Add filter hook to forbid embed access

author: Chocobozzz <me@florianbigard.com> 2021-03-23 17:18:18 +0100
committer: Chocobozzz <me@florianbigard.com> 2021-03-24 18:18:41 +0100
commit: eebd9838f067369031af9770b899f75f30810549 (patch)
tree: b7ce9668e6a653a097b6790ac944eaa1d78d2032 /server/controllers/client.ts
parent: 4bc45da342597fb49593fc14c40f8dc5a97bb64e (diff)
download: PeerTube-eebd9838f067369031af9770b899f75f30810549.tar.gz
PeerTube-eebd9838f067369031af9770b899f75f30810549.tar.zst
PeerTube-eebd9838f067369031af9770b899f75f30810549.zip
1 files changed, 28 insertions, 0 deletions
diff --git a/server/controllers/client.ts b/server/controllers/client.ts
index 557cbfdfb..022a17ff4 100644
--- a/server/controllers/client.ts
+++ b/server/controllers/client.ts
@@ -2,7 +2,9 @@ import * as express from 'express'
 import { constants, promises as fs } from 'fs'
 import { readFile } from 'fs-extra'
 import { join } from 'path'
+import { logger } from '@server/helpers/logger'
 import { CONFIG } from '@server/initializers/config'
+import { Hooks } from '@server/lib/plugins/hooks'
 import { HttpStatusCode } from '@shared/core-utils'
 import { buildFileLocale, getCompleteLocale, is18nLocale, LOCALE_FILES } from '@shared/core-utils/i18n'
 import { root } from '../helpers/core-utils'
@@ -27,6 +29,7 @@ const embedMiddlewares = [
    ? embedCSP
    : (req: express.Request, res: express.Response, next: express.NextFunction) => next(),
+  // Set headers
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    res.removeHeader('X-Frame-Options')
@@ -105,6 +108,24 @@ function serveServerTranslations (req: express.Request, res: express.Response) {
 }
 async function generateEmbedHtmlPage (req: express.Request, res: express.Response) {
+  const hookName = req.originalUrl.startsWith('/video-playlists/')
+    ? 'filter:html.embed.video-playlist.allowed.result'
+    : 'filter:html.embed.video.allowed.result'
+  const allowParameters = { req }
+  const allowedResult = await Hooks.wrapFun(
+    isEmbedAllowed,
+    allowParameters,
+    hookName
+  )
+  if (!allowedResult || allowedResult.allowed !== true) {
+    logger.info('Embed is not allowed.', { allowedResult })
+    return sendHTML(allowedResult?.html || '', res)
+  }
  const html = await ClientHtml.getEmbedHTML()
  return sendHTML(html, res)
@@ -158,3 +179,10 @@ function serveClientOverride (path: string) {
    }
  }
 }
+type AllowedResult = { allowed: boolean, html?: string }
+function isEmbedAllowed (_object: {
+  req: express.Request
+}): AllowedResult {
+  return { allowed: true }
+}
author	Chocobozzz <me@florianbigard.com>	2021-03-23 17:18:18 +0100
committer	Chocobozzz <me@florianbigard.com>	2021-03-24 18:18:41 +0100
commit	eebd9838f067369031af9770b899f75f30810549 (patch)
tree	b7ce9668e6a653a097b6790ac944eaa1d78d2032 /server/controllers/client.ts
parent	4bc45da342597fb49593fc14c40f8dc5a97bb64e (diff)
download	PeerTube-eebd9838f067369031af9770b899f75f30810549.tar.gz PeerTube-eebd9838f067369031af9770b899f75f30810549.tar.zst PeerTube-eebd9838f067369031af9770b899f75f30810549.zip

diff --git a/server/controllers/client.ts b/server/controllers/client.ts index 557cbfdfb..022a17ff4 100644 --- a/server/controllers/client.ts +++ b/server/controllers/client.ts
@@ -2,7 +2,9 @@ import * as express from 'express'
2	import { constants, promises as fs } from 'fs'	2	import { constants, promises as fs } from 'fs'
3	import { readFile } from 'fs-extra'	3	import { readFile } from 'fs-extra'
4	import { join } from 'path'	4	import { join } from 'path'
		5	import { logger } from '@server/helpers/logger'
5	import { CONFIG } from '@server/initializers/config'	6	import { CONFIG } from '@server/initializers/config'
		7	import { Hooks } from '@server/lib/plugins/hooks'
6	import { HttpStatusCode } from '@shared/core-utils'	8	import { HttpStatusCode } from '@shared/core-utils'
7	import { buildFileLocale, getCompleteLocale, is18nLocale, LOCALE_FILES } from '@shared/core-utils/i18n'	9	import { buildFileLocale, getCompleteLocale, is18nLocale, LOCALE_FILES } from '@shared/core-utils/i18n'
8	import { root } from '../helpers/core-utils'	10	import { root } from '../helpers/core-utils'
@@ -27,6 +29,7 @@ const embedMiddlewares = [
27	? embedCSP	29	? embedCSP
28	: (req: express.Request, res: express.Response, next: express.NextFunction) => next(),	30	: (req: express.Request, res: express.Response, next: express.NextFunction) => next(),
29		31
		32	// Set headers
30	(req: express.Request, res: express.Response, next: express.NextFunction) => {	33	(req: express.Request, res: express.Response, next: express.NextFunction) => {
31	res.removeHeader('X-Frame-Options')	34	res.removeHeader('X-Frame-Options')
32		35
@@ -105,6 +108,24 @@ function serveServerTranslations (req: express.Request, res: express.Response) {
105	}	108	}
106		109
107	async function generateEmbedHtmlPage (req: express.Request, res: express.Response) {	110	async function generateEmbedHtmlPage (req: express.Request, res: express.Response) {
		111	const hookName = req.originalUrl.startsWith('/video-playlists/')
		112	? 'filter:html.embed.video-playlist.allowed.result'
		113	: 'filter:html.embed.video.allowed.result'
		114
		115	const allowParameters = { req }
		116
		117	const allowedResult = await Hooks.wrapFun(
		118	isEmbedAllowed,
		119	allowParameters,
		120	hookName
		121	)
		122
		123	if (!allowedResult \|\| allowedResult.allowed !== true) {
		124	logger.info('Embed is not allowed.', { allowedResult })
		125
		126	return sendHTML(allowedResult?.html \|\| '', res)
		127	}
		128
108	const html = await ClientHtml.getEmbedHTML()	129	const html = await ClientHtml.getEmbedHTML()
109		130
110	return sendHTML(html, res)	131	return sendHTML(html, res)
@@ -158,3 +179,10 @@ function serveClientOverride (path: string) {
158	}	179	}
159	}	180	}
160	}	181	}
		182
		183	type AllowedResult = { allowed: boolean, html?: string }
		184	function isEmbedAllowed (_object: {
		185	req: express.Request
		186	}): AllowedResult {
		187	return { allowed: true }
		188	}