Return 403 error when origin is not trusted (#310)

This commit is contained in:
Arnaud Peich 2022-10-13 15:13:01 +02:00 committed by GitHub
parent 396153b1eb
commit 5f66a8f298
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 4 deletions


@ -1,3 +1,4 @@
import {ApiError} from 'app/common/ApiError';
import {delay} from 'app/common/delay';
import {DocCreationInfo} from 'app/common/DocListAPI';
import {encodeUrl, getSlugIfNeeded, GristLoadConfig, IGristUrlState, isOrgInPathOnly,
@ -1753,7 +1754,7 @@ function trustOriginHandler(req: express.Request, res: express.Response, next: e
res.header("Access-Control-Allow-Methods", "GET, PATCH, PUT, POST, DELETE, OPTIONS");
res.header("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Requested-With");
} else {
throw new Error('Unrecognized origin');
throw new ApiError('Unrecognized origin', 403);
}
if ('OPTIONS' === req.method) {
res.sendStatus(200);
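Review bot: The rejection branch now throws `ApiError` with 403, which is the right classification, but the handler still relies on Express forwarding a synchronous throw to the error middleware, and nothing in the hunk says so; a comment such as `// Synchronous throw: Express routes it to the ApiError handler, which renders the 403` above the throw would make that explicit for the next reader. If the `Access-Control-Allow-Origin` value set above this hunk echoes the request's Origin (not visible here), the trusted branch should also send `res.header("Vary", "Origin");` alongside the other CORS headers, so a shared cache never replays one origin's allow headers to a different origin. For detection purposes the rejected origin is worth logging at warning level with whatever logger the module already has in scope, since a burst of 403s here is the signal that someone is probing cross-origin access. trustOriginHandler starts and ends outside the hunk.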


@ -2800,9 +2800,9 @@ function testDocApi() {
error && assert.deepEqual(resp.data, {error});
assert.equal(resp.status, status);
}
await checkOrigin("https://www.toto.com", 500, "Unrecognized origin");
await checkOrigin("https://badexample.com", 500, "Unrecognized origin");
await checkOrigin("https://bad.com/example.com/toto", 500, "Unrecognized origin");
await checkOrigin("https://www.toto.com", 403, "Unrecognized origin");
await checkOrigin("https://badexample.com", 403, "Unrecognized origin");
await checkOrigin("https://bad.com/example.com/toto", 403, "Unrecognized origin");
await checkOrigin("https://example.com/path", 200);
await checkOrigin("https://good.example.com/toto", 200);
});
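Review bot: The three rejected-origin cases assert only the 403 status and the error body; none of them check that the rejected response carries no `Access-Control-Allow-Origin` header, which is the property trustOriginHandler is actually meant to enforce. checkOrigin is defined above the hunk, so the check belongs on its error branch, for example `if (error) { assert.equal(resp.headers['access-control-allow-origin'], undefined); }` (this presumes resp is an axios-style response exposing headers; confirm against the helper). The two accepted cases at the end could symmetrically assert that the header is present, so a regression that drops the header on trusted origins is caught as well.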