added toggable security check to only allow loading of Raml Urls which reside under a pre-configured basepath. Adjusted the raml-console-initializer and the raml-console-loader.

grumpyovi · grumpyovi · commit 20cf063bda39 · 2016-06-20T16:57:45.000+02:00
diff --git a/src/app/directives/raml-console-loader.js b/src/app/directives/raml-console-loader.js
@@ -40,21 +40,25 @@
         $scope.vm.loaded = false;
         $scope.vm.error  = void(0);
 
-        return ramlParser.loadPath($window.resolveUrl(url), null, $scope.options)
-          .then(function (raml) {
-            $scope.vm.raml = raml;
-          })
-          .catch(function (error) {
-            $scope.vm.error = angular.extend(error, {
-              /*jshint camelcase: false */
-              buffer: (error.context_mark || error.problem_mark).buffer
-              /*jshint camelcase: true */
-            });
-          })
-          .finally(function () {
-            $scope.vm.loaded = true;
-          })
-        ;
+        if(RAML.LoaderUtils.ramlOriginValidate(url, $scope.options)) {
+          $scope.vm.error = {buffer : 'RAML origin check failed. Raml does not reside underneath the path:' + RAML.LoaderUtils.allowedRamlOrigin($scope.options)};
+        } else {
+          return ramlParser.loadPath($window.resolveUrl(url), null, $scope.options)
+            .then(function (raml) {
+              $scope.vm.raml = raml;
+            })
+            .catch(function (error) {
+              $scope.vm.error = angular.extend(error, {
+                /*jshint camelcase: false */
+                buffer: (error.context_mark || error.problem_mark).buffer
+                /*jshint camelcase: true */
+              });
+            })
+            .finally(function () {
+              $scope.vm.loaded = true;
+            })
+          ;
+        }
       }
     })
   ;
diff --git a/src/app/directives/raml-initializer.js b/src/app/directives/raml-initializer.js
@@ -7,7 +7,10 @@
         restrict:    'E',
         templateUrl: 'directives/raml-initializer.tpl.html',
         replace:     true,
-        controller:  'RamlInitializerController'
+        controller:  'RamlInitializerController',
+        scope:       {
+          options: '='
+        }
       };
     })
     .controller('RamlInitializerController', function RamlInitializerController(
@@ -46,7 +49,13 @@
 
       function loadFromUrl(url) {
         $scope.vm.ramlUrl = url;
-        return loadFromPromise(ramlParser.loadPath($window.resolveUrl(url)), {isLoadingFromUrl: true});
+
+        if(RAML.LoaderUtils.ramlOriginValidate(url, $scope.options)) {
+          $scope.vm.isLoadedFromUrl = true;
+          $scope.vm.error = {message : 'RAML origin check failed. Raml does not reside underneath the path:' + RAML.LoaderUtils.allowedRamlOrigin($scope.options)};
+        } else {
+          return loadFromPromise(ramlParser.loadPath($window.resolveUrl(url)), {isLoadingFromUrl: true});
+        }
       }
 
       function loadFromString(string) {
diff --git a/src/common/loader_utils.js b/src/common/loader_utils.js
@@ -0,0 +1,34 @@
+(function() {
+  'use strict';
+
+  RAML.LoaderUtils = {
+
+    allowedRamlOrigin : function(options) {
+      var basepath='../';
+      if(typeof options.ramlOriginCheck === 'string') {
+        basepath = options.ramlOriginCheck;
+      }
+      return basepath;
+    },
+
+    // prevent loading stuff from other hosts and/or services
+    ramlOriginValidate: function (url, options) {
+      var absolutePath = function(href) {
+          var link = document.createElement('a');
+          link.href = href;
+          return link.href;
+      };
+
+      var isSameBasePath = function(href, basepath) {
+          var absoluteBasepath=absolutePath(basepath);
+          var absoluteRamlPath=absolutePath(href);
+          return absoluteRamlPath.indexOf(absoluteBasepath, 0) === 0;
+      };
+
+      var decodedRamlUrl=decodeURIComponent(url);
+      return options && options.ramlOriginCheck && !isSameBasePath(decodedRamlUrl, RAML.LoaderUtils.allowedRamlOrigin(options));
+    }
+
+
+  };
+})();
