Introduce isOwnInternalUrlHost for more clarity
parent
c061e49216
commit
afa7aa2e6b
@ -185,18 +185,24 @@ export interface OrgUrlInfo {
|
|||||||
orgInPath?: string; // If /o/{orgInPath} should be used to access the requested org.
|
orgInPath?: string; // If /o/{orgInPath} should be used to access the requested org.
|
||||||
}
|
}
|
||||||
|
|
||||||
function isInternalUrl(host: string, envValue?: string) {
|
export function hostMatchesUrl(host?: string, url?: string) {
|
||||||
if (!envValue) { return false; }
|
return host !== undefined && url !== undefined && new URL(url).host === host;
|
||||||
const internalUrl = new URL('/', envValue);
|
|
||||||
return internalUrl.host === host;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function isDocInternalUrl(host: string) {
|
/**
|
||||||
return isInternalUrl(host, process.env.APP_DOC_INTERNAL_URL);
|
* Returns true if:
|
||||||
|
* - the server is a home worker and the host matches APP_HOME_INTERNAL_URL;
|
||||||
|
* - or the server is a doc worker and the host matches APP_DOC_INTERNAL_URL;
|
||||||
|
*
|
||||||
|
* @param {string?} host The host to check
|
||||||
|
*/
|
||||||
|
export function isOwnInternalUrlHost(host?: string) {
|
||||||
|
if (process.env.APP_HOME_INTERNAL_URL) {
|
||||||
|
return hostMatchesUrl(host, process.env.APP_HOME_INTERNAL_URL);
|
||||||
|
} else if (process.env.APP_DOC_INTERNAL_URL) {
|
||||||
|
return hostMatchesUrl(host, process.env.APP_DOC_INTERNAL_URL);
|
||||||
}
|
}
|
||||||
|
return false;
|
||||||
function isHomeInternalUrl(host: string) {
|
|
||||||
return isInternalUrl(host, process.env.APP_HOME_INTERNAL_URL);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -218,9 +224,8 @@ export function getHostType(host: string, options: {
|
|||||||
if (!options.baseDomain) { return 'native'; }
|
if (!options.baseDomain) { return 'native'; }
|
||||||
if (
|
if (
|
||||||
hostname === 'localhost' ||
|
hostname === 'localhost' ||
|
||||||
isDocInternalUrl(host) ||
|
isOwnInternalUrlHost(host) ||
|
||||||
hostname.endsWith(options.baseDomain) ||
|
hostname.endsWith(options.baseDomain)
|
||||||
isHomeInternalUrl(host)
|
|
||||||
) {
|
) {
|
||||||
return 'native';
|
return 'native';
|
||||||
}
|
}
|
||||||
|
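Review bot: In `isOwnInternalUrlHost`, the `else if` means `APP_DOC_INTERNAL_URL` is never consulted once `APP_HOME_INTERNAL_URL` is set, whereas the condition it replaces in `getHostType` accepted a host matching either variable. The docstring describes a check of the server's role (home worker or doc worker), but the code only looks at which variable is present, so a process with both set (whether that happens in practice is not visible on this page) would stop treating its doc internal host as 'native'. If matching either is intended, `return hostMatchesUrl(host, process.env.APP_HOME_INTERNAL_URL) || hostMatchesUrl(host, process.env.APP_DOC_INTERNAL_URL);` keeps the old behaviour; otherwise the docstring should say that the role is inferred from the environment. `new URL(url).host` is also lower-cased and omits a default port, so the comparison with a raw Host value is an exact string match, which deserves a comment on `hostMatchesUrl`.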
@ -1,5 +1,7 @@
|
|||||||
import {ApiError} from 'app/common/ApiError';
|
import {ApiError} from 'app/common/ApiError';
|
||||||
import {DEFAULT_HOME_SUBDOMAIN, isOrgInPathOnly, parseSubdomain, sanitizePathTail} from 'app/common/gristUrls';
|
import {
|
||||||
|
DEFAULT_HOME_SUBDOMAIN, isOrgInPathOnly, isOwnInternalUrlHost, parseSubdomain, sanitizePathTail
|
||||||
|
} from 'app/common/gristUrls';
|
||||||
import * as gutil from 'app/common/gutil';
|
import * as gutil from 'app/common/gutil';
|
||||||
import {DocScope, QueryResult, Scope} from 'app/gen-server/lib/HomeDBManager';
|
import {DocScope, QueryResult, Scope} from 'app/gen-server/lib/HomeDBManager';
|
||||||
import {getUserId, RequestWithLogin} from 'app/server/lib/Authorizer';
|
import {getUserId, RequestWithLogin} from 'app/server/lib/Authorizer';
|
||||||
@ -88,12 +90,7 @@ export function trustOrigin(req: IncomingMessage, resp?: Response): boolean {
|
|||||||
const origin = req.headers.origin;
|
const origin = req.headers.origin;
|
||||||
if (!origin) { return true; } // Not a CORS request.
|
if (!origin) { return true; } // Not a CORS request.
|
||||||
|
|
||||||
if (
|
if (isOwnInternalUrlHost(req.get('Host'))) { return true; }
|
||||||
(process.env.APP_HOME_INTERNAL_URL && req.hostname === new URL(process.env.APP_HOME_INTERNAL_URL).hostname) ||
|
|
||||||
(process.env.APP_DOC_INTERNAL_URL && req.hostname === new URL(process.env.APP_DOC_INTERNAL_URL).hostname)
|
|
||||||
) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!allowHost(req, new URL(origin))) { return false; }
|
if (!allowHost(req, new URL(origin))) { return false; }
|
||||||
|
|
||||||
|
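Review bot: The new early return in `trustOrigin` accepts a CORS request on the strength of the Host header alone, before `allowHost` ever looks at `origin`, so every Origin is trusted for any request addressed to the internal host. That is only safe if the internal URLs are unreachable from browsers; the removed condition made the same assumption, but neither version states it, so I would add `// Internal URLs must only be reachable by trusted servers: Origin is not validated for them.` above the check, or keep validating `origin` on this path. The switch from `req.hostname` to `req.get('Host')` also changes what is compared (the raw header including any port, rather than Express's derived hostname), and the hunk header shows `req` typed as `IncomingMessage`, which has no `get()`; `req.headers.host` would fit that type. The body of `trustOrigin` continues outside the hunk.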