From 659542fa95a544c92346a5d837cf5164fc019895 Mon Sep 17 00:00:00 2001
From: Hector Sanjuan
Date: Thu, 26 Jun 2025 15:40:55 +0200
Subject: [PATCH 1/2] bitswap/httpnet: Sanitize allow/denylist inputs

---
 bitswap/network/httpnet/httpnet.go | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/bitswap/network/httpnet/httpnet.go b/bitswap/network/httpnet/httpnet.go
index 85252163d..36c146926 100644
--- a/bitswap/network/httpnet/httpnet.go
+++ b/bitswap/network/httpnet/httpnet.go
@@ -127,7 +127,17 @@ func WithAllowlist(hosts []string) Option {
 log.Infof("HTTP retrieval allowlist: %s", strings.Join(hosts, ", "))
 net.allowlist = make(map[string]struct{})
 for _, h := range hosts {
- net.allowlist[h] = struct{}{}
+ if h == "" {
+ log.Error("empty string in allowlist. Ignoring...")
+ continue
+ }
+ if strings.Contains(h, " ") {
+ log.Errorf("allowlist item '%s' contains a whitespace. Ignoring...")
+ continue
+ }
+
+ // trim newlines
+ net.allowlist[strings.TrimSpace(h)] = struct{}{}
 }
 }
 }
@@ -137,7 +147,17 @@ func WithDenylist(hosts []string) Option {
 log.Infof("HTTP retrieval denylist: %s", strings.Join(hosts, ", "))
 net.denylist = make(map[string]struct{})
 for _, h := range hosts {
- net.denylist[h] = struct{}{}
+ if h == "" {
+ log.Error("empty string in denylist. Ignoring...")
+ continue
+ }
+ if strings.Contains(h, " ") {
+ log.Errorf("denylist item '%s' contains a whitespace. Ignoring...")
+ continue
+ }
+
+ // trim newlines
+ net.denylist[strings.TrimSpace(h)] = struct{}{}
 }
 }
 }
From 8deebe5d2143b6614ed029bed1e2f65a92c0a18a Mon Sep 17 00:00:00 2001
From: Hector Sanjuan
Date: Fri, 27 Jun 2025 10:25:58 +0200
Subject: [PATCH 2/2] bitswap/httpnet: trimspaces first in allowlist/denylists

---
 bitswap/network/httpnet/httpnet.go | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/bitswap/network/httpnet/httpnet.go b/bitswap/network/httpnet/httpnet.go
index 36c146926..417f91709 100644
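Review bot: In PATCH 1/2, `log.Errorf("allowlist item '%s' contains a whitespace. Ignoring...")` in the WithAllowlist hunk has a `%s` verb but no argument, so `go vet` flags it and the log line prints `%!s(MISSING)` instead of the rejected entry; the WithDenylist hunk has the same omission, and PATCH 2/2 leaves both lines untouched. Change them to `log.Errorf("allowlist item %q contains a whitespace. Ignoring...", h)` and `log.Errorf("denylist item %q contains a whitespace. Ignoring...", h)` — `%q` also makes entries that differ only in invisible characters legible to whoever reads the log. Both enclosing functions start before their hunks.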
--- a/bitswap/network/httpnet/httpnet.go
+++ b/bitswap/network/httpnet/httpnet.go
@@ -120,13 +120,13 @@ func WithInsecureSkipVerify(b bool) Option {
 }

 // WithAllowlist sets the hostnames that we are allowed to connect to via
-// HTTP. Additionally, http response status metrics are tagged for each of
-// these hosts.
+// HTTP.
 func WithAllowlist(hosts []string) Option {
 return func(net *Network) {
 log.Infof("HTTP retrieval allowlist: %s", strings.Join(hosts, ", "))
 net.allowlist = make(map[string]struct{})
 for _, h := range hosts {
+ h = strings.TrimSpace(h)
 if h == "" {
 log.Error("empty string in allowlist. Ignoring...")
 continue
@@ -136,17 +136,19 @@ func WithAllowlist(hosts []string) Option {
 continue
 }

- // trim newlines
- net.allowlist[strings.TrimSpace(h)] = struct{}{}
+ net.allowlist[h] = struct{}{}
 }
 }
 }

+// WithDenylist sets the hostnames that we are prohibited to connect to via
+// HTTP.
 func WithDenylist(hosts []string) Option {
 return func(net *Network) {
 log.Infof("HTTP retrieval denylist: %s", strings.Join(hosts, ", "))
 net.denylist = make(map[string]struct{})
 for _, h := range hosts {
+ h = strings.TrimSpace(h)
 if h == "" {
 log.Error("empty string in denylist. Ignoring...")
 continue
@@ -156,8 +158,7 @@ func WithDenylist(hosts []string) Option {
 continue
 }

- // trim newlines
- net.denylist[strings.TrimSpace(h)] = struct{}{}
+ net.denylist[h] = struct{}{}
 }
 }
 }
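Review bot: The added `h = strings.TrimSpace(h)` in the first hunk handles leading and trailing whitespace, but the interior check that follows it (between the first and second hunks) still tests only `strings.Contains(h, " ")`, so an entry with an embedded tab or CR still lands in the map; `strings.ContainsAny(h, " \t\r\n")` closes that gap, and the same applies to the WithDenylist loop. Hostnames compare case-insensitively, so if the lookup on the request path is a plain map index (not visible here) an entry configured with capitals would never match — normalizing with `strings.ToLower` both at insertion and at lookup is worth confirming. After this patch the allowlist and denylist loops are line-for-line identical apart from the list name; folding them into one helper as below keeps the two from diverging again (the `Errorf` with a `%s` verb and no argument that sits between the hunks is an example of such drift). WithAllowlist and WithDenylist both begin before their respective hunks.
```go
// hostSet normalizes configured hostnames into a set, logging and skipping
// entries that are empty or contain whitespace. kind names the list in log
// messages ("allowlist" or "denylist").
func hostSet(kind string, hosts []string) map[string]struct{} {
	set := make(map[string]struct{}, len(hosts))
	for _, h := range hosts {
		h = strings.TrimSpace(h)
		if h == "" {
			log.Errorf("empty string in %s. Ignoring...", kind)
			continue
		}
		// Any interior whitespace, not only a space character, is invalid in a hostname.
		if strings.ContainsAny(h, " \t\r\n") {
			log.Errorf("%s item %q contains a whitespace. Ignoring...", kind, h)
			continue
		}
		set[h] = struct{}{}
	}
	return set
}

func WithAllowlist(hosts []string) Option {
	return func(net *Network) {
		log.Infof("HTTP retrieval allowlist: %s", strings.Join(hosts, ", "))
		net.allowlist = hostSet("allowlist", hosts)
	}
}
// … unchanged: WithDenylist mirrors this with hostSet("denylist", hosts) …
```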