impl: strict URL validation (#164)

This commit rejects any URL that is opaque, not hierarchical, not using
http or https protocol, or it misses the hostname. The rejection is
handled in the connection/auth screen and also in the URI protocol
handling logic<img width="486" height="746" alt="image"
src="https://github.com/user-attachments/assets/489964c8-491c-4766-9891-42c63cfd353e"
/>
<img width="486" height="746" alt="image"
src="https://github.com/user-attachments/assets/dec6acae-4a5e-4a2a-8e59-69b74ba52a9e"
/>
<img width="486" height="746" alt="image"
src="https://github.com/user-attachments/assets/802558be-60dc-43e3-9512-ff9007aa50af"
/>

Author: fioan89

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Changed
+
+- URL validation is stricter in the connection screen and URI protocol handler
+
 ## 0.6.0 - 2025-07-25
 
 ### Changed

src/main/kotlin/com/coder/toolbox/util/CoderProtocolHandler.kt

@@ -9,6 +9,7 @@ import com.coder.toolbox.sdk.CoderRestClient
 import com.coder.toolbox.sdk.v2.models.Workspace
 import com.coder.toolbox.sdk.v2.models.WorkspaceAgent
 import com.coder.toolbox.sdk.v2.models.WorkspaceStatus
+import com.coder.toolbox.util.WebUrlValidationResult.Invalid
 import com.jetbrains.toolbox.api.remoteDev.connection.RemoteToolsHelper
 import kotlinx.coroutines.Job
 import kotlinx.coroutines.TimeoutCancellationException
@@ -107,6 +108,11 @@ open class CoderProtocolHandler(
             context.logAndShowError(CAN_T_HANDLE_URI_TITLE, "Query parameter \"$URL\" is missing from URI")
             return null
         }
+        val validationResult = deploymentURL.validateStrictWebUrl()
+        if (validationResult is Invalid) {
+            context.logAndShowError(CAN_T_HANDLE_URI_TITLE, "\"$URL\" is invalid: ${validationResult.reason}")
+            return null
+        }
         return deploymentURL
     }
 

src/main/kotlin/com/coder/toolbox/util/URLExtensions.kt

@@ -1,11 +1,44 @@
 package com.coder.toolbox.util
 
+import com.coder.toolbox.util.WebUrlValidationResult.Invalid
+import com.coder.toolbox.util.WebUrlValidationResult.Valid
 import java.net.IDN
 import java.net.URI
 import java.net.URL
 
 fun String.toURL(): URL = URI.create(this).toURL()
 
+fun String.validateStrictWebUrl(): WebUrlValidationResult = try {
+    val uri = URI(this)
+
+    when {
+        uri.isOpaque -> Invalid(
+            "The URL \"$this\" is invalid because it is not in the standard format. " +
+                    "Please enter a full web address like \"https://example.com\""
+        )
+
+        !uri.isAbsolute -> Invalid(
+            "The URL \"$this\" is missing a scheme (like https://). " +
+                    "Please enter a full web address like \"https://example.com\""
+        )
+        uri.scheme?.lowercase() !in setOf("http", "https") ->
+            Invalid(
+                "The URL \"$this\" must start with http:// or https://, not \"${uri.scheme}\""
+            )
+        uri.authority.isNullOrBlank() ->
+            Invalid(
+                "The URL \"$this\" does not include a valid website name. " +
+                        "Please enter a full web address like \"https://example.com\""
+            )
+        else -> Valid
+    }
+} catch (_: Exception) {
+    Invalid(
+        "The input \"$this\" is not a valid web address. " +
+                "Please enter a full web address like \"https://example.com\""
+    )
+}
+
 fun URL.withPath(path: String): URL = URL(
     this.protocol,
     this.host,
@@ -30,3 +63,8 @@ fun URI.toQueryParameters(): Map<String, String> = (this.query ?: "")
             parts[0] to ""
         }
     }
+
+sealed class WebUrlValidationResult {
+    object Valid : WebUrlValidationResult()
+    data class Invalid(val reason: String) : WebUrlValidationResult()
+}

src/main/kotlin/com/coder/toolbox/views/DeploymentUrlStep.kt

@@ -2,7 +2,9 @@ package com.coder.toolbox.views
 
 import com.coder.toolbox.CoderToolboxContext
 import com.coder.toolbox.settings.SignatureFallbackStrategy
+import com.coder.toolbox.util.WebUrlValidationResult.Invalid
 import com.coder.toolbox.util.toURL
+import com.coder.toolbox.util.validateStrictWebUrl
 import com.coder.toolbox.views.state.CoderCliSetupContext
 import com.coder.toolbox.views.state.CoderCliSetupWizardState
 import com.jetbrains.toolbox.api.ui.components.CheckboxField
@@ -69,16 +71,11 @@ class DeploymentUrlStep(
 
     override fun onNext(): Boolean {
         context.settingsStore.updateSignatureFallbackStrategy(signatureFallbackStrategyField.checkedState.value)
-        var url = urlField.textState.value
+        val url = urlField.textState.value
         if (url.isBlank()) {
             errorField.textState.update { context.i18n.ptrl("URL is required") }
             return false
         }
-        url = if (!url.startsWith("http://") && !url.startsWith("https://")) {
-            "https://$url"
-        } else {
-            url
-        }
         try {
             CoderCliSetupContext.url = validateRawUrl(url)
         } catch (e: MalformedURLException) {
@@ -98,6 +95,10 @@ class DeploymentUrlStep(
      */
     private fun validateRawUrl(url: String): URL {
         try {
+            val result = url.validateStrictWebUrl()
+            if (result is Invalid) {
+                throw MalformedURLException(result.reason)
+            }
             return url.toURL()
         } catch (e: Exception) {
             throw MalformedURLException(e.message)

src/test/kotlin/com/coder/toolbox/util/URLExtensionsTest.kt

@@ -60,4 +60,96 @@ internal class URLExtensionsTest {
             )
         }
     }
+
+    @Test
+    fun `valid http URL should return Valid`() {
+        val result = "http://coder.com".validateStrictWebUrl()
+        assertEquals(WebUrlValidationResult.Valid, result)
+    }
+
+    @Test
+    fun `valid https URL with path and query should return Valid`() {
+        val result = "https://coder.com/bin/coder-linux-amd64?query=1".validateStrictWebUrl()
+        assertEquals(WebUrlValidationResult.Valid, result)
+    }
+
+    @Test
+    fun `relative URL should return Invalid with appropriate message`() {
+        val url = "/bin/coder-linux-amd64"
+        val result = url.validateStrictWebUrl()
+        assertEquals(
+            WebUrlValidationResult.Invalid("The URL \"/bin/coder-linux-amd64\" is missing a scheme (like https://). Please enter a full web address like \"https://example.com\""),
+            result
+        )
+    }
+
+    @Test
+    fun `opaque URI like mailto should return Invalid`() {
+        val url = "mailto:[email protected]"
+        val result = url.validateStrictWebUrl()
+        assertEquals(
+            WebUrlValidationResult.Invalid("The URL \"mailto:[email protected]\" is invalid because it is not in the standard format. Please enter a full web address like \"https://example.com\""),
+            result
+        )
+    }
+
+    @Test
+    fun `unsupported scheme like ftp should return Invalid`() {
+        val url = "ftp://coder.com"
+        val result = url.validateStrictWebUrl()
+        assertEquals(
+            WebUrlValidationResult.Invalid("The URL \"ftp://coder.com\" must start with http:// or https://, not \"ftp\""),
+            result
+        )
+    }
+
+    @Test
+    fun `http URL with missing authority should return Invalid`() {
+        val url = "http:///bin/coder-linux-amd64"
+        val result = url.validateStrictWebUrl()
+        assertEquals(
+            WebUrlValidationResult.Invalid("The URL \"http:///bin/coder-linux-amd64\" does not include a valid website name. Please enter a full web address like \"https://example.com\""),
+            result
+        )
+    }
+
+    @Test
+    fun `malformed URI should return Invalid with parsing error message`() {
+        val url = "http://[invalid-uri]"
+        val result = url.validateStrictWebUrl()
+        assertEquals(
+            WebUrlValidationResult.Invalid("The input \"http://[invalid-uri]\" is not a valid web address. Please enter a full web address like \"https://example.com\""),
+            result
+        )
+    }
+
+    @Test
+    fun `URI without colon should return Invalid as URI is not absolute`() {
+        val url = "http//coder.com"
+        val result = url.validateStrictWebUrl()
+        assertEquals(
+            WebUrlValidationResult.Invalid("The URL \"http//coder.com\" is missing a scheme (like https://). Please enter a full web address like \"https://example.com\""),
+            result
+        )
+    }
+
+    @Test
+    fun `URI without double forward slashes should return Invalid because the URI is not hierarchical`() {
+        val url = "http:coder.com"
+        val result = url.validateStrictWebUrl()
+        assertEquals(
+            WebUrlValidationResult.Invalid("The URL \"http:coder.com\" is invalid because it is not in the standard format. Please enter a full web address like \"https://example.com\""),
+            result
+        )
+    }
+
+    @Test
+    fun `URI without a single forward slash should return Invalid because the URI does not have a hostname`() {
+        val url = "https:/coder.com"
+        val result = url.validateStrictWebUrl()
+        assertEquals(
+            WebUrlValidationResult.Invalid("The URL \"https:/coder.com\" does not include a valid website name. Please enter a full web address like \"https://example.com\""),
+            result
+        )
+    }
 }