Unverified Commit 6fafcb34 authored by Jerry Huang's avatar Jerry Huang Committed by GitHub

Backend validation for landing-page to disallow external URLs (#37551)

* landing-page backend validation

* fix spacing
parent 3ef4d5df
(ns metabase.public-settings
(:require
[clojure.java.io :as io]
[clojure.string :as str]
[java-time.api :as t]
[metabase.api.common :as api]
......@@ -257,12 +258,29 @@
:visibility :public
:audit :getter)
(defn- coerce-to-relative-url
"Get the path of a given URL if the URL contains an origin.
Otherwise make the landing-page a relative path."
[landing-page]
(cond
(u/url? landing-page) (-> landing-page io/as-url .getPath)
(empty? landing-page) ""
(not (str/starts-with? landing-page "/")) (str "/" landing-page)
:else landing-page))
(defsetting landing-page
(deferred-tru "Default page to show people when they log in.")
:visibility :public
:type :string
:default ""
:audit :getter)
:audit :getter
:setter (fn [new-landing-page]
(when new-landing-page
;; If the landing page is a valid URL or mailto, sms, or file, then check with if site-url has the same origin.
(when (and (or (re-matches #"^(mailto|sms|file):(.*)" new-landing-page) (u/url? new-landing-page))
(not (str/starts-with? new-landing-page (site-url))))
(throw (ex-info (tru "This field must be a relative URL.") {:status-code 400}))))
(setting/set-value-of-type! :string :landing-page (coerce-to-relative-url new-landing-page))))
(defsetting enable-public-sharing
(deferred-tru "Enable admins to create publicly viewable links (and embeddable iframes) for Questions and Dashboards?")
......
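Review bot: The new `:setter` (L40–L46) still accepts protocol-relative values such as `//example.com/path`: the regex only matches mailto/sms/file, `u/url?` presumably requires a scheme and so returns false for them (not visible here, worth confirming), and `coerce-to-relative-url` passes anything that already starts with `/` through unchanged, so the stored value would still send the browser to an external origin. Add a guard ahead of the existing origin check, `(when (re-find #"^[/\\]{2}" new-landing-page) (throw (ex-info (tru "This field must be a relative URL.") {:status-code 400})))`, covering the backslash form as well since browsers normalise `/\` to `//`. Separately, `(str/starts-with? new-landing-page (site-url))` on L44 will raise a NullPointerException instead of the intended 400 when `site-url` is unset, so treat a nil `site-url` as "no same-origin exemption" rather than calling `starts-with?` with it. The rejection cases in the test hunk of the second file (L76–L96) should gain a `//example.com` case once the guard is in place.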
......@@ -184,7 +184,6 @@
(is (= false
(public-settings/redirect-all-requests-to-https)))))))))
(deftest cloud-gateway-ips-test
(mt/with-temp-env-var-value [mb-cloud-gateway-ips "1.2.3.4,5.6.7.8"]
(with-redefs [premium-features/is-hosted? (constantly true)]
......@@ -301,3 +300,53 @@
(public-settings/help-link-custom-destination! "http://www.metabase.com")))
(is (= nil (public-settings/help-link-custom-destination))))))
(deftest landing-page-setting-test
(testing "should return relative url for valid inputs"
(public-settings/landing-page! "")
(is (= "" (public-settings/landing-page)))
(public-settings/landing-page! "/")
(is (= "/" (public-settings/landing-page)))
(public-settings/landing-page! "/one/two/three/")
(is (= "/one/two/three/" (public-settings/landing-page)))
(public-settings/landing-page! "no-leading-slash")
(is (= "/no-leading-slash" (public-settings/landing-page)))
(public-settings/landing-page! "/pathname?query=param#hash")
(is (= "/pathname?query=param#hash" (public-settings/landing-page)))
(public-settings/landing-page! "#hash")
(is (= "/#hash" (public-settings/landing-page)))
(with-redefs [public-settings/site-url (constantly "http://localhost")]
(public-settings/landing-page! "http://localhost/absolute/same-origin")
(is (= "/absolute/same-origin" (public-settings/landing-page)))))
(testing "landing-page cannot be set to URLs with external origin"
(is (thrown-with-msg?
Exception
#"This field must be a relative URL."
(public-settings/landing-page! "https://google.com")))
(is (thrown-with-msg?
Exception
#"This field must be a relative URL."
(public-settings/landing-page! "sms://?&body=Hello")))
(is (thrown-with-msg?
Exception
#"This field must be a relative URL."
(public-settings/landing-page! "https://localhost/test")))
(is (thrown-with-msg?
Exception
#"This field must be a relative URL."
(public-settings/landing-page! "mailto:user@example.com")))
(is (thrown-with-msg?
Exception
#"This field must be a relative URL."
(public-settings/landing-page! "file:///path/to/resource")))))