SECURITY: Remove ember-cli specific response from application routes (#15155)

Under some conditions, these varied responses could lead to cache poisoning, hence the 'security' label. Previously the Rails application would serve JSON data in place of HTML whenever Ember CLI requested an `application.html.erb`-rendered page. This commit removes that logic, and instead parses the HTML out of the standard response. This means that Rails doesn't need to customize its response for Ember CLI.
2025-05-23 11:41:03 +08:00 · 2021-12-01 16:10:40 +00:00
parent f37375f582
commit 1fa7a87f86
11 changed files with 265 additions and 77 deletions
--- a/spec/requests/bootstrap_controller_spec.rb
+++ b/spec/requests/bootstrap_controller_spec.rb
@ -93,4 +93,38 @@ describe BootstrapController do
      expect(bootstrap['authentication_data']).to eq(cookie_data)
    end
  end
+
+  context 'with a plugin asset filter' do
+    let :plugin do
+      plugin = Plugin::Instance.new
+      plugin.path = "#{Rails.root}/spec/fixtures/plugins/my_plugin/plugin.rb"
+      plugin.register_asset_filter do |type, request|
+        next true if request.path == "/mypluginroute"
+        false
+      end
+      plugin
+    end
+
+    before do
+      Discourse.plugins << plugin
+      plugin.activate!
+    end
+
+    after do
+      Discourse.plugins.delete plugin
+    end
+
+    it "filters assets using the given path" do
+      get "/bootstrap.json"
+      expect(response.status).to eq(200)
+      plugin_assets = response.parsed_body.dig("bootstrap", "plugin_js")
+      expect(plugin_assets).not_to include(a_string_matching "my_plugin")
+
+      get "/bootstrap.json?for_url=/mypluginroute"
+      expect(response.status).to eq(200)
+      plugin_assets = response.parsed_body.dig("bootstrap", "plugin_js")
+      expect(plugin_assets).to include(a_string_matching "my_plugin")
+    end
+
+  end
 end