Improved link validation and sanatization, in order to mitigate CVE-2025-56200 from validator.js NPM package.

src/utils/linkUtils.js

@@ -16,6 +16,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 
 //NPM Imports
 const validator = require('validator');//No express here, so regular validator it is!
+const {sanitizeUrl} = require("@braintree/sanitize-url");
 
 //Create link cache
 /**
@@ -25,10 +26,12 @@ module.exports.cache = new Map();
 
 /**
  * Validates links and returns a marked link object that can be returned to the client to format/embed accordingly
- * @param {String} link - URL to Validate
+ * @param {String} dirtyLink - URL to Validate
  * @returns {Object} Marked link object
  */
-module.exports.markLink = async function(link){
+module.exports.markLink = async function(dirtyLink){
+    const link = sanitizeUrl(dirtyLink);
+
     //Check link cache for the requested link
     const cachedLink = module.exports.cache.get(link);
 
@@ -44,7 +47,7 @@ module.exports.markLink = async function(link){
     var type = "malformedLink"    
 
     //Make sure we have an actual, factual URL
-    if(validator.isURL(link)){
+    if(validator.isURL(link,{require_valid_protocol: true, protocols: ['http', 'https']})){
         //The URL is valid, so this is at least a dead link
         type = 'deadLink';
 

src/utils/loggerUtils.js

@@ -173,7 +173,7 @@ module.exports.errorMiddleware = function(err, req, res, next){
  * @param {Error} err - error to dump to file
  * @param {Date} date - Date of error, defaults to now
  */
-module.exports.dumpError = async function(err, date = new Date(), subDir){
+module.exports.dumpError = async function(err, date = new Date(), subDir = ''){
         try{
                 //Crash directory
                 const dir = `./log/crash/${subDir}`

src/utils/media/yanker.js

@@ -17,6 +17,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 //NPM Imports
 //const url = require("node:url");
 const validator = require('validator');//No express here, so regular validator it is!
+const {sanitizeUrl} = require("@braintree/sanitize-url");
 
 //local import
 const iaUtil = require('./internetArchiveUtils');
@@ -96,12 +97,15 @@ module.exports.refreshRawLink = async function(mediaObj){
  * Still this has some improvements like url pre-checks and the fact that it's handled serverside, recuing possibility of bad requests.
  * Some of the regex expressions for certain services have also been improved, such as youtube, and the fore.st-unique archive.org
  * 
- * @param {String} url - URL to determine media type of
+ * @param {String} dirtyURL - URL to determine media type of
  * @returns {Object} containing URL type and clipped ID string
  */
-module.exports.getMediaType = async function(url){
+module.exports.getMediaType = async function(dirtyURL){
+    //Sanatize our URL
+    const url = sanitizeUrl(dirtyURL);
+
     //Check if we have a valid url, encode it on the fly in case it's too humie-friendly
-    if(!validator.isURL(encodeURI(url))){
+    if(!validator.isURL(encodeURI(url,{require_valid_protocol: true}))){
         //If not toss the fucker out
         return {
             type: null,