Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-06 22:40:14 -05:00
Code Issues Activity

🐛 Fixes oembed bookmark with whitespaces

Browse source 
refs https://github.com/TryGhost/Team/issues/1200

- The leading/trailing whitespaces are trimmed by `new URL()` but are considered invalid in metascraper. Trimming solves this edge case.
This commit is contained in:
Thibaut Patel 2021-12-01 15:14:59 +01:00 committed by Fabien 'egg' O'Carroll
parent 0367101c87
commit fd9b76c823
2 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
core/server/services/oembed.js
View file

@ -85,6 +85,8 @@ class OEmbed {
}
async fetchBookmarkData(url) {
// Metascraper doesn't handle leading/trailing whitespace
url = url.trim();
const metascraper = require('metascraper')([
require('metascraper-url')(),
require('metascraper-title')(),
@ -154,6 +156,10 @@ class OEmbed {
}
fetchOembedData(_url, cardType) {
// Trimming solves the difference of url validation between `new URL(url)`
// and metascraper.
_url = _url.trim();
// parse the url then validate the protocol and host to make sure it's
// http(s) and not an IP address or localhost to avoid potential access to
// internal network endpoints

2
test/api-acceptance/admin/oembed_spec.js
View file

@ -70,7 +70,7 @@ describe('Oembed API', function () {
{'content-type': 'text/html'}
);
const url = encodeURIComponent('http://example.com');
const url = encodeURIComponent(' http://example.com\t '); // Whitespaces are to make sure urls are trimmed
const res = await request.get(localUtils.API.getApiQuery(`oembed/?url=${url}&type=bookmark`))
.set('Origin', config.get('url'))
.expect('Content-Type', /json/)