fix: url schema validation

app/controllers/api/avatars.php

@@ -144,7 +144,7 @@
     ->label('sdk.description', '/docs/references/avatars/get-image.md')
     ->label('sdk.response.code', Response::STATUS_CODE_OK)
     ->label('sdk.response.type', Response::CONTENT_TYPE_IMAGE)
-    ->param('url', '', new URL(), 'Image URL which you want to crop.')
+    ->param('url', '', new URL(['http', 'https']), 'Image URL which you want to crop.')
     ->param('width', 400, new Range(0, 2000), 'Resize preview image width, Pass an integer between 0 to 2000.', true)
     ->param('height', 400, new Range(0, 2000), 'Resize preview image height, Pass an integer between 0 to 2000.', true)
     ->inject('response')
@@ -213,7 +213,7 @@
     ->label('sdk.description', '/docs/references/avatars/get-favicon.md')
     ->label('sdk.response.code', Response::STATUS_CODE_OK)
     ->label('sdk.response.type', Response::CONTENT_TYPE_IMAGE)
-    ->param('url', '', new URL(), 'Website URL which you want to fetch the favicon from.')
+    ->param('url', '', new URL(['http', 'https']), 'Website URL which you want to fetch the favicon from.')
     ->inject('response')
     ->action(function ($url, $response) {
         /** @var Appwrite\Utopia\Response $response */

app/controllers/api/projects.php

@@ -582,7 +582,7 @@
     ->param('projectId', null, new UID(), 'Project unique ID.')
     ->param('name', null, new Text(128), 'Webhook name. Max length: 128 chars.')
     ->param('events', null, new ArrayList(new WhiteList(array_keys(Config::getParam('events'), true), true)), 'Events list.')
-    ->param('url', null, new URL(), 'Webhook URL.')
+    ->param('url', null, new URL(['http', 'https']), 'Webhook URL.')
     ->param('security', false, new Boolean(true), 'Certificate verification, false for disabled or true for enabled.')
     ->param('httpUser', '', new Text(256), 'Webhook HTTP user. Max length: 256 chars.', true)
     ->param('httpPass', '', new Text(256), 'Webhook HTTP password. Max length: 256 chars.', true)
@@ -704,7 +704,7 @@
     ->param('webhookId', null, new UID(), 'Webhook unique ID.')
     ->param('name', null, new Text(128), 'Webhook name. Max length: 128 chars.')
     ->param('events', null, new ArrayList(new WhiteList(array_keys(Config::getParam('events'), true), true)), 'Events list.')
-    ->param('url', null, new URL(), 'Webhook URL.')
+    ->param('url', null, new URL(['http', 'https']), 'Webhook URL.')
     ->param('security', false, new Boolean(true), 'Certificate verification, false for disabled or true for enabled.')
     ->param('httpUser', '', new Text(256), 'Webhook HTTP user. Max length: 256 chars.', true)
     ->param('httpPass', '', new Text(256), 'Webhook HTTP password. Max length: 256 chars.', true)

src/Appwrite/Network/Validator/URL.php

@@ -9,10 +9,20 @@
  *
  * Validate that an variable is a valid URL
  *
- * @package Utopia\Validator
+ * @package Appwrite\Network\Validator
  */
 class URL extends Validator
 {
+    protected array $allowedSchemes;
+
+    /**
+     * @param array $allowedSchemes
+     */
+    public function __construct(array $allowedSchemes = [])
+    {
+        $this->allowedSchemes = $allowedSchemes;
+    }
+
     /**
      * Get Description
      *
@@ -22,6 +32,10 @@ class URL extends Validator
      */
     public function getDescription(): string
     {
+        if (!empty($this->allowedSchemes)) {
+            return 'Value must be a valid URL with following schemes (' . \implode(', ', $this->allowedSchemes) . ')';
+        }
+
         return 'Value must be a valid URL';
     }
 
@@ -39,6 +53,10 @@ public function isValid($value): bool
             return false;
         }
 
+        if (!empty($this->allowedSchemes) && !\in_array(\parse_url($value, PHP_URL_SCHEME), $this->allowedSchemes)) {
+            return false;
+        }
+
         return true;
     }
 
@@ -65,4 +83,4 @@ public function getType(): string
     {
         return self::TYPE_STRING;
     }
-}
+}