Add security improvements to the codebase

README.md

@@ -48,6 +48,20 @@ go get github.com/tiendc/go-linkpreview
     // }
 ```
 
+## Security Guidelines and Best Practices
+## Added by VMHUNG
+When using this library, it is important to follow security best practices to ensure the safety and integrity of your application. Here are some guidelines:
+
+1. **Input Validation and Sanitization**: Always validate and sanitize input URLs before processing them. This library includes basic validation, but you should implement additional checks as needed for your specific use case.
+
+2. **Security Headers**: The library sets some security headers for HTTP requests, such as `X-Content-Type-Options`, `X-Frame-Options`, and `X-XSS-Protection`. Ensure that these headers are appropriate for your application and consider adding more if necessary.
+
+3. **Error Handling**: Properly handle errors to avoid exposing sensitive information. This library includes basic error handling, but you should implement additional error handling as needed.
+
+4. **Dependencies**: Keep your dependencies up to date to avoid known vulnerabilities. Regularly check for updates and apply them promptly.
+
+5. **Configuration**: Review and configure the library options to suit your security requirements. Disable features that you do not need to minimize the attack surface.
+
 ## Contributing
 
 - You are welcome to make pull requests for new functions and bug fixes.

go.mod

@@ -6,5 +6,6 @@ require github.com/PuerkitoBio/goquery v1.9.2
 
 require (
 	github.com/andybalholm/cascadia v1.3.2 // indirect
+	github.com/mvdan/xurls v1.1.0 // indirect
 	golang.org/x/net v0.24.0 // indirect
 )

go.sum

@@ -2,6 +2,8 @@ github.com/PuerkitoBio/goquery v1.9.2 h1:4/wZksC3KgkQw7SQgkKotmKljk0M6V8TUvA8Wb4
 github.com/PuerkitoBio/goquery v1.9.2/go.mod h1:GHPCaP0ODyyxqcNoFGYlAprUFH81NuRPd0GX3Zu2Mvk=
 github.com/andybalholm/cascadia v1.3.2 h1:3Xi6Dw5lHF15JtdcmAHD3i1+T8plmv7BQ/nsViSLyss=
 github.com/andybalholm/cascadia v1.3.2/go.mod h1:7gtRlve5FxPPgIgX36uWBX58OdBsSS6lUvCFb+h7KvU=
+github.com/mvdan/xurls v1.1.0 h1:OpuDelGQ1R1ueQ6sSryzi6P+1RtBpfQHM8fJwlE45ww=
+github.com/mvdan/xurls v1.1.0/go.mod h1:tQlNn3BED8bE/15hnSL2HLkDeLWpNPAwtw7wkEq44oU=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=

linkpreview.go

@@ -1,17 +1,38 @@
 package linkpreview
 
 import (
+	"errors"
 	"io"
 	"net/http"
+	"net/url"
+	"strings"
 
 	"github.com/PuerkitoBio/goquery"
 )
 
+func validateURL(link string) error {
+	parsedURL, err := url.ParseRequestURI(link)
+	if err != nil || !strings.HasPrefix(parsedURL.Scheme, "http") {
+		return errors.New("invalid URL")
+	}
+	return nil
+}
+
 func Parse(link string, options ...ConfigOption) (ParserResult, error) {
+	if err := validateURL(link); err != nil {
+		return ParserResult{}, err
+	}
+
 	request, err := http.NewRequest("GET", link, nil)
 	if err != nil {
 		return ParserResult{}, err
 	}
+
+	// Add security headers
+	request.Header.Set("X-Content-Type-Options", "nosniff")
+	request.Header.Set("X-Frame-Options", "DENY")
+	request.Header.Set("X-XSS-Protection", "1; mode=block")
+
 	response, err := http.DefaultClient.Do(request)
 	if err != nil {
 		return ParserResult{}, err
@@ -22,6 +43,10 @@ func Parse(link string, options ...ConfigOption) (ParserResult, error) {
 }
 
 func ParseFromReader(link string, data io.Reader, options ...ConfigOption) (ParserResult, error) {
+	if err := validateURL(link); err != nil {
+		return ParserResult{}, err
+	}
+
 	doc, err := goquery.NewDocumentFromReader(data)
 	if err != nil {
 		return ParserResult{}, err

parser.go

@@ -1,5 +1,9 @@
 package linkpreview
 
+import (
+	"errors"
+)
+
 func (ctx *ParserContext) Parse() error {
 	err := ctx.readAllTags()
 	if err != nil {
@@ -52,6 +56,9 @@ func (ctx *ParserContext) readAllTags() error {
 				metaTag.OtherAttrs[attr.Key] = attr.Val
 			}
 		}
+		if err := validateMetaTag(metaTag); err != nil {
+			return err
+		}
 		ctx.MetaTags = append(ctx.MetaTags, metaTag)
 	}
 
@@ -76,6 +83,9 @@ func (ctx *ParserContext) readAllTags() error {
 				linkTag.OtherAttrs[attr.Key] = attr.Val
 			}
 		}
+		if err := validateLinkTag(linkTag); err != nil {
+			return err
+		}
 		ctx.LinkTags = append(ctx.LinkTags, linkTag)
 	}
 
@@ -95,3 +105,23 @@ func (ctx *ParserContext) parseBasicTags() {
 		}
 	}
 }
+
+func validateMetaTag(tag *MetaTag) error {
+	if tag.Name == "" && tag.Property == "" {
+		return errors.New("meta tag must have either a name or property attribute")
+	}
+	if tag.Content == "" && tag.Value == "" {
+		return errors.New("meta tag must have either a content or value attribute")
+	}
+	return nil
+}
+
+func validateLinkTag(tag *LinkTag) error {
+	if tag.Rel == "" {
+		return errors.New("link tag must have a rel attribute")
+	}
+	if tag.Href == "" {
+		return errors.New("link tag must have an href attribute")
+	}
+	return nil
+}

parser_favicons.go

@@ -19,18 +19,22 @@ func (ctx *ParserContext) parseMaybeFavicon(tag *LinkTag) *Image {
 		return nil
 	}
 
+	if err := validateURL(tag.Href); err != nil {
+		return nil
+	}
+
 	image := &Image{
 		URL:  parseURL(tag.Href, ctx.Link),
 		Type: strOr(tag.Type, tag.Rel),
 	}
 
 	if tag.Sizes != "" {
-		wh := strings.Split(tag.Sizes, "x")
-		if len(wh) == 2 {
-			image.Width = parseInt(wh[0])
-			image.Height = parseInt(wh[1])
+			wh := strings.Split(tag.Sizes, "x")
+			if len(wh) == 2 {
+				image.Width = parseInt(wh[0])
+				image.Height = parseInt(wh[1])
+			}
 		}
-	}
 
 	return image
 }

parser_og.go

@@ -17,6 +17,9 @@ func (ctx *ParserContext) parseOGMeta() {
 			continue
 		}
 		tagContent := tag.Content
+		if tagContent == "" {
+			continue
+		}
 		parsed := true
 
 		switch tagProp {
@@ -60,6 +63,9 @@ func (ctx *ParserContext) parseOGMeta() {
 func (ctx *ParserContext) parseOGImages(ogMeta *OGMeta, tags []*MetaTag) {
 	var currImage *OGImage
 	for _, tag := range tags {
+		if tag.Content == "" {
+			continue
+		}
 		switch tag.Property {
 		case "og:image":
 			if currImage != nil {
@@ -96,6 +102,9 @@ func (ctx *ParserContext) parseOGImages(ogMeta *OGMeta, tags []*MetaTag) {
 func (ctx *ParserContext) parseOGVideos(ogMeta *OGMeta, tags []*MetaTag) {
 	var currVideo *OGVideo
 	for _, tag := range tags {
+		if tag.Content == "" {
+			continue
+		}
 		switch tag.Property {
 		case "og:video":
 			if currVideo != nil {

parser_twitter.go

@@ -16,6 +16,10 @@ func (ctx *ParserContext) parseTwitterMeta() {
 		tagName = tagName[len("twitter:"):]
 		tagContent := strOr(tag.Content, tag.Value)
 
+		if tagContent == "" {
+			continue
+		}
+
 		switch tagName {
 		case "url":
 			twitterMeta.URL = tagContent