From 6b475468fcc5cfccdc62606c050cc64429497795 Mon Sep 17 00:00:00 2001
From: vabene1111
Date: Tue, 20 Jun 2023 13:22:44 +0200
Subject: [PATCH] added some more validation
---
 cookbook/integration/plantoeat.py | 6 ++++--
 cookbook/views/api.py | 11 ++++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/cookbook/integration/plantoeat.py b/cookbook/integration/plantoeat.py
index 8eb4cb0dc..2affd3771 100644
--- a/cookbook/integration/plantoeat.py
+++ b/cookbook/integration/plantoeat.py
@@ -1,6 +1,7 @@
 from io import BytesIO
 import requests
+import validators
 from cookbook.helper.ingredient_parser import IngredientParser
 from cookbook.integration.integration import Integration
@@ -67,8 +68,9 @@ class Plantoeat(Integration):
 if image_url:
 try:
- response = requests.get(image_url)
- self.import_recipe_image(recipe, BytesIO(response.content))
+ if validators.url(image_url, public=True):
+ response = requests.get(image_url)
+ self.import_recipe_image(recipe, BytesIO(response.content))
 except Exception as e:
 print('failed to import image ', str(e))
diff --git a/cookbook/views/api.py b/cookbook/views/api.py
index a16125b6e..9e428e8ff 100644
--- a/cookbook/views/api.py
+++ b/cookbook/views/api.py
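Review bot: In cookbook/integration/plantoeat.py the new `validators.url(image_url, public=True)` guard inspects only the URL string, so it does not cover a hostname that resolves to an internal address or a public URL that redirects to one, since `requests.get(image_url)` follows redirects by default. The same gap applies to the `validators.url(recipe_json['image'], public=True)` guard added in cookbook/views/api.py. Consider `response = requests.get(image_url, allow_redirects=False, timeout=10)` and checking the host's resolved addresses with the standard `ipaddress` module before the content is used. When validation fails the image is skipped silently; a log line in an `else:` branch would make rejected URLs visible. The enclosing method starts and ends outside the hunk.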
@@ -1274,11 +1274,12 @@ def recipe_from_source(request):
 serialized_recipe = RecipeExportSerializer(data=recipe_json, context={'request': request})
 if serialized_recipe.is_valid():
 recipe = serialized_recipe.save()
- recipe.image = File(handle_image(request,
- File(io.BytesIO(requests.get(recipe_json['image']).content),
- name='image'),
- filetype=pathlib.Path(recipe_json['image']).suffix),
- name=f'{uuid.uuid4()}_{recipe.pk}{pathlib.Path(recipe_json["image"]).suffix}')
+ if validators.url(recipe_json['image'], public=True):
+ recipe.image = File(handle_image(request,
+ File(io.BytesIO(requests.get(recipe_json['image']).content),
+ name='image'),
+ filetype=pathlib.Path(recipe_json['image']).suffix),
+ name=f'{uuid.uuid4()}_{recipe.pk}{pathlib.Path(recipe_json["image"]).suffix}')
 recipe.save()
 return Response({
 'link': request.build_absolute_uri(reverse('view_recipe', args={recipe.pk}))
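Review bot: The fetch in `recipe_from_source` is still `requests.get(recipe_json['image'])` with no `timeout` and no status check, so inside this view a stalled remote host holds the worker and an error response body is passed to `handle_image` as if it were an image. Assign the response first, `response = requests.get(recipe_json['image'], timeout=10)`, and build the `File` only when `response.ok`. No `import validators` is visible for this file and the diffstat (11 changed lines, all in this hunk) leaves no room for one, so confirm the name is already imported in api.py. The function body starts and ends outside the hunk.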