Use url.hostname instead of url.host to allow host from environment variable (#326)

Co-authored-by <yohan.boniface@free.fr>
2 years ago · eea2ef5cfb
parent caef8bae22
commit eea2ef5cfb
2 changed files with 3 additions and 2 deletions
--- a/app/server/lib/requestUtils.ts
+++ b/app/server/lib/requestUtils.ts
@ -117,7 +117,7 @@ export function matchesBaseDomain(domain: string, baseDomain: string) {
 }

 export function isEnvironmentAllowedHost(url: string|URL) {
-  const urlHost = (typeof url === 'string') ? url : url.host;
+  const urlHost = (typeof url === 'string') ? url : url.hostname;
  return (process.env.GRIST_ALLOWED_HOSTS || "").split(",").some(domain =>
    domain && matchesBaseDomain(urlHost, domain)
  );
--- a/test/server/lib/DocApi.ts
+++ b/test/server/lib/DocApi.ts
@ -3035,6 +3035,7 @@ function testDocApi() {
      await checkOrigin("https://www.toto.com", 403, "Unrecognized origin");
      await checkOrigin("https://badexample.com", 403, "Unrecognized origin");
      await checkOrigin("https://bad.com/example.com/toto", 403, "Unrecognized origin");
+      await checkOrigin("https://example.com:3000/path", 200);
      await checkOrigin("https://example.com/path", 200);
      await checkOrigin("https://good.example.com/toto", 200);
    });
@ -3133,7 +3134,7 @@ class TestServer {
      REDIS_URL: process.env.TEST_REDIS_URL,
      APP_HOME_URL: _homeUrl,
      ALLOWED_WEBHOOK_DOMAINS: `example.com,localhost:${webhooksTestPort}`,
-      GRIST_ALLOWED_HOSTS: `example.com,localhost:${webhooksTestPort}`,
+      GRIST_ALLOWED_HOSTS: `example.com,localhost`,
      ...process.env
    };