From 6e4e8bf74deb07eb54b662719569c389418f7d22 Mon Sep 17 00:00:00 2001
From: Johannes Zellner <johannes@cloudron.io>
Date: Thu, 6 Oct 2022 19:35:07 +0200
Subject: [PATCH] Add applink upstreamUri validation

---
 src/applinks.js | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/applinks.js b/src/applinks.js
index 06b662f4d..5de73ff0e 100644
--- a/src/applinks.js
+++ b/src/applinks.js
@@ -40,6 +40,18 @@ function postProcess(result) {
     result.icon = result.icon ? result.icon : null;
 }
 
+function validateUpstreamUri(upstreamUri) {
+    assert.strictEqual(typeof upstreamUri, 'string');
+
+    if (!upstreamUri) return new BoxError(BoxError.BAD_FIELD, 'upstreamUri cannot be empty');
+
+    const uri = safe(() => new URL(upstreamUri));
+    if (!uri) return new BoxError(BoxError.BAD_FIELD, `upstreamUri is invalid: ${safe.error.message}`);
+    if (uri.protocol !== 'http:' && uri.protocol !== 'https:') return new BoxError(BoxError.BAD_FIELD, 'upstreamUri has an unsupported scheme');
+
+    return null;
+}
+
 async function list() {
     const results = await database.query(`SELECT ${APPLINKS_FIELDS} FROM applinks ORDER BY upstreamUri`);
 
@@ -115,6 +127,9 @@ async function add(applink) {
 
     debug(`add: ${applink.upstreamUri}`, applink);
 
+    let error = validateUpstreamUri(applink.upstreamUri);
+    if (error) throw error;
+
     if (applink.icon) {
         if (!validator.isBase64(applink.icon)) throw new BoxError(BoxError.BAD_FIELD, 'icon is not base64');
         applink.icon = Buffer.from(applink.icon, 'base64');
@@ -134,7 +149,7 @@ async function add(applink) {
     const query = 'INSERT INTO applinks (id, accessRestrictionJson, label, tagsJson, icon, upstreamUri) VALUES (?, ?, ?, ?, ?, ?)';
     const args = [ data.id, data.accessRestrictionJson, data.label, data.tagsJson, data.icon, data.upstreamUri ];
 
-    const [error] = await safe(database.query(query, args));
+    [error] = await safe(database.query(query, args));
     if (error) throw error;
 
     return data.id;
@@ -156,6 +171,11 @@ async function update(applinkId, applink) {
     assert.strictEqual(typeof applink, 'object');
     assert.strictEqual(typeof applink.upstreamUri, 'string');
 
+    debug(`update: ${applink.upstreamUri}`, applink);
+
+    let error = validateUpstreamUri(applink.upstreamUri);
+    if (error) throw error;
+
     if (applink.icon) {
         if (!validator.isBase64(applink.icon)) throw new BoxError(BoxError.BAD_FIELD, 'icon is not base64');
         applink.icon = Buffer.from(applink.icon, 'base64');