From 19fb53336a308a00ee7d87df97f5ac27d24671db Mon Sep 17 00:00:00 2001
From: denishov
Date: Fri, 29 Dec 2023 12:00:58 +0100
Subject: [PATCH] Properly check if content can be embedded (#385)
---
 controller/project/project.controller.js | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/controller/project/project.controller.js b/controller/project/project.controller.js
index aa85e3fd..e7954713 100644
--- a/controller/project/project.controller.js
+++ b/controller/project/project.controller.js
@@ -712,18 +712,13 @@ const deleteProject = async function (req, res) {
 }
 };
+// eslint-disable-next-line max-statements
 const embed = async function (req, res) {
 let loggedUser = 'anonymous';
 if (req.isAuthenticated()) {
 loggedUser = req.user.username;
 }
- const refererURL = new URL(req.headers.referer);
- const disallowedDomains = req.user.authorizedHostsForEmbedding.split('\n') || [];
- if (disallowedDomains.include(refererURL.host)) {
- return res.status(403).send('Not authorized to embed this project');
- }
-
 const json = await req.db.get('project').findOne({ shortname: req.params.projectName, backup: { $exists: 0 } });
 if (json) {
 if (!AccessControlService.hasFilesAccess(AccessLevel.VIEW, json, loggedUser)) {
@@ -731,6 +726,21 @@ const embed = async function (req, res) {
 return;
 }
+
+ const {referer} = req.headers;
+ let isEmbeddingDisallowed = true;
+
+ if (referer) {
+ const refererURL = new URL(req.headers.referer);
+ const user = await req.db.get('user').findOne({ nickname: json.owner });
+ const disallowedDomains = user.authorizedHostsForEmbedding ? user.authorizedHostsForEmbedding.split('\n') : [];
+ isEmbeddingDisallowed = disallowedDomains.includes(refererURL.host);
+ }
+
+ if (isEmbeddingDisallowed) {
+ return res.status(403).send('Not authorized to embed this project');
+ }
+
 json.files.list = [];
 res.render('embed', {
 projectInfo: JSON.stringify(json),
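Review bot: `new URL(req.headers.referer)` in the added `if (referer)` block throws on a malformed Referer value, and `user.authorizedHostsForEmbedding` throws if the owner lookup returns null; in an async handler either becomes a rejected promise instead of the intended 403, so both the parse and the lookup should be guarded and treated as "not embeddable". The list is built from a field named `authorizedHostsForEmbedding` but stored in `disallowedDomains`, and a match sets `isEmbeddingDisallowed = true`, so either the field is really a blocklist and the name is misleading, or the condition is inverted and should read `isEmbeddingDisallowed = !disallowedDomains.includes(refererURL.host);` — worth confirming against the code that writes the field, since with the current reading an empty list allows embedding from any referer. Entries from `.split('\n')` are compared untrimmed, so a `\r\n` line ending or trailing space makes a configured host never match `refererURL.host`. The Referer header is only a hint from the client; if the goal is to control framing, the rendered response should also carry a `Content-Security-Policy: frame-ancestors` built from the same host list. `embed` begins in the first hunk and continues past the end of this one.
```javascript
    if (referer) {
      let refererHost = null;
      try {
        refererHost = new URL(referer).host;
      } catch (err) {
        // Malformed Referer: leave isEmbeddingDisallowed = true instead of rejecting the handler's promise.
      }
      const user = await req.db.get('user').findOne({ nickname: json.owner });
      // TODO(review): confirm whether this field is an allowlist or a blocklist before relying on `includes`.
      const configuredHosts = (user && user.authorizedHostsForEmbedding ? user.authorizedHostsForEmbedding : '')
        .split('\n')
        .map((host) => host.trim())
        .filter((host) => host !== '');
      if (refererHost !== null) {
        isEmbeddingDisallowed = configuredHosts.includes(refererHost);
      }
    }
    // … unchanged: 403 response when isEmbeddingDisallowed, then render …
```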