@DeepDiver1975
Member

@DeepDiver1975 DeepDiver1975 commented Mar 12, 2024

Description

The frontend generates the URL to the public link share and submits it to the server via the OCS share API.

Via the pure usage of this API, any URL can be sent out to any email address - as long as the caller is logged in (aka has creds at hand).

This change validates that the URL points to one of the configured trusted domains, to add some hardening.

How Has This Been Tested?

  • 🤖

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Database schema changes (next release will require increase of minor version instead of patch)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:
  • Changelog item, see TEMPLATE

@update-docs

update-docs bot commented Mar 12, 2024

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@DeepDiver1975 DeepDiver1975 force-pushed the fix/notify-public-link-by-email branch from 2bdc1a1 to 61734aa Compare March 12, 2024 08:58

@IljaN IljaN self-requested a review March 12, 2024 18:58
@DeepDiver1975 DeepDiver1975 merged commit 6c5cdc5 into master Mar 28, 2024
@delete-merged-branch delete-merged-branch bot deleted the fix/notify-public-link-by-email branch March 28, 2024 11:38