Merge pull request #11909 from umbraco/v9/feature/allowlist-for-help-page

V9: Add allowlist for HelpPage

Author: nikolajlauridsen

src/JsonSchema/AppSettings.cs

@@ -89,6 +89,8 @@ public class CmsDefinition
                 public LegacyPasswordMigrationSettings LegacyPasswordMigration { get; set; }
 
                 public ContentDashboardSettings ContentDashboard { get; set; }
+
+                public HelpPageSettings HelpPage { get; set; }
             }
 
             /// <summary>

src/Umbraco.Core/Configuration/Models/HelpPageSettings.cs

@@ -0,0 +1,11 @@
+namespace Umbraco.Cms.Core.Configuration.Models
+{
+    [UmbracoOptions(Constants.Configuration.ConfigHelpPage)]
+    public class HelpPageSettings
+    {
+        /// <summary>
+        /// Gets or sets the allowed addresses to retrieve data for the content dashboard.
+        /// </summary>
+        public string[] HelpPageUrlAllowList { get; set; }
+    }
+}

src/Umbraco.Core/Constants-Configuration.cs

@@ -55,6 +55,7 @@ public static class Configuration
             public const string ConfigRichTextEditor = ConfigPrefix + "RichTextEditor";
             public const string ConfigPackageMigration = ConfigPrefix + "PackageMigration";
             public const string ConfigContentDashboard = ConfigPrefix + "ContentDashboard";
+            public const string ConfigHelpPage = ConfigPrefix + "HelpPage";
         }
     }
 }

src/Umbraco.Core/DependencyInjection/UmbracoBuilder.Configuration.cs

@@ -87,7 +87,8 @@ public static IUmbracoBuilder AddConfiguration(this IUmbracoBuilder builder)
                 .AddUmbracoOptions<RuntimeMinificationSettings>()
                 .AddUmbracoOptions<LegacyPasswordMigrationSettings>()
                 .AddUmbracoOptions<PackageMigrationSettings>()
-                .AddUmbracoOptions<ContentDashboardSettings>();
+                .AddUmbracoOptions<ContentDashboardSettings>()
+                .AddUmbracoOptions<HelpPageSettings>();
 
             builder.Services.Configure<RequestHandlerSettings>(options => options.MergeReplacements(builder.Config));
 

src/Umbraco.Web.BackOffice/Controllers/HelpController.cs

@@ -1,10 +1,17 @@
-using System.Collections.Generic;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
 using System.Net.Http;
 using System.Runtime.Serialization;
 using System.Threading.Tasks;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using Newtonsoft.Json;
+using Umbraco.Cms.Core.Configuration.Models;
 using Umbraco.Cms.Web.Common.Attributes;
+using Umbraco.Cms.Web.Common.DependencyInjection;
 using Constants = Umbraco.Cms.Core.Constants;
 
 namespace Umbraco.Cms.Web.BackOffice.Controllers
@@ -13,15 +20,44 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
     public class HelpController : UmbracoAuthorizedJsonController
     {
         private readonly ILogger<HelpController> _logger;
+        private HelpPageSettings _helpPageSettings;
 
+        [Obsolete("Use constructor that takes IOptions<HelpPageSettings>")]
         public HelpController(ILogger<HelpController> logger)
+            : this(logger, StaticServiceProvider.Instance.GetRequiredService<IOptionsMonitor<HelpPageSettings>>())
+        {
+        }
+
+        [ActivatorUtilitiesConstructor]
+        public HelpController(
+            ILogger<HelpController> logger,
+            IOptionsMonitor<HelpPageSettings> helpPageSettings)
         {
             _logger = logger;
+
+            ResetHelpPageSettings(helpPageSettings.CurrentValue);
+            helpPageSettings.OnChange(ResetHelpPageSettings);
+        }
+
+        private void ResetHelpPageSettings(HelpPageSettings settings)
+        {
+            _helpPageSettings = settings;
         }
 
         private static HttpClient _httpClient;
+
         public async Task<List<HelpPage>> GetContextHelpForPage(string section, string tree, string baseUrl = "https://our.umbraco.com")
         {
+            if (IsAllowedUrl(baseUrl) is false)
+            {
+                _logger.LogError($"The following URL is not listed in the allowlist for HelpPage in web.config: {baseUrl}");
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
+
+                // Ideally we'd want to return a BadRequestResult here,
+                // however, since we're not returning ActionResult this is not possible and changing it would be a breaking change.
+                return new List<HelpPage>();
+            }
+
             var url = string.Format(baseUrl + "/Umbraco/Documentation/Lessons/GetContextHelpDocs?sectionAlias={0}&treeAlias={1}", section, tree);
 
             try
@@ -44,6 +80,17 @@ public async Task<List<HelpPage>> GetContextHelpForPage(string section, string t
 
             return new List<HelpPage>();
         }
+
+        private bool IsAllowedUrl(string url)
+        {
+            if (_helpPageSettings.HelpPageUrlAllowList is null ||
+                _helpPageSettings.HelpPageUrlAllowList.Contains(url))
+            {
+                return true;
+            }
+
+            return false;
+        }
     }
 
     [DataContract(Name = "HelpPage")]