curben
/
phishing-filter
mirror of https://gitlab.com/malware-filter/phishing-filter
1
0
Fork 0
Code Issues Releases Wiki Activity

feat(clean_url): extract url from Google ads/search 

https://isc.sans.edu/diary/Its+2025+so+why+are+obviously+malicious+advertising+URLs+still+going+strong/31880
https://isc.sans.edu/diary/Another+day+another+phishing+campaign+abusing+googlecom+open+redirects/31950/
https://www.reddit.com/r/pihole/comments/14mvx4f/comment/lam1oxy/?context=3
This commit is contained in:
MDLeom 2025-05-16 10:06:15 +00:00
parent 80bdbb7e93
commit 0ca4332934
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/clean_url.js
View File

@ -39,6 +39,21 @@ const deSafelink = (urlStr) => {
url = new URL(url.searchParams.get('a'))
}
// Google Ads
if (url.hostname.endsWith('doubleclick.net') || url.hostname.endsWith('googleadservices.com')) {
url = new URL(url.href.replaceAll('&', '&'))
const paramUrl = url.searchParams.getAll('adurl').at(-1) || url.searchParams.getAll('url').at(-1) || url.searchParams.getAll('ds_dest_url').at(-1)
if (paramUrl) url = new URL(paramUrl)
}
// Google Search
// Google AMP does not redirect (e.g. google.com/amp/example.com)
if (url.hostname.endsWith('google.com') && (url.pathname.startsWith('/url') || url.pathname.startsWith('/travel/clk'))) {
url = new URL(url.href.replaceAll('&', '&'))
const paramUrl = url.searchParams.get('q') || url.searchParams.get('url') || url.searchParams.get('pcurl')
if (paramUrl) url = new URL(paramUrl)
}
// "Just have to go deep enough."
if (url.hostname.match(new RegExp(safeLinks.join('|')))) {
return deSafelink(url.href)