s-rah / onionscan

OnionScan is a free and open source tool for investigating the Dark Web.
https://twitter.com/OnionScan

Better onion validation. #95

Closed s-rah closed 8 years ago

s-rah commented 8 years ago

I just had a run attempt to scan "blablahbal.com/onion" because of a bad source regex - however instead of returning an error, OnionScan went through the motions and only failed because it couldn't create the file needed for the report (because of the forward slash) - we should add extra validation on incoming onions.

laanwj commented 8 years ago

What do we want to allow here?

The strictest possible check would be:

^[a-z2-7]{16}\.onion$

However I remember seeing some subdomains of onions used as well, e.g. antiscambrasil.torpress2sarn7xw.onion in the master list here. I guess any valid (combination of) subdomains should be accepted as well?

s-rah commented 8 years ago

> I guess any valid (combination of) subdomains should be accepted as well?

Yes. It should validate that it is a correct URL and (for now) that the tld is .onion.
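
One way to implement the check this thread converges on, as an added example and not OnionScan's own code: the hostname must end in .onion, the label before it must match the base32 pattern proposed above, and any subdomain labels must be valid DNS labels. The names `ValidateOnion`, `serviceLabel` and `dnsLabel` are hypothetical, and accepting 56-character labels is an assumption not discussed in the thread.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var (
	// Service label: the 16-character base32 pattern proposed in the thread;
	// 56 characters (v3 addresses) is an addition not discussed there.
	serviceLabel = regexp.MustCompile(`^([a-z2-7]{16}|[a-z2-7]{56})$`)
	// Subdomain label: DNS letters-digits-hyphen rule, 1-63 characters.
	dnsLabel = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)
)

// ValidateOnion (hypothetical helper) returns the normalised hostname, or an
// error if s is not a bare .onion hostname with optional subdomains.
func ValidateOnion(s string) (string, error) {
	host := strings.ToLower(strings.TrimSpace(s))
	labels := strings.Split(host, ".")
	n := len(labels)
	// A slash, scheme or port ends up inside a label and fails a check below.
	if n < 2 || labels[n-1] != "onion" {
		return "", errors.New("tld is not .onion")
	}
	if !serviceLabel.MatchString(labels[n-2]) {
		return "", errors.New("invalid onion service label")
	}
	for _, l := range labels[:n-2] {
		if !dnsLabel.MatchString(l) {
			return "", fmt.Errorf("invalid subdomain label %q", l)
		}
	}
	return host, nil
}

func main() {
	// The first two inputs are quoted in the thread; the third is constructed.
	for _, in := range []string{
		"blablahbal.com/onion",
		"antiscambrasil.torpress2sarn7xw.onion",
		"torpress2sarn7xw.onion",
	} {
		host, err := ValidateOnion(in)
		fmt.Printf("%-40q host=%q err=%v\n", in, host, err)
	}
}
```

Because every accepted character is a lowercase letter, digit, hyphen or dot, the returned hostname is also safe to use in a report file name.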