dub icon indicating copy to clipboard operation
dub copied to clipboard
verified publisher icon dubinc

Circular Links Not Blocked – Causes Infinite Redirects

Open Zingzy opened this issue 10 months ago • 7 comments

Currently, the platform allows users to create short links that redirect to themselves, leading to an infinite redirection loop when accessed. This can cause usability issues and excessive browser resource consumption.

Steps to Reproduce

  1. Go to Dub.co or a self-hosted instance.
  2. Create a new short link with a custom alias, e.g., mytestlink.
  3. Set the destination URL as the same short link: https://dub.co/mytestlink.
  4. Click "Create" and then access the generated link.
  5. The browser enters an infinite redirection loop.

https://github.com/user-attachments/assets/6a01ce32-c608-4537-81bc-119bbf4fea5f

Expected Behavior

  • The system should detect circular references and prevent users from creating short links that redirect to themselves.
  • The user should see an appropriate error message such as:
    "You cannot shorten a link that redirects to itself."
  • The link should not be stored in the database.

Impact

  • User Experience Issue: Infinite redirects can cause browser crashes.
  • SEO Concerns: Search engines might flag the site for improper redirections.
  • Potential Exploits: Users might misuse this for phishing attacks or abuse.
  • Performance Overhead: Unnecessary redirects increase server load.
  • Browser Stability Issues: Some browsers do not handle infinite redirects well and may crash, leading to a poor user experience for end users.

Proposed Solution

I would add a new check in apps/web/lib/api/links/process-link.ts, specifically in the processLink function, to detect circular URLs and return a proper error message before storing the link.

Would this be the right place to implement the fix, or would you recommend another approach?

If this issue is validated, I would be happy to submit a pull request with a fix. Let me know if this change is necessary, and I will proceed accordingly.

Zingzy avatar Feb 20 '25 08:02 Zingzy

ENG-1118 Circular Links Not Blocked – Causes Infinite Redirects

linear[bot] avatar Feb 20 '25 08:02 linear[bot]

@Zingzy

I am also interested in this issue. Can we discuss the approach to solve it?

AbhiArya20 avatar Feb 24 '25 11:02 AbhiArya20

@Zingzy

I thought about it, and regarding brute force, I initially considered using cycle detection in a directed graph or maintaining a set of links. However, retrieving millions of data nodes from the database is not an efficient approach, even with pagination.

I checked on Bitly, and they treat https://bit.ly/something as a reserved domain. Short.io and Rebrandly allow you to create short links that redirect to themselves.

If you're working on it or have an efficient solution, let me know, or should I think more about it to find a more efficient solution?"

AbhiArya20 avatar Mar 04 '25 20:03 AbhiArya20

Is it still open? Can i work on this?

sidhhantPr avatar Mar 16 '25 08:03 sidhhantPr

Yes @sidhhantPr this issue is still open, I'm just looking for the approval by maintainers to raise a PR

Zingzy avatar Mar 16 '25 12:03 Zingzy

Is this issue still open. I'm working on it.

souvikjs01 avatar Apr 02 '25 05:04 souvikjs01

Is this issue still open. I'm working on it.

@souvikjs01 did you try to read the full thread? We are waiting for approval from the admins.

Zingzy avatar Apr 02 '25 06:04 Zingzy