phlux/mattermostest
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

MM-41042: Allow trusted plugin routes (#1956)

Browse Source 
* Allow trusted plugin routes

The only allowed plugin route is, for now, the export endpoint for the
channel export plugin.

* Keep it simple
This commit is contained in:
Alejandro García Montoro
2022-01-20 21:19:48 +01:00
committed by GitHub
parent e446b13b34
commit c43dfe6002
3 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/common/utils/url.ts
View File

@@ -204,6 +204,10 @@ function isCustomLoginURL(url: URL | string, server: ServerFromURL, teams: TeamW
return false; return false;
} }
function isChannelExportUrl(serverUrl: URL | string, inputUrl: URL | string): boolean {
return isUrlType('plugins/com.mattermost.plugin-channel-export/api/v1/export', serverUrl, inputUrl);
}
export default { export default {
isValidURL, isValidURL,
isValidURI, isValidURI,
@@ -218,4 +222,5 @@ export default {
getHost, getHost,
isTrustedURL, isTrustedURL,
isCustomLoginURL, isCustomLoginURL,
isChannelExportUrl,
}; };

7
src/main/views/webContentEvents.test.js
View File

@@ -55,6 +55,7 @@ jest.mock('common/utils/url', () => ({
isValidURI: jest.fn(), isValidURI: jest.fn(),
isPluginUrl: jest.fn(), isPluginUrl: jest.fn(),
isManagedResource: jest.fn(), isManagedResource: jest.fn(),
isChannelExportUrl: jest.fn(),
})); }));
jest.mock('../../../electron-builder.json', () => ({ jest.mock('../../../electron-builder.json', () => ({
@@ -124,6 +125,12 @@ describe('main/views/webContentsEvents', () => {
expect(event.preventDefault).not.toBeCalled(); expect(event.preventDefault).not.toBeCalled();
}); });
it('should allow navigation when it isChannelExportUrl', () => {
urlUtils.isChannelExportUrl.mockImplementation((serverURL, parsedURL) => parsedURL.toString().includes('/plugins/com.mattermost.plugin-channel-export/api/v1/export'));
willNavigate(event, 'http://server-1.com/plugins/com.mattermost.plugin-channel-export/api/v1/export');
expect(event.preventDefault).not.toBeCalled();
});
it('should not allow navigation under any other circumstances', () => { it('should not allow navigation under any other circumstances', () => {
willNavigate(event, 'http://someotherurl.com'); willNavigate(event, 'http://someotherurl.com');
expect(event.preventDefault).toBeCalled(); expect(event.preventDefault).toBeCalled();

4
src/main/views/webContentEvents.ts
View File

@@ -56,6 +56,10 @@ export class WebContentsEventManager {
return; return;
} }
if (server && urlUtils.isChannelExportUrl(server.url, parsedURL)) {
return;
}
if (server && urlUtils.isCustomLoginURL(parsedURL, server, configServers)) { if (server && urlUtils.isCustomLoginURL(parsedURL, server, configServers)) {
return; return;
} }