feat: increased security

internal/handlers/links.go

@@ -3,6 +3,7 @@ package handlers
 import (
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
@@ -47,7 +48,7 @@ func (h *LinksHandler) CreateLink(c *gin.Context) {
 		return
 	}
 
-	address := fmt.Sprintf("http://%v:%s/r/%v", h.host, h.port, id)
+	address := fmt.Sprintf("https://%s/r/%s", h.host, id)
 
 	response := CreateLinkResponse{
 		Status:       "success",
@@ -89,5 +90,44 @@ func NormalizeURL(raw string) (string, error) {
 		return "", errors.New("invalid host in URL")
 	}
 
+	host := u.Hostname()
+	if isPrivateHost(host) {
+		return "", errors.New("URLs pointing to private/internal addresses are not allowed")
+	}
+
 	return u.String(), nil
 }
+
+func isPrivateHost(host string) bool {
+	ip := net.ParseIP(host)
+	if ip == nil {
+		addrs, err := net.LookupHost(host)
+		if err != nil || len(addrs) == 0 {
+			return false
+		}
+		ip = net.ParseIP(addrs[0])
+		if ip == nil {
+			return false
+		}
+	}
+
+	privateRanges := []string{
+		"127.0.0.0/8",
+		"10.0.0.0/8",
+		"172.16.0.0/12",
+		"192.168.0.0/16",
+		"169.254.0.0/16",
+		"0.0.0.0/8",
+		"::1/128",
+		"fc00::/7",
+		"fe80::/10",
+	}
+
+	for _, cidr := range privateRanges {
+		_, network, _ := net.ParseCIDR(cidr)
+		if network.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}