Implement security restriction options to allow limiting demo app

Author: kimmobrunfeldt

README.md

@@ -59,8 +59,12 @@ and requests are direct connections to it.
 
 ## Examples
 
-*Note: the demo Heroku app runs on a free dyno which sleep after idle.
-A request to sleeping dyno may take even 30 seconds.*
+**⚠️ Restrictions ⚠️:**
+
+* For security reasons the urls have been restricted and HTML rendering is disabled. For full demo, run this app locally or deploy to Heroku.
+* The demo Heroku app runs on a free dyno which sleep after idle. A request to sleeping dyno may take even 30 seconds.
+
+
 
 **The most minimal example, render google.com**
 
@@ -106,14 +110,18 @@ https://url-to-pdf-api.herokuapp.com/api/render?url=http://google.com&waitFor=in
 
 **Render HTML sent in JSON body**
 
+*NOTE: Demo app has disabled html rendering for security reasons.*
+
 ```bash
-curl -o html.pdf -XPOST -d'{"html": "<body>test</body>"}' -H"content-type: application/json" https://url-to-pdf-api.herokuapp.com/api/render
+curl -o html.pdf -XPOST -d'{"html": "<body>test</body>"}' -H"content-type: application/json" http://localhost:9000/api/render
 ```
 
 **Render HTML sent as text body**
 
+*NOTE: Demo app has disabled html rendering for security reasons.*
+
 ```bash
-curl -o html.pdf -XPOST -d@page.html -H"content-type: text/html" https://url-to-pdf-api.herokuapp.com/api/render
+curl -o html.pdf -XPOST -d@test/resources/large.html -H"content-type: text/html" http://localhost:9000/api/render
 ```
 
 ## API
@@ -264,11 +272,11 @@ The only required parameter is `url`.
 **Example:**
 
 ```bash
-curl -o google.pdf -XPOST -d'{"url": "http://google.com"}' -H"content-type: application/json" https://url-to-pdf-api.herokuapp.com/api/render
+curl -o google.pdf -XPOST -d'{"url": "http://google.com"}' -H"content-type: application/json" http://localhost:9000/api/render
 ```
 
 ```bash
-curl -o html.pdf -XPOST -d'{"html": "<body>test</body>"}' -H"content-type: application/json" https://url-to-pdf-api.herokuapp.com/api/render
+curl -o html.pdf -XPOST -d'{"html": "<body>test</body>"}' -H"content-type: application/json" http://localhost:9000/api/render
 ```
 
 ### POST /api/render - (HTML)
@@ -283,7 +291,7 @@ paremeter.
 
 ```bash
 curl -o receipt.html https://rawgit.com/wildbit/postmark-templates/master/templates_inlined/receipt.html
-curl -o html.pdf -XPOST [email protected] -H"content-type: text/html" https://url-to-pdf-api.herokuapp.com/api/render?pdf.scale=1
+curl -o html.pdf -XPOST [email protected] -H"content-type: text/html" http://localhost:9000/api/render?pdf.scale=1
 ```
 
 ## Development

package-lock.json

@@ -31,6 +31,7 @@
     "joi": "^11.1.1",
     "lodash": "^4.17.15",
     "morgan": "^1.9.1",
+    "normalize-url": "^5.0.0",
     "pdf-parse": "^1.1.1",
     "puppeteer": "^2.0.0",
     "server-destroy": "^1.0.1",

package.json

@@ -28,6 +28,14 @@ function createApp() {
     logger.info('ALLOW_HTTP=true, unsafe requests are allowed. Don\'t use this in production.');
   }
 
+  if (config.ALLOW_URLS) {
+    logger.info(`ALLOW_URLS set! Allowed urls patterns are: ${config.ALLOW_URLS.join(' ')}`);
+  }
+
+  if (config.DISABLE_HTML_INPUT) {
+    logger.info('DISABLE_HTML_INPUT=true! Input HTML is disabled!');
+  }
+
   const corsOpts = {
     origin: config.CORS_ORIGIN,
     methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'HEAD', 'PATCH'],

src/app.js

@@ -7,14 +7,20 @@ const config = {
   LOG_LEVEL: process.env.LOG_LEVEL,
   ALLOW_HTTP: process.env.ALLOW_HTTP === 'true',
   DEBUG_MODE: process.env.DEBUG_MODE === 'true',
+  DISABLE_HTML_INPUT: process.env.DISABLE_HTML_INPUT === 'true',
   CORS_ORIGIN: process.env.CORS_ORIGIN || '*',
   BROWSER_WS_ENDPOINT: process.env.BROWSER_WS_ENDPOINT,
   BROWSER_EXECUTABLE_PATH: process.env.BROWSER_EXECUTABLE_PATH,
   API_TOKENS: [],
+  ALLOW_URLS: [],
 };
 
 if (process.env.API_TOKENS) {
   config.API_TOKENS = process.env.API_TOKENS.split(',');
 }
 
+if (process.env.ALLOW_URLS) {
+  config.ALLOW_URLS = process.env.ALLOW_URLS.split(',');
+}
+
 module.exports = config;

src/config.js

@@ -1,6 +1,10 @@
+const { URL } = require('url');
 const _ = require('lodash');
+const normalizeUrl = require('normalize-url');
 const ex = require('../util/express');
 const renderCore = require('../core/render-core');
+const logger = require('../util/logger')(__filename);
+const config = require('../config');
 
 function getMimeType(opts) {
   if (opts.output === 'pdf') {
@@ -19,6 +23,8 @@ function getMimeType(opts) {
 
 const getRender = ex.createRoute((req, res) => {
   const opts = getOptsFromQuery(req.query);
+
+  assertOptionsAllowed(opts);
   return renderCore.render(opts)
     .then((data) => {
       if (opts.attachmentName) {
@@ -53,6 +59,7 @@ const postRender = ex.createRoute((req, res) => {
     opts.html = req.body;
   }
 
+  assertOptionsAllowed(opts);
   return renderCore.render(opts)
     .then((data) => {
       if (opts.attachmentName) {
@@ -63,6 +70,70 @@ const postRender = ex.createRoute((req, res) => {
     });
 });
 
+function isHostMatch(host1, host2) {
+  return {
+    match: host1.toLowerCase() === host2.toLowerCase(),
+    type: 'host',
+    part1: host1.toLowerCase(),
+    part2: host2.toLowerCase(),
+  };
+}
+
+function isRegexMatch(urlPattern, inputUrl) {
+  const re = new RegExp(`${urlPattern}`);
+
+  return {
+    match: re.test(inputUrl),
+    type: 'regex',
+    part1: inputUrl,
+    part2: urlPattern,
+  };
+}
+
+function isNormalizedMatch(url1, url2) {
+  return {
+    match: normalizeUrl(url1) === normalizeUrl(url2),
+    type: 'normalized url',
+    part1: url1,
+    part2: url2,
+  };
+}
+
+function isUrlAllowed(inputUrl) {
+  const urlParts = new URL(inputUrl);
+
+  const matchInfos = _.map(config.ALLOW_URLS, (urlPattern) => {
+    if (_.startsWith(urlPattern, 'host:')) {
+      return isHostMatch(urlPattern.split(':')[1], urlParts.host);
+    } else if (_.startsWith(urlPattern, 'regex:')) {
+      return isRegexMatch(urlPattern.split(':')[1], inputUrl);
+    }
+
+    return isNormalizedMatch(urlPattern, inputUrl);
+  });
+
+  const isAllowed = _.some(matchInfos, info => info.match);
+  if (!isAllowed) {
+    logger.info('The url was not allowed because:');
+    _.forEach(matchInfos, (info) => {
+      logger.info(`${info.part1} !== ${info.part2} (with ${info.type} matching)`);
+    });
+  }
+
+  return isAllowed;
+}
+
+function assertOptionsAllowed(opts) {
+  const isDisallowedHtmlInput = !_.isString(opts.url) && config.DISABLE_HTML_INPUT;
+  if (isDisallowedHtmlInput) {
+    ex.throwStatus(403, 'Rendering HTML input is disabled.');
+  }
+
+  if (_.isString(opts.url) && config.ALLOW_URLS.length > 0 && !isUrlAllowed(opts.url)) {
+    ex.throwStatus(403, 'Url not allowed.');
+  }
+}
+
 function getOptsFromQuery(query) {
   const opts = {
     url: query.url,