From c43dfe6002ab56056ffc324d6339bf0ec58fdff6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20Garc=C3=ADa=20Montoro?=
Date: Thu, 20 Jan 2022 21:19:48 +0100
Subject: [PATCH] MM-41042: Allow trusted plugin routes (#1956)

* Allow trusted plugin routes
The only allowed plugin route is, for now, the export endpoint for the channel export plugin.
* Keep it simple
---
 src/common/utils/url.ts | 5 +++++
 src/main/views/webContentEvents.test.js | 7 +++++++
 src/main/views/webContentEvents.ts | 4 ++++
 3 files changed, 16 insertions(+)

diff --git a/src/common/utils/url.ts b/src/common/utils/url.ts
index 48c6ccd6..b7b23fc9 100644
--- a/src/common/utils/url.ts
+++ b/src/common/utils/url.ts
@@ -204,6 +204,10 @@ function isCustomLoginURL(url: URL | string, server: ServerFromURL, teams: TeamW
 return false;
 }
 
+function isChannelExportUrl(serverUrl: URL | string, inputUrl: URL | string): boolean {
+ return isUrlType('plugins/com.mattermost.plugin-channel-export/api/v1/export', serverUrl, inputUrl);
+}
+
 export default {
 isValidURL,
 isValidURI,
@@ -218,4 +222,5 @@ export default {
 getHost,
 isTrustedURL,
 isCustomLoginURL,
+ isChannelExportUrl,
 };
diff --git a/src/main/views/webContentEvents.test.js b/src/main/views/webContentEvents.test.js
index 928736a7..a1f54550 100644
--- a/src/main/views/webContentEvents.test.js
+++ b/src/main/views/webContentEvents.test.js
@@ -55,6 +55,7 @@ jest.mock('common/utils/url', () => ({
 isValidURI: jest.fn(),
 isPluginUrl: jest.fn(),
 isManagedResource: jest.fn(),
+ isChannelExportUrl: jest.fn(),
 }));
 
 jest.mock('../../../electron-builder.json', () => ({
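Review bot: `isChannelExportUrl` hard-codes one plugin path and hands it to `isUrlType` without stating what kind of match that performs, yet its result is used to let a navigation through unchecked; `isUrlType` is outside the hunk, so whether it demands an exact path or also accepts sub-paths beneath `.../api/v1/export` cannot be confirmed here and should be written down next to the function. A TSDoc comment would make the intent reviewable, e.g. `/** True when inputUrl is the channel-export plugin's download endpoint on serverUrl; navigations to it are trusted and not blocked. */`. The matcher also has no direct unit test: the new case in webContentEvents.test.js mocks `isChannelExportUrl` with a substring `includes`, so the real matching against `serverUrl` is never exercised — a url.test case with a matching URL, the same path on a different host, and a sibling path under `plugins/` would pin the allow-list boundary.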
@@ -124,6 +125,12 @@ describe('main/views/webContentsEvents', () => {
 expect(event.preventDefault).not.toBeCalled();
 });
 
+ it('should allow navigation when it isChannelExportUrl', () => {
+ urlUtils.isChannelExportUrl.mockImplementation((serverURL, parsedURL) => parsedURL.toString().includes('/plugins/com.mattermost.plugin-channel-export/api/v1/export'));
+ willNavigate(event, 'http://server-1.com/plugins/com.mattermost.plugin-channel-export/api/v1/export');
+ expect(event.preventDefault).not.toBeCalled();
+ });
+
 it('should not allow navigation under any other circumstances', () => {
 willNavigate(event, 'http://someotherurl.com');
 expect(event.preventDefault).toBeCalled();
diff --git a/src/main/views/webContentEvents.ts b/src/main/views/webContentEvents.ts
index ff84986c..6cff7691 100644
--- a/src/main/views/webContentEvents.ts
+++ b/src/main/views/webContentEvents.ts
@@ -56,6 +56,10 @@ export class WebContentsEventManager {
 return;
 }
 
+ if (server && urlUtils.isChannelExportUrl(server.url, parsedURL)) {
+ return;
+ }
+
 if (server && urlUtils.isCustomLoginURL(parsedURL, server, configServers)) {
 return;
 }
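Review bot: The new early return on `isChannelExportUrl` in webContentEvents.ts looks like the neighbouring allow-list checks but carries no comment saying why this single plugin route is trusted, and the rationale in the commit message ("the only allowed plugin route is, for now, the export endpoint") is exactly what a maintainer extending this list later needs at the call site. Suggest placing `// Trusted plugin route: the channel-export plugin's download endpoint may navigate; every entry here bypasses the default block below, so extend deliberately.` above the `if`. The enclosing handler begins before the hunk and ends after it, so the code that derives `server` and `parsedURL` and the final blocking branch are not visible here.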