From 5da867a2fbc901d7a491475dffb62e1697d6a9c5 Mon Sep 17 00:00:00 2001
From: Dorian Niemiec
Date: Sun, 12 May 2024 18:45:13 +0200
Subject: [PATCH] Added referrer security

---
 backend/serverSideScript.js | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/backend/serverSideScript.js b/backend/serverSideScript.js
index dbaf3b5..52c2303 100644
--- a/backend/serverSideScript.js
+++ b/backend/serverSideScript.js
@@ -99,6 +99,17 @@ if (href.match(/^\/admin\/?$/)) {
 });
 return;
 }
+ var baseURL = (req.socket.encrypted ? "https" : "http") + "://" + (req.headers.host ? req.headers.host : req.socket.localAddress);
+ if(req.headers.referer && (req.headers.referer + "/").substring(0,baseURL.length + 1) != (baseURL + "/")) {
+ formatTemplate("index.html", {
+ "url": "",
+ "shorturl": "CSRF detected"
+ }, function(data) {
+ res.writeHead(400, {"Content-Type": "text/html; charset=utf-8"});
+ res.end(data);
+ });
+ return;
+ }
 var postdata = "";
 req.on("data", function(data) {postdata += data.toString();});
 req.on("end", function() {
@@ -123,7 +134,7 @@ if (href.match(/^\/admin\/?$/)) {
 return;
 } else {
 function finalizeResponse(uri, id) {
- var shorturl = (req.socket.encrypted ? "https" : "http") + "://" + (req.headers.host ? req.headers.host : req.socket.localAddress) + "/" + id;
+ var shorturl = baseURL + "/" + id;
 formatTemplate("index.html", {
 "url": antiXSS(uri),
 "shorturl": "
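Review bot: The guard on the new `if(req.headers.referer && ...)` line only runs when a Referer header is present, so a POST that arrives without one falls straight through to the body handling that follows; browsers omit Referer whenever the referring page applies a no-referrer policy, so this check is defense-in-depth at best rather than a CSRF control. Browsers still send an Origin header (possibly the literal value `null`) on cross-site form POSTs even when Referer is suppressed, and the same prefix comparison rejects it, so a tighter guard is `var source = req.headers.origin || req.headers.referer;` followed by `if (!source || (source + "/").substring(0, baseURL.length + 1) != (baseURL + "/")) {` — though rejecting requests that carry neither header also blocks non-browser clients, so a synchronizer token is the robust alternative. Separately, baseURL's scheme comes from `req.socket.encrypted`, which is false when the process sits behind a TLS-terminating reverse proxy while the browser's Referer begins with `https://`, so in that deployment every legitimate submission would likely be rejected with "CSRF detected"; the scheme should then be taken from the proxy's forwarded-protocol header or left out of the comparison. The enclosing request handler starts before this hunk, so baseURL's scope is inferred, not visible.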

Shortened URL: " + antiXSS(shorturl) + ""