diff --git a/core/server/api/canary/oembed.js b/core/server/api/canary/oembed.js
index 0b47646cd7..1c0e02affb 100644
--- a/core/server/api/canary/oembed.js
+++ b/core/server/api/canary/oembed.js
@@ -1,10 +1,11 @@
-const {i18n} = require('../../lib/common');
 const errors = require('@tryghost/errors');
 const {extract, hasProvider} = require('oembed-parser');
 const Promise = require('bluebird');
-const externalRequest = require('../../lib/request-external');
 const cheerio = require('cheerio');
 const _ = require('lodash');
+const config = require('../../../shared/config');
+const {i18n} = require('../../lib/common');
+const externalRequest = require('../../lib/request-external');
 
 async function fetchBookmarkData(url, html) {
 const metascraper = require('metascraper')([
@@ -97,7 +98,13 @@ function isIpOrLocalhost(url) {
 const IPV6_REGEX = /:/; // fqdns will not have colons
 const HTTP_REGEX = /^https?:/i;
 
- const {protocol, hostname} = new URL(url);
+ const siteUrl = new URL(config.get('url'));
+ const {protocol, hostname, host} = new URL(url);
+
+ // allow requests to Ghost's own url through
+ if (siteUrl.host === host) {
+ return false;
+ }
 
 if (!HTTP_REGEX.test(protocol) || hostname === 'localhost' || IPV4_REGEX.test(hostname) || IPV6_REGEX.test(hostname)) {
 return true;
diff --git a/core/server/api/v2/oembed.js b/core/server/api/v2/oembed.js
index 0f4b7414c2..cfa2007978 100644
--- a/core/server/api/v2/oembed.js
+++ b/core/server/api/v2/oembed.js
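Review bot: In core/server/api/canary/oembed.js the new own-site exemption in isIpOrLocalhost returns `false` before the `HTTP_REGEX.test(protocol)` check runs, so a URL whose host matches the configured site host is no longer rejected by this guard even when its scheme is not http or https. Keeping the scheme check in force for the exempted host is a one-line change: `if (HTTP_REGEX.test(protocol) && siteUrl.host === host) {`. Whether the request helper would refuse such a URL anyway is not visible here, so the guard should not depend on it. The identical hunk in core/server/api/v2/oembed.js has the same ordering and needs the same change. isIpOrLocalhost starts and ends outside the hunk.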
@@ -1,10 +1,11 @@
-const {i18n} = require('../../lib/common');
 const errors = require('@tryghost/errors');
 const {extract, hasProvider} = require('oembed-parser');
 const Promise = require('bluebird');
-const externalRequest = require('../../lib/request-external');
 const cheerio = require('cheerio');
 const _ = require('lodash');
+const config = require('../../../shared/config');
+const {i18n} = require('../../lib/common');
+const externalRequest = require('../../lib/request-external');
 
 const findUrlWithProvider = (url) => {
 let provider;
@@ -51,7 +52,13 @@ function isIpOrLocalhost(url) {
 const IPV6_REGEX = /:/; // fqdns will not have colons
 const HTTP_REGEX = /^https?:/i;
 
- const {protocol, hostname} = new URL(url);
+ const siteUrl = new URL(config.get('url'));
+ const {protocol, hostname, host} = new URL(url);
+
+ // allow requests to Ghost's own url through
+ if (siteUrl.host === host) {
+ return false;
+ }
 
 if (!HTTP_REGEX.test(protocol) || hostname === 'localhost' || IPV4_REGEX.test(hostname) || IPV6_REGEX.test(hostname)) {
 return true;
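Review bot: The comment on the added exemption in isIpOrLocalhost does not say what is matched or how far the exemption reaches. `siteUrl.host === host` compares hostname and port only, so when the configured site `url` is itself localhost or an IP literal, every path on that host and port now passes a guard whose purpose is to block such addresses. I would state that next to the check, for example `// Exempt Ghost's own host (hostname + port from config url); this also applies when that url is localhost or an IP literal.` The same lines are added to core/server/api/canary/oembed.js, so both copies of this guard need to stay in sync or move into one shared helper. isIpOrLocalhost starts and ends outside the hunk.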