usememos/memos
1
1
Fork 0
mirror of https://github.com/usememos/memos.git synced 2025-01-04 11:33:06 +08:00
Code Issues Projects Releases Packages Wiki Activity

chore: validate external link (#1069)

Browse source
This commit is contained in:
boojack 2023-02-11 17:34:29 +08:00 committed by GitHub
parent e0f4cb06b3
commit b11d2130a0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
server/resource.go
View file

@ -38,6 +38,10 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
}
resourceCreate.CreatorID = userID
// Only allow those external links with http prefix.
if resourceCreate.ExternalLink != "" && !strings.HasPrefix(resourceCreate.ExternalLink, "http") {
return echo.NewHTTPError(http.StatusBadRequest, "Invalid external link")
}
resource, err := s.Store.CreateResource(ctx, resourceCreate)
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create resource").SetInternal(err)
@ -188,13 +192,7 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch resource").SetInternal(err)
}
c.Response().Writer.WriteHeader(http.StatusOK)
c.Response().Writer.Header().Set("Content-Type", resource.Type)
c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'")
if _, err := c.Response().Writer.Write(resource.Blob); err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "Failed to write resource blob").SetInternal(err)
}
return nil
return c.Stream(http.StatusOK, resource.Type, bytes.NewReader(resource.Blob))
})
g.PATCH("/resource/:resourceId", func(c echo.Context) error {
@ -296,16 +294,15 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) {
}
resource, err := s.Store.FindResource(ctx, resourceFind)
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to fetch resource ID: %v", resourceID)).SetInternal(err)
return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find resource by ID: %v", resourceID)).SetInternal(err)
}
resourceType := strings.ToLower(resource.Type)
if strings.HasPrefix(resourceType, "text") || (strings.HasPrefix(resourceType, "application") && resourceType != "application/pdf") {
resourceType = echo.MIMETextPlain
}
c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'")
if strings.HasPrefix(resourceType, "video") || strings.HasPrefix(resourceType, "audio") {
resourceType := strings.ToLower(resource.Type)
if strings.HasPrefix(resourceType, "text") {
resourceType = echo.MIMETextPlainCharsetUTF8
} else if strings.HasPrefix(resourceType, "video") || strings.HasPrefix(resourceType, "audio") {
http.ServeContent(c.Response(), c.Request(), resource.Filename, time.Unix(resource.UpdatedTs, 0), bytes.NewReader(resource.Blob))
return nil
}

2
web/src/components/CreateResourceDialog.tsx
View file

@ -194,7 +194,7 @@ const CreateResourceDialog: React.FC<Props> = (props: Props) => {
</Typography>
<Input
className="mb-2"
placeholder="File link"
placeholder="https://the.link.to/your/resource"
value={resourceCreate.externalLink}
onChange={handleExternalLinkChanged}
fullWidth