github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-25 18:41:58 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Restrict allowed URL patterns

Browse Source 
Restrict allowed URL patterns for oneboxes.
This commit is contained in:
Blake Erickson
2024-12-19 11:01:54 -07:00
committed by Roman Rizzi
parent 17e1bfe069
commit 17116c440b
86 changed files with 1131 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/onebox/engine/github_commit_onebox.rb
View File

@ -12,9 +12,13 @@ module Onebox
include Onebox::Mixins::GithubBody
include Onebox::Mixins::GithubAuthHeader
matches_regexp(%r{^https?://(?:www\.)?(?:(?:\w)+\.)?(github)\.com(?:/)?(?:.)*/commit/})
matches_domain("github.com", "www.github.com")
always_https
def self.matches_path(path)
path.match?(%r{^/[\w\-]+/[\w\-]+/commit/[a-f0-9]{40}$})
end
def url
"https://api.github.com/repos/#{match[:org]}/#{match[:repository]}/commits/#{match[:sha]}"
end