I'm working on a website that will rebuild data as an RSS feed based on a custom path.
For example: You have a video on youtube that you want an rss feed of comments, you can add -rss to the url (making it youtube-rss.com/asdasdasd) and the web app will parse the path and kick out the RSS feed.
How do you lock the path handler down and avoid malicious input? String sanitation? Validation? Anything else?
There are certain URLs that are given special meaning to certain web services and client software that you need to make sure can't be used to lead to arbitrary content. (Flash's "/crossdomain.xml", LetsEncrypt's "/.well-known/<...>", Google domain verification's "google<...>.html", etc.) Imagine if someone makes a YouTube video named "crossdomain.xml" with valid xml content within the video's description set up to trick the Flash plugin of visitors into thinking the attacker's site can freely make ajax connections to your domain, and then accessing "youtube-rss.com/crossdomain.xml" triggered a YouTube search for "crossdomain.xml" and displayed the first result's description. That exact attack may not work out depending on details about Flash and your website, but there are tons of possibilities like this that may work if you allow any URL to include user-controlled content.
An easy and effective way to defend against this without needing to enumerate all the possible special URLs would be to have a strict whitelist of patterns you support in the URL. If the YouTube URLs you are interested in mimicking always follow a format like "/video?id=[a-z0-9_]+" and "/[a-z0-9_]+", then only process those kinds of URLs, and make sure you correctly limit the allowed symbols in the identifiers. Do not specifically blacklist these URLs (because there are surely many other similar ones too), but double check that these do not pass your whitelist: "youtube-rss.com/crossdomain.xml", "youtube-rss.com/.well-known/abc", and "youtube-rss.com/google123.html".
