Use url.hostname instead of url.host to allow host from environment variable (#326)

Co-authored-by <yohan.boniface@free.fr>
Louis Delbosc 2022-10-25 20:59:17 +02:00 committed by GitHub
parent caef8bae22
commit eea2ef5cfb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 2 deletions


@ -117,7 +117,7 @@ export function matchesBaseDomain(domain: string, baseDomain: string) {
} }
export function isEnvironmentAllowedHost(url: string|URL) { export function isEnvironmentAllowedHost(url: string|URL) {
const urlHost = (typeof url === 'string') ? url : url.host; const urlHost = (typeof url === 'string') ? url : url.hostname;
return (process.env.GRIST_ALLOWED_HOSTS || "").split(",").some(domain => return (process.env.GRIST_ALLOWED_HOSTS || "").split(",").some(domain =>
domain && matchesBaseDomain(urlHost, domain) domain && matchesBaseDomain(urlHost, domain)
); );
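Review bot: With `url.hostname`, the check in `isEnvironmentAllowedHost` ignores the port, so every port on a host listed in `GRIST_ALLOWED_HOSTS` is now accepted. An entry written as `host:port` can no longer match a `URL` argument, which is apparently why the test configuration in this commit drops its port. The string branch still passes its value through untouched, so a string carrying a port is treated differently from a `URL` for the same origin; whether any caller passes one is not visible here. Neither behaviour is documented, so I would add above the function `/** Matches on hostname only: the port is ignored, and GRIST_ALLOWED_HOSTS entries must be bare hostnames without a port. */`. The function's closing brace lies outside the hunk.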


@ -3035,6 +3035,7 @@ function testDocApi() {
await checkOrigin("https://www.toto.com", 403, "Unrecognized origin"); await checkOrigin("https://www.toto.com", 403, "Unrecognized origin");
await checkOrigin("https://badexample.com", 403, "Unrecognized origin"); await checkOrigin("https://badexample.com", 403, "Unrecognized origin");
await checkOrigin("https://bad.com/example.com/toto", 403, "Unrecognized origin"); await checkOrigin("https://bad.com/example.com/toto", 403, "Unrecognized origin");
await checkOrigin("https://example.com:3000/path", 200);
await checkOrigin("https://example.com/path", 200); await checkOrigin("https://example.com/path", 200);
await checkOrigin("https://good.example.com/toto", 200); await checkOrigin("https://good.example.com/toto", 200);
}); });
@ -3133,7 +3134,7 @@ class TestServer {
REDIS_URL: process.env.TEST_REDIS_URL, REDIS_URL: process.env.TEST_REDIS_URL,
APP_HOME_URL: _homeUrl, APP_HOME_URL: _homeUrl,
ALLOWED_WEBHOOK_DOMAINS: `example.com,localhost:${webhooksTestPort}`, ALLOWED_WEBHOOK_DOMAINS: `example.com,localhost:${webhooksTestPort}`,
GRIST_ALLOWED_HOSTS: `example.com,localhost:${webhooksTestPort}`, GRIST_ALLOWED_HOSTS: `example.com,localhost`,
...process.env ...process.env
}; };
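Review bot: The new `checkOrigin` case in the first hunk only covers acceptance of an allowed host with a port; nothing pins that a disallowed host stays rejected once a port is present. A companion line next to the existing 403 cases, `await checkOrigin("https://badexample.com:3000/path", 403, "Unrecognized origin");`, would guard the domain match against the new port handling. In the second hunk, `GRIST_ALLOWED_HOSTS` now lists `localhost` without a port while `ALLOWED_WEBHOOK_DOMAINS` keeps `localhost:${webhooksTestPort}`. The two variables are presumably matched differently, and a one-line comment saying so would stop a later reader from "fixing" the asymmetry. Both enclosing blocks start and end outside the hunks.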