
fixed url injection by means of starting an url with "." and turning the prefix into a subdomain

3 files
+ 32
13


+ 9
3
@@ -44,7 +44,7 @@ import LintWriter (LintWriter, adjust, askContext,
import Paths (PathResult (..), RelPath (..), getExtension,
isOldStyle, parsePath)
import Types (Dep (Link, Local, LocalMap, MapLink))
import Uris (SubstError (..), applySubsts, parseUri)
import Uris (SubstError (..), applySubsts, parseUri, extractDomain)
@@ -142,7 +142,7 @@ checkMapProperty p@(Property name _) = case name of
-- scripts can be used by one map
_ | T.toLower name == "script" ->
unwrapString p $ \str ->
unless (("https://static.rc3.world/scripts" `isPrefixOf` str) &&
unless ((checkIsRc3Url str) &&
(not $ "/../" `isInfixOf` str) &&
(not $ "%" `isInfixOf` str) &&
(not $ "@" `isInfixOf` str))
@@ -338,6 +338,12 @@ checkObjectGroupProperty (Property name _) = case name of
\not the object layer."
_ -> warn $ "unknown property " <> prettyprint name <> " for objectgroup layers"
checkIsRc3Url :: Text -> Bool
checkIsRc3Url text= case extractDomain text of
Nothing -> False
Just domain -> do
domain == "https://static.rc3.world"
-- | Checks a single (custom) property of a "normal" tile layer
checkTileLayerProperty :: Property -> LintWriter Layer
@@ -480,7 +486,7 @@ checkTileLayerProperty p@(Property name _value) = case name of
-> do
properties <- askContext <&> getProperties
unless (all (\(Property name value) -> case value of
StrProp str -> name /= "openWebsite" || "https://static.rc3.world/" `isPrefixOf` str
StrProp str -> name /= "openWebsite" || checkIsRc3Url str
_ -> True
) properties)
$ complain "\"openWebsiteAllowApi\" can only be used with websites hosted \
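Review bot: The `script` branch in checkMapProperty now accepts any path on the allowed host, because the new `unless ((checkIsRc3Url str) &&` line replaced a check that also required the `/scripts` path prefix; if that restriction was intentional, keep both conditions: `unless ((checkIsRc3Url str && "https://static.rc3.world/scripts" `isPrefixOf` str) &&`. Whether the host comparison alone also covers the subdomain case named in the commit title depends on what `extractDomain` returns for such inputs, which is not visible in this diff, so a regression test for that case would pin the fix. As a point of style, `checkIsRc3Url` wraps a single pure comparison in `do` and has no Haddock; it can be `checkIsRc3Url = maybe False (== "https://static.rc3.world") . extractDomain` with a `-- | True iff 'extractDomain' reports exactly the static.rc3.world origin.` line above the signature. The same domain-only check is reused in the `openWebsiteAllowApi` hunk, where the old prefix check likewise required the trailing `/`.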