Add filter hook to forbid embed access

author: Chocobozzz <me@florianbigard.com> 2021-03-23 17:18:18 +0100
committer: Chocobozzz <me@florianbigard.com> 2021-03-24 18:18:41 +0100
commit: eebd9838f067369031af9770b899f75f30810549 (patch)
tree: b7ce9668e6a653a097b6790ac944eaa1d78d2032 /server/controllers
parent: 4bc45da342597fb49593fc14c40f8dc5a97bb64e (diff)
download: PeerTube-eebd9838f067369031af9770b899f75f30810549.tar.gz
PeerTube-eebd9838f067369031af9770b899f75f30810549.tar.zst
PeerTube-eebd9838f067369031af9770b899f75f30810549.zip
2 files changed, 29 insertions, 1 deletions
diff --git a/server/controllers/client.ts b/server/controllers/client.ts
index 557cbfdfb..022a17ff4 100644
--- a/server/controllers/client.ts
+++ b/server/controllers/client.ts
@@ -2,7 +2,9 @@ import * as express from 'express'
 import { constants, promises as fs } from 'fs'
 import { readFile } from 'fs-extra'
 import { join } from 'path'
+import { logger } from '@server/helpers/logger'
 import { CONFIG } from '@server/initializers/config'
+import { Hooks } from '@server/lib/plugins/hooks'
 import { HttpStatusCode } from '@shared/core-utils'
 import { buildFileLocale, getCompleteLocale, is18nLocale, LOCALE_FILES } from '@shared/core-utils/i18n'
 import { root } from '../helpers/core-utils'
@@ -27,6 +29,7 @@ const embedMiddlewares = [
    ? embedCSP
    : (req: express.Request, res: express.Response, next: express.NextFunction) => next(),
+  // Set headers
  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    res.removeHeader('X-Frame-Options')
@@ -105,6 +108,24 @@ function serveServerTranslations (req: express.Request, res: express.Response) {
 }
 async function generateEmbedHtmlPage (req: express.Request, res: express.Response) {
+  const hookName = req.originalUrl.startsWith('/video-playlists/')
+    ? 'filter:html.embed.video-playlist.allowed.result'
+    : 'filter:html.embed.video.allowed.result'
+  const allowParameters = { req }
+  const allowedResult = await Hooks.wrapFun(
+    isEmbedAllowed,
+    allowParameters,
+    hookName
+  )
+  if (!allowedResult || allowedResult.allowed !== true) {
+    logger.info('Embed is not allowed.', { allowedResult })
+    return sendHTML(allowedResult?.html || '', res)
+  }
  const html = await ClientHtml.getEmbedHTML()
  return sendHTML(html, res)
@@ -158,3 +179,10 @@ function serveClientOverride (path: string) {
    }
  }
 }
+type AllowedResult = { allowed: boolean, html?: string }
+function isEmbedAllowed (_object: {
+  req: express.Request
+}): AllowedResult {
+  return { allowed: true }
+}
diff --git a/server/controllers/download.ts b/server/controllers/download.ts
index fd44f10e9..9a8194c5c 100644
--- a/server/controllers/download.ts
+++ b/server/controllers/download.ts
@@ -132,7 +132,7 @@ function checkAllowResult (res: express.Response, allowParameters: any, result?:
  if (!result || result.allowed !== true) {
    logger.info('Download is not allowed.', { result, allowParameters })
    res.status(HttpStatusCode.FORBIDDEN_403)
-       .json({ error: result.errorMessage || 'Refused download' })
+       .json({ error: result?.errorMessage || 'Refused download' })
    return false
  }
author	Chocobozzz <me@florianbigard.com>	2021-03-23 17:18:18 +0100
committer	Chocobozzz <me@florianbigard.com>	2021-03-24 18:18:41 +0100
commit	eebd9838f067369031af9770b899f75f30810549 (patch)
tree	b7ce9668e6a653a097b6790ac944eaa1d78d2032 /server/controllers
parent	4bc45da342597fb49593fc14c40f8dc5a97bb64e (diff)
download	PeerTube-eebd9838f067369031af9770b899f75f30810549.tar.gz PeerTube-eebd9838f067369031af9770b899f75f30810549.tar.zst PeerTube-eebd9838f067369031af9770b899f75f30810549.zip