Validate urls are from expected sources. (#14866) (#14869)

Author: mdbitz

class.jetpack-gutenberg.php

@@ -859,4 +859,71 @@ public static function get_extensions_preset_for_variation( $preset_extensions_m
 
 		return $preset_extensions;
 	}
+
+	/**
+	 * Validate a URL used in a SSR block.
+	 *
+	 * @since 8.3.0
+	 *
+	 * @param string $url      URL saved as an attribute in block.
+	 * @param array  $allowed  Array of allowed hosts for that block, or regexes to check against.
+	 * @param bool   $is_regex Array of regexes matching the URL that could be used in block.
+	 *
+	 * @return bool|string
+	 */
+	public static function validate_block_embed_url( $url, $allowed = array(), $is_regex = false ) {
+		if (
+			empty( $url )
+			|| ! is_array( $allowed )
+			|| empty( $allowed )
+		) {
+			return false;
+		}
+
+		$url_components = wp_parse_url( $url );
+
+		// Bail early if we cannot find a host.
+		if ( empty( $url_components['host'] ) ) {
+			return false;
+		}
+
+		// Normalize URL.
+		$url = sprintf(
+			'%s://%s%s%s',
+			$url_components['scheme'],
+			$url_components['host'],
+			$url_components['path'] ? $url_components['path'] : '/',
+			$url_components['query'] ? '?' . $url_components['query'] : ''
+		);
+
+		if ( ! empty( $url_components['fragment'] ) ) {
+			$url = $url . '#' . rawurlencode( $url_components['fragment'] );
+		}
+
+		/*
+		 * If we're using a whitelist of hosts,
+		 * check if the URL belongs to one of the domains allowed for that block.
+		 */
+		if (
+			false === $is_regex
+			&& in_array( $url_components['host'], $allowed, true )
+		) {
+			return $url;
+		}
+
+		/*
+		 * If we are using an array of regexes to check against,
+		 * loop through that.
+		 */
+		if ( true === $is_regex ) {
+			foreach ( $allowed as $regex ) {
+				if ( 1 === preg_match( $regex, $url ) ) {
+					return $url;
+				}
+			}
+		}
+
+		return false;
+	}
+
 }

extensions/blocks/calendly/calendly.php

@@ -82,7 +82,10 @@ function load_assets( $attr, $content ) {
 	if ( is_admin() ) {
 		return;
 	}
-	$url = get_attribute( $attr, 'url' );
+	$url = \Jetpack_Gutenberg::validate_block_embed_url(
+		get_attribute( $attr, 'url' ),
+		array( 'calendly.com' )
+	);
 	if ( empty( $url ) ) {
 		return;
 	}

extensions/blocks/eventbrite/eventbrite.php

@@ -27,6 +27,12 @@ function jetpack_render_eventbrite_block( $attr, $content ) {
 		return '';
 	}
 
+	$attr['url'] = Jetpack_Gutenberg::validate_block_embed_url(
+		$attr['url'],
+		array( '#^https?:\/\/(?:[0-9a-z]+\.)?eventbrite\.(?:com|co\.uk|com\.ar|com\.au|be|com\.br|ca|cl|co|dk|de|es|fi|fr|hk|ie|it|com\.mx|nl|co\.nz|at|com\.pe|pt|ch|sg|se)\/e\/[^\/]*?(?:\d+)\/?(?:\?[^\/]*)?$#' ),
+		true
+	);
+
 	$widget_id = wp_unique_id( 'eventbrite-widget-' );
 
 	wp_enqueue_script( 'eventbrite-widget', 'https://www.eventbrite.com/static/widgets/eb_widgets.js', array(), JETPACK__VERSION, true );

extensions/blocks/gif/gif.php

@@ -24,7 +24,9 @@
 function jetpack_gif_block_render( $attr ) {
 	$padding_top = isset( $attr['paddingTop'] ) ? $attr['paddingTop'] : 0;
 	$style       = 'padding-top:' . $padding_top;
-	$giphy_url   = isset( $attr['giphyUrl'] ) ? $attr['giphyUrl'] : null;
+	$giphy_url   = isset( $attr['giphyUrl'] )
+		? Jetpack_Gutenberg::validate_block_embed_url( $attr['giphyUrl'], array( 'giphy.com' ) )
+		: null;
 	$search_text = isset( $attr['searchText'] ) ? $attr['searchText'] : '';
 	$caption     = isset( $attr['caption'] ) ? $attr['caption'] : null;
 

extensions/blocks/google-calendar/google-calendar.php

@@ -37,7 +37,9 @@ function register_block() {
 function load_assets( $attr ) {
 	$width   = isset( $attr['width'] ) ? $attr['width'] : '800';
 	$height  = isset( $attr['height'] ) ? $attr['height'] : '600';
-	$url     = isset( $attr['url'] ) ? $attr['url'] : '';
+	$url     = isset( $attr['url'] )
+		? \Jetpack_Gutenberg::validate_block_embed_url( $attr['url'], array( 'calendar.google.com' ) ) :
+		'';
 	$classes = \Jetpack_Gutenberg::block_classes( 'google-calendar', $attr );
 
 	if ( empty( $url ) ) {