scottk/chatwoot
1
0
Fork 0
mirror of https://github.com/lingble/chatwoot.git synced 2025-10-30 02:32:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5c25596dad53010908768b0dc7852b026773a12a
chatwoot/enterprise/app/models/concerns/safe_endpoint_validatable.rb
Shivam Mishra 8bbb8ba5a4 feat(ee): Captain custom http tools (#12584) 
To test this out, use the following PR:
https://github.com/chatwoot/chatwoot/pull/12585

---------

Co-authored-by: Pranav <pranavrajs@gmail.com>
2025-10-06 07:53:15 -07:00

85 lines
2.1 KiB
Ruby
Raw Blame History

module Concerns::SafeEndpointValidatable
extend ActiveSupport::Concern
FRONTEND_HOST = URI.parse(ENV.fetch('FRONTEND_URL', 'http://localhost:3000')).host.freeze
DISALLOWED_HOSTS = ['localhost', /\.local\z/i].freeze
included do
validate :validate_safe_endpoint_url
end
private
def validate_safe_endpoint_url
return if endpoint_url.blank?
uri = parse_endpoint_uri
return errors.add(:endpoint_url, 'must be a valid URL') unless uri
validate_endpoint_scheme(uri)
validate_endpoint_host(uri)
validate_not_ip_address(uri)
validate_no_unicode_chars(uri)
end
def parse_endpoint_uri
# Strip Liquid template syntax for validation
# Replace {{ variable }} with a placeholder value
sanitized_url = endpoint_url.gsub(/\{\{[^}]+\}\}/, 'placeholder')
URI.parse(sanitized_url)
rescue URI::InvalidURIError
nil
end
def validate_endpoint_scheme(uri)
return if uri.scheme == 'https'
errors.add(:endpoint_url, 'must use HTTPS protocol')
end
def validate_endpoint_host(uri)
if uri.host.blank?
errors.add(:endpoint_url, 'must have a valid hostname')
return
end
if uri.host == FRONTEND_HOST
errors.add(:endpoint_url, 'cannot point to the application itself')
return
end
DISALLOWED_HOSTS.each do |pattern|
matched = if pattern.is_a?(Regexp)
uri.host =~ pattern
else
uri.host.downcase == pattern
end
next unless matched
errors.add(:endpoint_url, 'cannot use disallowed hostname')
break
end
end
def validate_not_ip_address(uri)
# Check for IPv4
if /\A\d+\.\d+\.\d+\.\d+\z/.match?(uri.host)
errors.add(:endpoint_url, 'cannot be an IP address, must be a hostname')
return
end
# Check for IPv6
return unless uri.host.include?(':')
errors.add(:endpoint_url, 'cannot be an IP address, must be a hostname')
end
def validate_no_unicode_chars(uri)
return unless uri.host
return if /\A[\x00-\x7F]+\z/.match?(uri.host)
errors.add(:endpoint_url, 'hostname cannot contain non-ASCII characters')
end
end
Reference in New Issue View Git Blame Copy Permalink