From dabd36001639ef2ec343dc7500e2fc12b15dfe67 Mon Sep 17 00:00:00 2001
From: Zaid-maker
Date: Wed, 27 Nov 2024 12:06:48 +0500
Subject: [PATCH] update dns monitor type to improve security
---
 server/monitor-types/dns.js | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/server/monitor-types/dns.js b/server/monitor-types/dns.js
index 8b87932fe..36eade1d1 100644
--- a/server/monitor-types/dns.js
+++ b/server/monitor-types/dns.js
@@ -17,10 +17,45 @@ class DnsMonitorType extends MonitorType {
 new ConditionVariable("record", defaultStringOperators ),
 ];

+ /**
+ * Validate hostname to ensure it's a valid domain without protocol or path
+ * @param {string} hostname Hostname to validate
+ * @returns {boolean} True if hostname is valid
+ */
+ validateHostname(hostname) {
+ try {
+ // First check if hostname contains protocol or path
+ if (hostname.includes("/") || hostname.includes(":")) {
+ return false;
+ }
+
+ // Try to construct a URL with a dummy protocol
+ const url = new URL(`http://${hostname}`);
+
+ // Ensure there's no path or query parameters
+ if (url.pathname !== "/" || url.search !== "") {
+ return false;
+ }
+
+ // Ensure the hostname matches the original input
+ // This catches cases where the URL constructor might "fix" invalid hostnames
+ return url.hostname === hostname;
+ } catch (error) {
+ return false;
+ }
+ }
+
 /**
 * @inheritdoc
 */
 async check(monitor, heartbeat, _server) {
+ // Validate hostname before proceeding
+ if (!this.validateHostname(monitor.hostname)) {
+ heartbeat.msg = "Invalid hostname format";
+ heartbeat.status = DOWN;
+ return;
+ }
+
 let startTime = dayjs().valueOf();
 let dnsMessage = "";
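Review bot: The final comparison in validateHostname, `return url.hostname === hostname;`, rejects names a resolver would accept, because the URL parser lowercases the host and converts internationalized names to punycode; a monitor saved as `Example.COM` would be reported DOWN with "Invalid hostname format" on every check. Comparing against the normalized input, for instance `return url.hostname === hostname.toLowerCase();`, keeps the round-trip test without that false alarm, though Unicode names would still need an explicit decision. The earlier `hostname.includes(":")` test also excludes IPv6 literals, which may matter if this monitor type is ever given an address for reverse lookups; that should be confirmed against how the hostname is used further down. The docstring should state what is accepted (letter case, trailing dot, IP literals) so the early return in check(), whose body continues past the hunk, is predictable to operators.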