Skip to content

Feat: https enforcement on url validator#68

Merged
Meldiron merged 2 commits into
mainfrom
feat-validator-https-protection
Jul 14, 2026
Merged

Feat: https enforcement on url validator#68
Meldiron merged 2 commits into
mainfrom
feat-validator-https-protection

Conversation

@Meldiron

Copy link
Copy Markdown
Contributor

Adds ability to only allow for HTTP for looback URLs - best way to enforce HTTP for URLs, unles during development.

@greptile-apps

greptile-apps Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds a httpsOrLoopback boolean flag to the URL validator, implementing the OAuth 2.0 secure-redirect transport policy from RFC 8252 §7.3: when enabled, standard URLs must use https on any host or http restricted to localhost, 127.0.0.1, or [::1]; private-use scheme URIs remain exempt.

  • The loopback host list correctly uses [::1] (with brackets), matching PHP 8.x parse_url(…, PHP_URL_HOST) output for IPv6 literals; scheme and host comparisons are case-folded with strtolower.
  • The refactored $isPrivateUseSchemeURI pre-computation is logically equivalent to the prior inline condition and avoids calling isPrivateUseSchemeURI twice when both httpsOrLoopback and allowPrivateUseSchemes are active.
  • Test coverage spans happy-path (https, loopback http, private-use), rejection cases (routable http, lookalike hostnames, non-http(s) schemes, fragments), default-off behavior, and the additive interaction with allowedSchemes.

Confidence Score: 5/5

Safe to merge — the new flag is opt-in, defaults to false, and leaves all existing code paths untouched.

The change is additive and backward-compatible. The loopback host matching is correct (PHP 8.x parse_url returns [::1] with brackets), the $isPrivateUseSchemeURI refactor is logically equivalent to the prior inline condition, and the test suite covers the critical rejection and acceptance cases including the allowedSchemes interaction.

No files require special attention.

Important Files Changed

Filename Overview
packages/validators/src/Validator/URL.php Adds httpsOrLoopback constructor flag that enforces HTTPS or HTTP-on-loopback per RFC 8252 §7.3; logic is correct, loopback host list covers localhost/127.0.0.1/[::1], and the refactored $isPrivateUseSchemeURI pre-computation is logically equivalent to the prior inline condition.
packages/validators/tests/Validator/URLTest.php Two new test methods cover the happy path (https, loopback http, private-use schemes), rejection cases (routable http, lookalike hostnames, non-http(s) schemes, fragments), default-off behavior, and the additive interaction with allowedSchemes.
packages/validators/CHANGELOG.md New CHANGELOG file documents the 0.4.0 addition of httpsOrLoopback, the RFC 8252 motivation, and backward-compatibility guarantees.

Reviews (2): Last reviewed commit: "Improve valiator compatibility between p..." | Re-trigger Greptile

Comment thread packages/validators/src/Validator/URL.php Outdated
Comment thread packages/validators/src/Validator/URL.php Outdated
@Meldiron Meldiron merged commit a84ed8e into main Jul 14, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants