From 271f6fc7925d115e688f62dd9cc3024677d8d9db Mon Sep 17 00:00:00 2001
From: denishov
Date: Fri, 29 Dec 2023 12:00:58 +0100
Subject: [PATCH] Properly check if content can be embedded (#375)

---
 controller/project/project.controller.js | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/controller/project/project.controller.js b/controller/project/project.controller.js
index aa85e3fd..7f2dadcf 100644
--- a/controller/project/project.controller.js
+++ b/controller/project/project.controller.js
@@ -712,18 +712,13 @@ const deleteProject = async function (req, res) {
   }
 };
 
+// eslint-disable-next-line max-statements
 const embed = async function (req, res) {
   let loggedUser = 'anonymous';
   if (req.isAuthenticated()) {
     loggedUser = req.user.username;
   }
 
-  const refererURL = new URL(req.headers.referer);
-  const disallowedDomains = req.user.authorizedHostsForEmbedding.split('\n') || [];
-  if (disallowedDomains.include(refererURL.host)) {
-    return res.status(403).send('Not authorized to embed this project');
-  }
-
   const json = await req.db.get('project').findOne({ shortname: req.params.projectName, backup: { $exists: 0 } });
   if (json) {
     if (!AccessControlService.hasFilesAccess(AccessLevel.VIEW, json, loggedUser)) {
@@ -731,6 +726,22 @@ const embed = async function (req, res) {
       return;
     }
 
+
+    const {referer} = req.headers;
+    let disallowedDomains;
+    let isEmbeddingDisallowed = true;
+
+    if (referer) {
+      const refererURL = new URL(req.headers.referer);
+      const user = await req.db.get('user').findOne({ nickname: json.owner });
+      disallowedDomains = user.authorizedHostsForEmbedding ? user.authorizedHostsForEmbedding.split('\n') : [];
+      isEmbeddingDisallowed = disallowedDomains.includes(refererURL.host);
+    }
+
+    if (isEmbeddingDisallowed) {
+      return res.status(403).send('Not authorized to embed this project');
+    }
+
     json.files.list = [];
     res.render('embed', {
       projectInfo: JSON.stringify(json),
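Review bot: The `// eslint-disable-next-line max-statements` added above `embed` suppresses a size warning that this change itself introduces; moving the referer/owner lookup into a small helper such as `const isRefererDisallowed = async (db, owner, referer) => { … }` and calling it from `embed` would keep the function under the limit without the disable and make the check unit-testable on its own. The body of `embed` continues past the end of this hunk.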
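Review bot: `new URL(req.headers.referer)` throws on a malformed Referer and `user.authorizedHostsForEmbedding` throws when the owner lookup returns null, so in either case the error escapes the async handler instead of producing the 403; the check should fail closed by leaving `isEmbeddingDisallowed` at `true`. Separately, the field is named `authorizedHostsForEmbedding` but is consumed as a denylist (a host in the list is rejected, any host not listed is allowed), so either the name or the comparison looks inverted — please confirm the intended direction. The entries come straight from `split('\n')`, so `\r` and surrounding whitespace are kept and empty lines become entries, while `refererURL.host` carries a port, so `example.org ` or `example.org` against `example.org:8080` will not match as the author likely expects. Referer is client-controlled and omitted by many privacy-configured browsers, so this is only a coarse gate; the browser-enforced `Content-Security-Policy: frame-ancestors` header on the embed response is the reliable control for who may frame the page. The rest of `embed` (the 403 response and `res.render`) continues outside the hunk.
```javascript
    const { referer } = req.headers;
    let isEmbeddingDisallowed = true;

    if (referer) {
      let refererHost = null;
      try {
        refererHost = new URL(referer).host;
      } catch (err) {
        // malformed Referer: keep isEmbeddingDisallowed = true instead of throwing out of the handler
      }
      if (refererHost !== null) {
        const user = await req.db.get('user').findOne({ nickname: json.owner });
        // missing owner record also stays disallowed (fail closed)
        if (user) {
          const disallowedDomains = (user.authorizedHostsForEmbedding || '')
            .split('\n')
            .map((host) => host.trim())
            .filter((host) => host.length > 0);
          isEmbeddingDisallowed = disallowedDomains.includes(refererHost);
        }
      }
    }
    // … unchanged: 403 response, json.files.list, res.render …
```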