -- If I was gonna get fancy, I could make an endpoint to check that the server is a valid ntfy server, but that's not really worth it, so I think I'll stick with the http/s-chekc

BreizhHardware commented 2026-05-07 00:20:50 +02:00

Author

Owner

Copy link

@cmeis commented on GitHub (Apr 9, 2022):

Well you could validate the host a bit more, like:

• is it a valid IPv4/IPv6 address?
• is it a syntactically correct FQDN?

Perhaps something like https://www.npmjs.com/package/is-valid-hostname

<!-- gh-comment-id:1093759255 --> @cmeis commented on GitHub (Apr 9, 2022): Well you could validate the host a bit more, like: - is it a valid IPv4/IPv6 address? - is it a syntactically correct FQDN? Perhaps something like https://www.npmjs.com/package/is-valid-hostname

BreizhHardware commented 2026-05-07 00:20:50 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Apr 9, 2022):

is-valid-hostname reminded me of the left-pad debacle. I generally try to keep dependencies out as much as possible (though that's hard to do in the JS world). But hostname checking doesn't have to be that strict. If it's wrong, stuff will not work and you'll fix it. :-D

I think I'm alright with just checking for http://..

<!-- gh-comment-id:1094044331 --> @binwiederhier commented on GitHub (Apr 9, 2022): [is-valid-hostname](https://www.npmjs.com/package/is-valid-hostname) reminded me of the `left-pad` debacle. I generally try to keep dependencies out as much as possible (though that's hard to do in the JS world). But hostname checking doesn't have to be that strict. If it's wrong, stuff will not work and you'll fix it. :-D I think I'm alright with just checking for http://..

BreizhHardware commented 2026-05-07 00:20:51 +02:00

Author

Owner

Copy link

@cmeis commented on GitHub (Apr 9, 2022):

Tell me about dependency hell..... I'm fine with fixing my own sh*t 😉

<!-- gh-comment-id:1094079841 --> @cmeis commented on GitHub (Apr 9, 2022): Tell me about dependency hell..... I'm fine with fixing my own sh*t 😉

BreizhHardware commented 2026-05-07 00:20:51 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Apr 10, 2022):

This is done and will be in the next release. Just basic URL validation

<!-- gh-comment-id:1094349977 --> @binwiederhier commented on GitHub (Apr 10, 2022): This is done and will be in the next release. Just basic URL validation

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#160

No description provided.