From 0ca433293442ee6a43044021c206d9da9a21c25a Mon Sep 17 00:00:00 2001
From: MDLeom <2809763-curben@users.noreply.gitlab.com>
Date: Fri, 16 May 2025 10:06:15 +0000
Subject: [PATCH] feat(clean_url): extract url from Google ads/search

https://isc.sans.edu/diary/Its+2025+so+why+are+obviously+malicious+advertising+URLs+still+going+strong/31880
https://isc.sans.edu/diary/Another+day+another+phishing+campaign+abusing+googlecom+open+redirects/31950/
https://www.reddit.com/r/pihole/comments/14mvx4f/comment/lam1oxy/?context=3
---
 src/clean_url.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/clean_url.js b/src/clean_url.js
index 7d4ff79f..cb9cb77c 100644
--- a/src/clean_url.js
+++ b/src/clean_url.js
@@ -39,6 +39,21 @@ const deSafelink = (urlStr) => {
     url = new URL(url.searchParams.get('a'))
   }
 
+  // Google Ads
+  if (url.hostname.endsWith('doubleclick.net') || url.hostname.endsWith('googleadservices.com')) {
+    url = new URL(url.href.replaceAll('&amp;', '&'))
+    const paramUrl = url.searchParams.getAll('adurl').at(-1) || url.searchParams.getAll('url').at(-1) || url.searchParams.getAll('ds_dest_url').at(-1)
+    if (paramUrl) url = new URL(paramUrl)
+  }
+
+  // Google Search
+  // Google AMP does not redirect (e.g. google.com/amp/example.com)
+  if (url.hostname.endsWith('google.com') && (url.pathname.startsWith('/url') || url.pathname.startsWith('/travel/clk'))) {
+    url = new URL(url.href.replaceAll('&amp;', '&'))
+    const paramUrl = url.searchParams.get('q') || url.searchParams.get('url') || url.searchParams.get('pcurl')
+    if (paramUrl) url = new URL(paramUrl)
+  }
+
   // "Just have to go deep enough."
   if (url.hostname.match(new RegExp(safeLinks.join('|')))) {
     return deSafelink(url.href)