From c67e7c41a37d990c0c48847fdf76e3c3dfa894fa Mon Sep 17 00:00:00 2001
From: Yader Velasquez
Date: Thu, 8 Dec 2022 16:08:44 -0600
Subject: [PATCH] Add url checking for cert
---
 feedback.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/feedback.go b/feedback.go
index 041d41a..dfdc1f1 100644
--- a/feedback.go
+++ b/feedback.go
@@ -10,12 +10,16 @@ import (
 "fmt"
 "io"
 "net/http"
+ "net/url"
 "reflect"
+ "regexp"
 "github.com/labstack/echo/v4"
 "hg.code.netlandish.com/~netlandish/gobwebs/server"
 )
+var hostPattern = regexp.MustCompile(`^sns\.[a-zA-Z0-9\-]{3,}\.amazonaws\.com(\.cn)?$`)
+
 // FeedbackURL is the url to call the feedback handler
 var FeedbackURL string = "/ses-feedback"
@@ -102,6 +106,21 @@ func (r Record) verify() error {
 if err != nil {
 return err
 }
+
+ // Checking the Cert Url
+ certURL, err := url.Parse(r.SigningCertURL)
+ if err != nil {
+ return err
+ }
+
+ if certURL.Scheme != "https" {
+ return fmt.Errorf("Url should be using https")
+ }
+
+ if !hostPattern.Match([]byte(certURL.Host))
 {
+ return fmt.Errorf("Certificate is located on an invalid domain")
+ }
+
 // We Get the certificate from AWS
 resp, err := http.Get(r.SigningCertURL)
 if err != nil {
--
2.45.2
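Review bot: `hostPattern` is the allow-list that decides which hosts a signing certificate may be fetched from, but it is declared without a comment saying what it is meant to admit. I would add something like `// hostPattern matches the only hosts a signing certificate may be fetched from: sns.<region>.amazonaws.com, optionally with the .cn suffix. It is matched against a host name without a port.` The `{3,}` label accepts any run of letters, digits and hyphens rather than a list of known regions, which is worth stating in that comment so the next reader knows the looseness is deliberate.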
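Review bot: The new scheme and host checks constrain only the URL string carried in the message; the unchanged `http.Get(r.SigningCertURL)` just below them uses `http.DefaultClient`, which follows redirects and has no timeout, so the certificate actually downloaded could still come from a host `hostPattern` never saw if the first response redirects. Fetching with a dedicated client such as `&http.Client{Timeout: 10 * time.Second, CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}` and rejecting any non-200 status would close that gap. In the host check itself, `certURL.Host` includes an explicit port when one is present, so `if !hostPattern.MatchString(certURL.Hostname()) {` is the more precise test and drops the `[]byte` conversion. The two new error strings have no format verbs and start with a capital; Go convention would be lowercase `errors.New("signing cert url must use https")` style values. verify() begins before and continues after this hunk, so how the response is handled is not visible here.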