From fb4127ec8b89825939888bcde02c8b8a037ef6a4 Mon Sep 17 00:00:00 2001
From: Chris Halbert <christopher.halbert@gmail.com>
Date: Fri, 19 Jan 2024 20:58:05 -0500
Subject: [PATCH] Add light url validation and sanitization with tests.

---
 google/google.go      | 13 ++++++++++---
 google/google_test.go | 41 ++++++++++++++++++++++++++++++++++-------
 2 files changed, 44 insertions(+), 10 deletions(-)

diff --git a/google/google.go b/google/google.go
index 430ec2e..4a43271 100644
--- a/google/google.go
+++ b/google/google.go
@@ -10,9 +10,10 @@ import (
 	"encoding/gob"
 	"encoding/json"
 	"fmt"
-
 	"net/http"
+	"net/url"
 	"os"
+	"strings"
 
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-contrib/sessions/cookie"
@@ -116,8 +117,14 @@ func GetLoginURL(state string) string {
 	return conf.AuthCodeURL(state)
 }
 
-func WithLoginURL(url string) {
-	loginURL = url
+func WithLoginURL(s string) error {
+	s = strings.TrimSpace(s)
+	url, err := url.ParseRequestURI(s)
+	if err != nil {
+		return err
+	}
+	loginURL = url.String()
+	return nil
 }
 
 // Auth is the google authorization middleware. You can use them to protect a routergroup.
diff --git a/google/google_test.go b/google/google_test.go
index e9c2a90..16aecb1 100644
--- a/google/google_test.go
+++ b/google/google_test.go
@@ -19,11 +19,38 @@ func TestSetupFromString(t *testing.T) {
 }
 
 func TestWithLoginURL(t *testing.T) {
-	t.Run("should assign the login url", func(t *testing.T) {
-		loginURL = ""
-		url := "http://fake.fake"
-		WithLoginURL(url)
-		assert.NotEmpty(t, url)
-		assert.Equal(t, url, loginURL)
-	})
+
+	var testCases = []struct {
+		description    string
+		urlParm        string
+		expectUrlLogin string
+		isErrNil       bool
+	}{
+		{
+			description:    "should assign a valid url without error",
+			urlParm:        "http://fake.fake",
+			expectUrlLogin: "http://fake.fake",
+			isErrNil:       true,
+		},
+		{
+			description:    "should assign a sanitizable url without error",
+			urlParm:        " http://fake.fake   ",
+			expectUrlLogin: "http://fake.fake",
+			isErrNil:       true,
+		},
+		{
+			description:    "should not assign an invalid url without error",
+			urlParm:        "not a parseable url",
+			expectUrlLogin: "",
+			isErrNil:       false,
+		},
+	}
+	for _, testCase := range testCases {
+		t.Run(testCase.description, func(t *testing.T) {
+			loginURL = ""
+			err := WithLoginURL(testCase.urlParm)
+			assert.Equal(t, testCase.expectUrlLogin, loginURL)
+			assert.Equal(t, testCase.isErrNil, err == nil)
+		})
+	}
 }