Commit 4298e57
fix(workflow-renderer): validate dropbox host in note embed renderer (#5288)
* fix(workflow-renderer): validate dropbox host in note embed renderer
Replace the bare url.includes('dropbox.com') check with a parsed-hostname
match so attacker-controlled hosts (dropbox.com.evil.com, evil.com/?dropbox.com)
no longer get treated as direct dropbox videos. Resolves CodeQL
js/incomplete-url-substring-sanitization (#430).
* fix(workflow-renderer): rewrite dropbox embed via parsed URL, tolerate scheme-less links
Derive the direct video URL from the parsed URL object (rewrite hostname to
dl.dropboxusercontent.com for any dropbox.com/*.dropbox.com host) instead of a
www-only string replace, and accept scheme-less links. Fixes broken embeds for
m.dropbox.com / bare-host links flagged in review.

1 parent e7635db, commit 4298e57
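One way to implement the parsed-hostname check and host rewrite that the commit message describes, as an added example in JavaScript (not the project's code; the function names, the accepted host set and the https default for scheme-less links are assumptions):

```javascript
// Added example, not the project's code. Hostname-based Dropbox link
// validation and direct-URL rewrite, modelled on the fix described above.
// Function names and the accepted host set are assumptions.

const DROPBOX_APEX = 'dropbox.com';
const DIRECT_HOST = 'dl.dropboxusercontent.com';

// Parse a user-supplied link. Scheme-less links ("m.dropbox.com/s/...") are
// tolerated by prefixing https:// (an assumed default); anything that still
// fails to parse, or that uses a non-http(s) scheme, is rejected.
function parseLink(raw) {
  const s = String(raw).trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:/i.test(s) ? s : `https://${s}`;
  let url;
  try {
    url = new URL(withScheme);
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url;
}

// Exact-apex or dotted-subdomain match on the parsed hostname. This is what a
// substring check like url.includes('dropbox.com') gets wrong: both
// "dropbox.com.evil.com" and "evil.com/?dropbox.com" contain the string, but
// neither has a Dropbox hostname.
function isDropboxHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  return h === DROPBOX_APEX || h.endsWith(`.${DROPBOX_APEX}`);
}

// Return the direct video URL for a Dropbox link, or null when the link is
// not a Dropbox link. The hostname is rewritten on the URL object rather than
// by string-replacing "www.", so m.dropbox.com and bare dropbox.com work too.
function toDirectDropboxUrl(raw) {
  const url = parseLink(raw);
  if (!url || !isDropboxHost(url.hostname)) return null;
  url.protocol = 'https:';
  url.hostname = DIRECT_HOST;
  return url.toString();
}
```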
1 file changed
Lines changed: 31 additions & 5 deletions
Diff hunks (only line positions survive in this rendering):
Hunk 1: 28 lines added after original line 19 (new lines 20-47), context at original lines 17-19 and 20-22.
Hunk 2: original lines 253-257 removed, new lines 281-283 added, context at original lines 250-252 and 258-260.
0 commit comments