authorEvgeny Kuznetsov <evgeny@kuznetsov.md>2023-03-23 17:13:37 +0300
committerEvgeny Kuznetsov <evgeny@kuznetsov.md>2023-03-23 17:13:37 +0300
commit078ebd04c6a3088b8c2c35070490eb34cf4c6708 (patch)
treef9a879a039124cca57d45566f44b036d472bbaca
parent4fdc39884f6d083e4266459b550a538c3229cae4 (diff)
feat: add scheme checks
Per https://www.w3.org/TR/webmention/#request-verification
-rw-r--r--main.go15
-rw-r--r--main_test.go2
2 files changed, 16 insertions, 1 deletions
diff --git a/main.go b/main.go
index d80ba6a..41f8334 100644
--- a/main.go
+++ b/main.go
@@ -10,6 +10,7 @@ import (
const (
errSrcInvalid = "source is not a parsable URL"
errTgtNotAccepted = "can not process webmentions for this target"
+ errInvalidScheme = "URL scheme is not HTTP(S)"
)
// endpoint is a webmention receiver.
@@ -19,15 +20,27 @@ type endpoint struct {
// ServeHTTP is http.Handler implementation.
func (ep endpoint) ServeHTTP(w http.ResponseWriter, r *http.Request) {
- _, err := url.Parse(r.PostFormValue("source"))
+ source, err := url.Parse(r.PostFormValue("source"))
if err != nil {
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte(errSrcInvalid))
+ return
+ }
+ if source.Scheme != "http" && source.Scheme != "https" {
+ w.WriteHeader(http.StatusBadRequest)
+ w.Write([]byte(errInvalidScheme))
+ return
}
target, err := url.Parse(r.PostFormValue("target"))
if err != nil || !ep.targetAllowed(target) {
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte(errTgtNotAccepted))
+ return
+ }
+ if target.Scheme != "http" && target.Scheme != "https" {
+ w.WriteHeader(http.StatusBadRequest)
+ w.Write([]byte(errInvalidScheme))
+ return
}
}
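Review bot: The new scheme checks still leave request verification short of the spec section the commit cites, which also requires the receiver to reject a request whose source URL is the same as its target URL; a `if source.String() == target.String()` branch after the target scheme check, answering 400 the same way, would close that gap. The scheme test alone also appears to admit a URL with a valid scheme but no authority (`url.Parse("http:///x")` succeeds with an empty Host), so folding `source.Host == ""` and `target.Host == ""` into the same rejection is worth considering. The two identical comparisons are better expressed once, e.g. `func isHTTPScheme(u *url.URL) bool { return u.Scheme == "http" || u.Scheme == "https" }`, so the source and target paths cannot drift apart when the accepted scheme list changes.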
diff --git a/main_test.go b/main_test.go
index 0510af8..37fe250 100644
--- a/main_test.go
+++ b/main_test.go
@@ -20,6 +20,8 @@ func TestSyncRejection(t *testing.T) {
}{
{"invalid source", "https||:example.org/somewhere", "my.site/part/target", errSrcInvalid},
{"target no accepted", "https://example.org/somewhere", "wrong.site/tgt", errTgtNotAccepted},
+ {"wrong source scheme", "ftp://example.org/somewhere", "http://my.site/part/tgt", errInvalidScheme},
+ {"wrong source scheme", "http://example.org/somewhere", "ssh://my.site/part/tgt", errInvalidScheme},
}
for _, tc := range tests {