From 5f66a8f298de5bfc40d7e80361bb80cb72e589b3 Mon Sep 17 00:00:00 2001
From: Arnaud Peich <3766352+arnaudpeich@users.noreply.github.com>
Date: Thu, 13 Oct 2022 15:13:01 +0200
Subject: [PATCH] Return 403 error when origin is not trusted (#310)
---
 app/server/lib/FlexServer.ts | 3 ++-
 test/server/lib/DocApi.ts | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/app/server/lib/FlexServer.ts b/app/server/lib/FlexServer.ts
index 4d1a3f66..9da2fb2e 100644
--- a/app/server/lib/FlexServer.ts
+++ b/app/server/lib/FlexServer.ts
@@ -1,3 +1,4 @@
+import {ApiError} from 'app/common/ApiError';
 import {delay} from 'app/common/delay';
 import {DocCreationInfo} from 'app/common/DocListAPI';
 import {encodeUrl, getSlugIfNeeded, GristLoadConfig, IGristUrlState, isOrgInPathOnly,
@@ -1753,7 +1754,7 @@ function trustOriginHandler(req: express.Request, res: express.Response, next: e
 res.header("Access-Control-Allow-Methods", "GET, PATCH, PUT, POST, DELETE, OPTIONS");
 res.header("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Requested-With");
 } else {
- throw new Error('Unrecognized origin');
+ throw new ApiError('Unrecognized origin', 403);
 }
 if ('OPTIONS' === req.method) {
 res.sendStatus(200);
diff --git a/test/server/lib/DocApi.ts b/test/server/lib/DocApi.ts
index a1f7bc52..f1f1d71a 100644
--- a/test/server/lib/DocApi.ts
+++ b/test/server/lib/DocApi.ts
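Review bot: The new `throw new ApiError('Unrecognized origin', 403);` in the else branch of trustOriginHandler carries no comment on why a client-error status replaces the previous 500, and the rejection also covers OPTIONS preflights because it runs before the `if ('OPTIONS' === req.method)` short-circuit. A one-line comment would keep that intent visible to the next reader, e.g. `// Untrusted origin: reject with 403 (a client error, not a server fault) before the OPTIONS short-circuit, so preflights from such origins are refused as well.` The body of trustOriginHandler starts and ends outside the hunk, so whether anything upstream catches this ApiError cannot be confirmed from here. The first hunk (the ApiError import) needs nothing.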
@@ -2800,9 +2800,9 @@ function testDocApi() {
 error && assert.deepEqual(resp.data, {error});
 assert.equal(resp.status, status);
 }
- await checkOrigin("https://www.toto.com", 500, "Unrecognized origin");
- await checkOrigin("https://badexample.com", 500, "Unrecognized origin");
- await checkOrigin("https://bad.com/example.com/toto", 500, "Unrecognized origin");
+ await checkOrigin("https://www.toto.com", 403, "Unrecognized origin");
+ await checkOrigin("https://badexample.com", 403, "Unrecognized origin");
+ await checkOrigin("https://bad.com/example.com/toto", 403, "Unrecognized origin");
 await checkOrigin("https://example.com/path", 200);
 await checkOrigin("https://good.example.com/toto", 200);
 });
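Review bot: The three rejected-origin cases now pin status 403 and the error body, but the visible part of checkOrigin asserts only `resp.status` and `resp.data`; its helper body starts above the hunk, so it is not visible whether the absence of an `Access-Control-Allow-Origin` header on the rejected responses is also checked, and that header's absence is what actually keeps a browser from reading the reply. If it is not checked, a line such as `assert.equal(resp.headers['access-control-allow-origin'], undefined);` guarded by `status === 403` inside checkOrigin would pin that property alongside the status (presumably resp is an axios-style response with a lowercase headers map; verify against the helper).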