Prevent from shortening kutt URLs. Resolves #150

server/controllers/validateBodyController.js

@@ -1,6 +1,7 @@
 const { promisify } = require('util');
 const dns = require('dns');
 const axios = require('axios');
+const URL = require('url');
 const urlRegex = require('url-regex');
 const validator = require('express-validator/check');
 const { subHours } = require('date-fns/');
@@ -8,6 +9,7 @@ const { validationResult } = require('express-validator/check');
 const { addCooldown, banUser } = require('../db/user');
 const { getBannedDomain, getBannedHost, urlCountFromDate } = require('../db/url');
 const subDay = require('date-fns/sub_days');
+const { addProtocol } = require('../utils');
 
 const dnsLookup = promisify(dns.lookup);
 
@@ -74,6 +76,12 @@ exports.validateUrl = async ({ body, user }, res, next) => {
   const isValidUrl = urlRegex({ exact: true, strict: false }).test(body.target);
   if (!isValidUrl) return res.status(400).json({ error: 'URL is not valid.' });
 
+  // If target is the URL shortener itself
+  const { host } = URL.parse(addProtocol(body.target));
+  if (host === process.env.DEFAULT_DOMAIN) {
+    return res.status(400).json({ error: `${process.env.DEFAULT_DOMAIN} URLs are not allowed.` });
+  }
+
   // Validate password length
   if (body.password && body.password.length > 64) {
     return res.status(400).json({ error: 'Maximum password length is 64.' });