github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-03-06 05:01:58 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
discourse/app/services/wildcard_url_checker.rb

24 lines
525 B
Ruby
Raw Normal View History

DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging
2019-05-03 08:17:27 +10:00
# frozen_string_literal: true
FEATURE: Allow wildcard in allowed_user_api_auth_redirects setting (#6779)
2019-02-26 17:03:20 +01:00
module WildcardUrlChecker
SECURITY: vulnerability in WildcardUrlChecker
2019-12-13 13:12:12 +11:00
VALID_PROTOCOLS = %w(http https discourse).freeze
FEATURE: Allow wildcard in allowed_user_api_auth_redirects setting (#6779)
2019-02-26 17:03:20 +01:00
def self.check_url(url, url_to_check)
SECURITY: vulnerability in WildcardUrlChecker
2019-12-13 13:12:12 +11:00
return nil if !valid_url?(url_to_check)
FEATURE: Allow wildcard in allowed_user_api_auth_redirects setting (#6779)
2019-02-26 17:03:20 +01:00
escaped_url = Regexp.escape(url).sub("\\*", '\S*')
SECURITY: vulnerability in WildcardUrlChecker
2019-12-13 13:12:12 +11:00
url_regex = Regexp.new("\\A#{escaped_url}\\z", 'i')
FEATURE: Allow wildcard in allowed_user_api_auth_redirects setting (#6779)
2019-02-26 17:03:20 +01:00
url_to_check.match(url_regex)
end
SECURITY: vulnerability in WildcardUrlChecker
2019-12-13 13:12:12 +11:00
private
def self.valid_url?(url)
uri = URI.parse(url)
VALID_PROTOCOLS.include?(uri&.scheme) && uri&.host.present?
rescue URI::InvalidURIError
false
end
FEATURE: Allow wildcard in allowed_user_api_auth_redirects setting (#6779)
2019-02-26 17:03:20 +01:00
end
Reference in New Issue Copy Permalink