SECURITY: ensure embed_url contains valid http(s) uri

2020-05-22 14:54:37 -06:00 · 2020-05-22 14:54:37 -06:00 · 03d26cd6f0
parent bf8085e436
commit 03d26cd6f0
4 changed files with 25 additions and 0 deletions
--- a/app/models/topic_embed.rb
+++ b/app/models/topic_embed.rb
@ -109,6 +109,8 @@ class TopicEmbed < ActiveRecord::Base

    url = UrlHelper.escape_uri(url)
    original_uri = URI.parse(url)
+    raise URI::InvalidURIError unless original_uri.is_a?(URI::HTTP)
+
    opts = {
      tags: %w[div p code pre h1 h2 h3 b em i strong a img ul li ol blockquote],
      attributes: %w[href src class],
--- a/lib/post_creator.rb
+++ b/lib/post_creator.rb
@ -374,6 +374,10 @@ class PostCreator
  # discourse post.
  def create_embedded_topic
    return unless @opts[:embed_url].present?
+
+    original_uri = URI.parse(@opts[:embed_url])
+    raise Discourse::InvalidParameters.new(:embed_url) unless original_uri.is_a?(URI::HTTP)
+
    embed = TopicEmbed.new(topic_id: @post.topic_id, post_id: @post.id, embed_url: @opts[:embed_url])
    rollback_from_errors!(embed) unless embed.save
  end
--- a/spec/models/topic_embed_spec.rb
+++ b/spec/models/topic_embed_spec.rb
@ -308,6 +308,14 @@ describe TopicEmbed do
      end
    end

+    context "non-http URL" do
+      let(:url) { '/test.txt' }
+
+      it "throws an error" do
+        expect { TopicEmbed.find_remote(url) }.to raise_error(URI::InvalidURIError)
+      end
+    end
+
    context "emails" do
      let(:url) { 'http://example.com/foo' }
      let(:contents) { '<p><a href="mailto:foo%40example.com">URL encoded @ symbol</a></p><p><a href="mailto:bar@example.com">normal mailto link</a></p>' }
--- a/spec/requests/posts_controller_spec.rb
+++ b/spec/requests/posts_controller_spec.rb
@ -675,6 +675,17 @@ describe PostsController do
          I18n.t("invalid_params", message: "category")
        )
      end
+
+      it 'will raise an error if specified embed_url is invalid' do
+        user = Fabricate(:admin)
+        master_key = Fabricate(:api_key).key
+
+        post "/posts.json",
+          params: { title: 'this is a test title', raw: 'this is test body', embed_url: '/test.txt' },
+          headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key }
+
+        expect(response.status).to eq(422)
+      end
    end

    describe "when logged in" do