Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: ensure embed_url contains valid http(s) uri

This commit is contained in:
Blake Erickson 2020-05-22 14:54:37 -06:00
parent bf8085e436
commit 03d26cd6f0
4 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/models/topic_embed.rb
View File

@ -109,6 +109,8 @@ class TopicEmbed < ActiveRecord::Base
url = UrlHelper.escape_uri(url) url = UrlHelper.escape_uri(url)
original_uri = URI.parse(url) original_uri = URI.parse(url)
raise URI::InvalidURIError unless original_uri.is_a?(URI::HTTP)
opts = { opts = {
tags: %w[div p code pre h1 h2 h3 b em i strong a img ul li ol blockquote], tags: %w[div p code pre h1 h2 h3 b em i strong a img ul li ol blockquote],
attributes: %w[href src class], attributes: %w[href src class],

4
lib/post_creator.rb
View File

@ -374,6 +374,10 @@ class PostCreator
# discourse post. # discourse post.
def create_embedded_topic def create_embedded_topic
return unless @opts[:embed_url].present? return unless @opts[:embed_url].present?
original_uri = URI.parse(@opts[:embed_url])
raise Discourse::InvalidParameters.new(:embed_url) unless original_uri.is_a?(URI::HTTP)
embed = TopicEmbed.new(topic_id: @post.topic_id, post_id: @post.id, embed_url: @opts[:embed_url]) embed = TopicEmbed.new(topic_id: @post.topic_id, post_id: @post.id, embed_url: @opts[:embed_url])
rollback_from_errors!(embed) unless embed.save rollback_from_errors!(embed) unless embed.save
end end

8
spec/models/topic_embed_spec.rb
View File

@ -308,6 +308,14 @@ describe TopicEmbed do
end end
end end
context "non-http URL" do
let(:url) { '/test.txt' }
it "throws an error" do
expect { TopicEmbed.find_remote(url) }.to raise_error(URI::InvalidURIError)
end
end
context "emails" do context "emails" do
let(:url) { 'http://example.com/foo' } let(:url) { 'http://example.com/foo' }
let(:contents) { '<p><a href="mailto:foo%40example.com">URL encoded @ symbol</a></p><p><a href="mailto:bar@example.com">normal mailto link</a></p>' } let(:contents) { '<p><a href="mailto:foo%40example.com">URL encoded @ symbol</a></p><p><a href="mailto:bar@example.com">normal mailto link</a></p>' }

11
spec/requests/posts_controller_spec.rb
View File

@ -675,6 +675,17 @@ describe PostsController do
I18n.t("invalid_params", message: "category") I18n.t("invalid_params", message: "category")
) )
end end
it 'will raise an error if specified embed_url is invalid' do
user = Fabricate(:admin)
master_key = Fabricate(:api_key).key
post "/posts.json",
params: { title: 'this is a test title', raw: 'this is test body', embed_url: '/test.txt' },
headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key }
expect(response.status).to eq(422)
end
end end
describe "when logged in" do describe "when logged in" do