fix security concerns

catalog/common/sites.py

@@ -14,6 +14,7 @@
 
 import django_rq
 import requests
+from validators import url as url_validate
 
 from .models import ExternalResource, IdealIdTypes, IdType, Item, SiteName
 
@@ -283,7 +284,9 @@ def get_site_cls_by_id_type(typ: str) -> AbstractSite:
 
     @staticmethod
     def get_site_by_url(url: str) -> AbstractSite | None:
-        if not url:
+        if not url or not url_validate(
+            url, skip_ipv6_addr=True, skip_ipv4_addr=True, may_have_port=False
+        ):
             return None
         cls = next(
             filter(lambda p: p.validate_url(url), SiteManager.registry.values()), None

catalog/sites/goodreads.py

@@ -36,8 +36,8 @@ class Goodreads(AbstractSite):
     WIKI_PROPERTY_ID = "P2968"
     DEFAULT_MODEL = Edition
     URL_PATTERNS = [
-        r".+goodreads.com/.*book/show/(\d+)",
-        r".+goodreads.com/.*book/(\d+)",
+        r".+goodreads\.com/.*book/show/(\d+)",
+        r".+goodreads\.com/.*book/(\d+)",
     ]
 
     @classmethod
@@ -125,7 +125,7 @@ class Goodreads_Work(AbstractSite):
     ID_TYPE = IdType.Goodreads_Work
     WIKI_PROPERTY_ID = ""
     DEFAULT_MODEL = Work
-    URL_PATTERNS = [r".+goodreads.com/work/editions/(\d+)"]
+    URL_PATTERNS = [r".+goodreads\.com/work/editions/(\d+)"]
 
     @classmethod
     def id_to_url(cls, id_value):

journal/importers/goodreads.py

@@ -12,9 +12,9 @@
 from catalog.models import *
 from journal.models import *
 
-re_list = r"^https://www.goodreads.com/list/show/\d+"
-re_shelf = r"^https://www.goodreads.com/review/list/\d+[^?]*\?shelf=[^&]+"
-re_profile = r"^https://www.goodreads.com/user/show/(\d+)"
+re_list = r"^https://www\.goodreads\.com/list/show/\d+"
+re_shelf = r"^https://www\.goodreads\.com/review/list/\d+[^?]*\?shelf=[^&]+"
+re_profile = r"^https://www\.goodreads\.com/user/show/(\d+)"
 gr_rating = {
     "did not like it": 2,
     "it was ok": 4,

requirements.txt

@@ -43,3 +43,4 @@ setproctitle
 tqdm
 typesense
 urlman
+validators