From b4016505f1fad43685cb29419d1989705f526478 Mon Sep 17 00:00:00 2001
From: Khushboo Verma <43381712+vermakhushboo@users.noreply.github.com>
Date: Wed, 24 Jan 2024 19:04:32 +0530
Subject: [PATCH 1/2] Disallow spaces and shell characters in domains
---
 src/Domains/Domain.php | 11 +++++++++++
 tests/DomainTest.php | 22 ++++++++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/src/Domains/Domain.php b/src/Domains/Domain.php
index 3f7d088f..776b70f9 100644
--- a/src/Domains/Domain.php
+++ b/src/Domains/Domain.php
@@ -69,6 +69,17 @@ public function __construct(string $domain)
 throw new Exception("'{$domain}' must be a valid domain or hostname");
 }
+ if (strpos($domain, ' ') !== false || strpos($domain, ';') !== false || strpos($domain, '|') !== false || strpos($domain, '&') !== false || strpos($domain, '>') !== false || strpos($domain, '<') !== false) {
+ throw new Exception("Spaces and shell metacharacters not allowed in {$domain} domain");
+ }
+
+ $labels = explode('.', $domain);
+ foreach ($labels as $label) {
+ if (strpos($label, '-') === 0 || strpos($label, '-') === strlen($label) - 1) {
+ throw new Exception("Hyphens not allowed at label edges in domain {$domain}");
+ }
+ }
+
 $this->domain = \mb_strtolower($domain);
 $this->parts = \explode('.', $this->domain);
diff --git a/tests/DomainTest.php b/tests/DomainTest.php
index 28e3f597..1a68d858 100755
--- a/tests/DomainTest.php
+++ b/tests/DomainTest.php
@@ -1,4 +1,5 @@ expectException('Exception'); + $this->expectExceptionMessage("Spaces and shell metacharacters not allowed in rm -f -r * domain"); + $domain = new Domain('rm -f -r *'); + } + + public function testDomainWithShellMetaCharacters(): void + { + $this->expectException('Exception'); + $this->expectExceptionMessage("Spaces and shell metacharacters not allowed in ls; cat /etc/passwd domain"); + $domain = new Domain('ls; cat /etc/passwd'); + } + + public function testDomainWithHypens(): void + { + $this->expectException('Exception'); + $this->expectExceptionMessage("Hyphens not allowed at label edges in domain -my--domain.com"); + $domain = new Domain('-my--domain.com'); + } + public function testExampleExampleCk(): void { $domain = new Domain('example.example.ck'); From eae1a6108046d0dd14e2886bf6a67da24bed3928 Mon Sep 17 00:00:00 2001 From: Khushboo Verma <43381712+vermakhushboo@users.noreply.github.com> Date: Tue, 30 Jan 2024 02:17:45 +0530 Subject: [PATCH 2/2] Use PHP methods to validate domain and hostname --- src/Domains/Domain.php | 13 +------------ tests/DomainTest.php | 6 +++--- 2 files changed, 4 insertions(+), 15 deletions(-) diff --git a/src/Domains/Domain.php b/src/Domains/Domain.php index 776b70f9..ca0531ff 100644 --- a/src/Domains/Domain.php +++ b/src/Domains/Domain.php 
@@ -65,21 +65,10 @@ class Domain
 */
 public function __construct(string $domain)
 {
- if ((strpos($domain, 'http://') === 0) || (strpos($domain, 'https://') === 0)) {
+ if ((strpos($domain, 'http://') === 0) || (strpos($domain, 'https://') === 0 || !filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME))) {
 throw new Exception("'{$domain}' must be a valid domain or hostname");
 }
- if (strpos($domain, ' ') !== false || strpos($domain, ';') !== false || strpos($domain, '|') !== false || strpos($domain, '&') !== false || strpos($domain, '>') !== false || strpos($domain, '<') !== false) {
- throw new Exception("Spaces and shell metacharacters not allowed in {$domain} domain");
- }
-
- $labels = explode('.', $domain);
- foreach ($labels as $label) {
- if (strpos($label, '-') === 0 || strpos($label, '-') === strlen($label) - 1) {
- throw new Exception("Hyphens not allowed at label edges in domain {$domain}");
- }
- }
-
 $this->domain = \mb_strtolower($domain);
 $this->parts = \explode('.', $this->domain);
diff --git a/tests/DomainTest.php b/tests/DomainTest.php
index 1a68d858..266cee14 100755
--- a/tests/DomainTest.php
+++ b/tests/DomainTest.php
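Review bot: The added `!filter_var(...)` test on the `if` line sits inside the parentheses of the `https://` comparison and relies on truthiness, so a return value PHP treats as falsy (the string `'0'`) would be rejected, and the grouping hides that this is a third, independent condition. Writing it outside that group as `|| filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false` makes the allow-list check explicit. `FILTER_FLAG_HOSTNAME` accepts only letters, digits, hyphens and dots, so Unicode names now throw even though the `mb_strtolower` call below suggests they may have been accepted before; a docblock line such as `@throws Exception if $domain is not an ASCII hostname (pass IDNs in punycode form)` would record that. The check validates syntax at construction only, so any code that later hands the domain to a shell or another interpreter (not visible in this hunk) should still quote it at that call. The constructor body continues past the end of the hunk.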
@@ -216,21 +216,21 @@ public function testHTTPSException2(): void
 public function testDomainWithSpaces(): void
 {
 $this->expectException('Exception');
- $this->expectExceptionMessage("Spaces and shell metacharacters not allowed in rm -f -r * domain");
+ $this->expectExceptionMessage("'rm -f -r *' must be a valid domain or hostname");
 $domain = new Domain('rm -f -r *');
 }
 public function testDomainWithShellMetaCharacters(): void
 {
 $this->expectException('Exception');
- $this->expectExceptionMessage("Spaces and shell metacharacters not allowed in ls; cat /etc/passwd domain");
+ $this->expectExceptionMessage("'ls; cat /etc/passwd' must be a valid domain or hostname");
 $domain = new Domain('ls; cat /etc/passwd');
 }
 public function testDomainWithHypens(): void
 {
 $this->expectException('Exception');
- $this->expectExceptionMessage("Hyphens not allowed at label edges in domain -my--domain.com");
+ $this->expectExceptionMessage("'-my--domain.com' must be a valid domain or hostname");
 $domain = new Domain('-my--domain.com');
 }
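Review bot: The three cases in this hunk are the only inputs visible in the patch that pin the new hostname check, and none of them exercises `|`, `&`, `<` or `>` (the characters the first patch listed by hand), a trailing-hyphen label, or a valid name with an inner hyphen that must still be accepted. A data provider feeding each rejected string through `new Domain(...)` with `expectException` would cover them without repeating the method body. The `$domain =` assignment in each test is never read, so `new Domain('rm -f -r *');` alone is enough, and `testDomainWithHypens` should be spelled `testDomainWithHyphens`.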