chore: validate external link (#1069)

This commit is contained in:
boojack 2023-02-11 17:34:29 +08:00 committed by GitHub
parent e0f4cb06b3
commit b11d2130a0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 14 deletions


@ -38,6 +38,10 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
} }
resourceCreate.CreatorID = userID resourceCreate.CreatorID = userID
// Only allow those external links with http prefix.
if resourceCreate.ExternalLink != "" && !strings.HasPrefix(resourceCreate.ExternalLink, "http") {
return echo.NewHTTPError(http.StatusBadRequest, "Invalid external link")
}
resource, err := s.Store.CreateResource(ctx, resourceCreate) resource, err := s.Store.CreateResource(ctx, resourceCreate)
if err != nil { if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create resource").SetInternal(err) return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create resource").SetInternal(err)
@ -188,13 +192,7 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch resource").SetInternal(err) return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch resource").SetInternal(err)
} }
c.Response().Writer.WriteHeader(http.StatusOK) return c.Stream(http.StatusOK, resource.Type, bytes.NewReader(resource.Blob))
c.Response().Writer.Header().Set("Content-Type", resource.Type)
c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'")
if _, err := c.Response().Writer.Write(resource.Blob); err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "Failed to write resource blob").SetInternal(err)
}
return nil
}) })
g.PATCH("/resource/:resourceId", func(c echo.Context) error { g.PATCH("/resource/:resourceId", func(c echo.Context) error {
@ -296,16 +294,15 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) {
} }
resource, err := s.Store.FindResource(ctx, resourceFind) resource, err := s.Store.FindResource(ctx, resourceFind)
if err != nil { if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch resource ID: %v", resourceID)).SetInternal(err) return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find resource by ID: %v", resourceID)).SetInternal(err)
} }
resourceType := strings.ToLower(resource.Type)
if strings.HasPrefix(resourceType, "text") || (strings.HasPrefix(resourceType, "application") && resourceType != "application/pdf") {
resourceType = echo.MIMETextPlain
}
c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable") c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'") c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'")
if strings.HasPrefix(resourceType, "video") || strings.HasPrefix(resourceType, "audio") { resourceType := strings.ToLower(resource.Type)
if strings.HasPrefix(resourceType, "text") {
resourceType = echo.MIMETextPlainCharsetUTF8
} else if strings.HasPrefix(resourceType, "video") || strings.HasPrefix(resourceType, "audio") {
http.ServeContent(c.Response(), c.Request(), resource.Filename, time.Unix(resource.UpdatedTs, 0), bytes.NewReader(resource.Blob)) http.ServeContent(c.Response(), c.Request(), resource.Filename, time.Unix(resource.UpdatedTs, 0), bytes.NewReader(resource.Blob))
return nil return nil
} }
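Review bot: Replacing the manual header writes with `c.Stream(http.StatusOK, resource.Type, bytes.NewReader(resource.Blob))` in the second hunk drops the `Content-Security-Policy: default-src 'self'` header that the removed lines set, so a stored blob served under its user-supplied `resource.Type` (an HTML or SVG upload, for instance) now leaves this handler without the CSP that the public route in the third hunk still applies; keep `c.Response().Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'")` before the `c.Stream` call. In the first hunk `strings.HasPrefix(resourceCreate.ExternalLink, "http")` is a loose scheme check — it accepts any string beginning with those four letters and never parses the link; `u, err := url.Parse(resourceCreate.ExternalLink); if err != nil || (u.Scheme != "http" && u.Scheme != "https") { return echo.NewHTTPError(http.StatusBadRequest, "Invalid external link") }` with `net/url` imported pins the scheme exactly. The third hunk also narrows the content-type normalization: the removed code mapped every `application/*` type except `application/pdf` to text/plain, while the new branch rewrites only `text/*`, so other stored `application/` types are now served verbatim from the public route — if that is intended, a comment such as `// Only text/* is forced to text/plain; other types are served as stored.` would record it. The enclosing handlers begin and end outside these hunks.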


@ -194,7 +194,7 @@ const CreateResourceDialog: React.FC<Props> = (props: Props) => {
</Typography> </Typography>
<Input <Input
className="mb-2" className="mb-2"
placeholder="File link" placeholder="https://the.link.to/your/resource"
value={resourceCreate.externalLink} value={resourceCreate.externalLink}
onChange={handleExternalLinkChanged} onChange={handleExternalLinkChanged}
fullWidth fullWidth