github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-30 00:27:58 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Restrict allowed URL patterns

Browse Source 
Restrict allowed URL patterns for oneboxes.
This commit is contained in:
Blake Erickson
2024-12-19 11:01:54 -07:00
committed by Roman Rizzi
parent 17e1bfe069
commit 17116c440b
86 changed files with 1131 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/onebox/engine/github_repo_onebox.rb
View File

@ -13,9 +13,13 @@ module Onebox
GITHUB_COMMENT_REGEX = /(<!--.*?-->\r\n)/m
matches_regexp(%r{^https?:\/\/(?:www\.)?(?!gist\.)[^\/]*github\.com\/[^\/]+\/[^\/]+\/?$})
matches_domain("github.com", "www.github.com")
always_https
def self.matches_path(path)
path.match?(%r{^/[^/]+/[^/]+/?$})
end
def url
"https://api.github.com/repos/#{match[:org]}/#{match[:repository]}"
end