Enhance embed URL handling and validation system #7

Conversation

cursor review
function postMessageReceived(e) {
if (!e) { return; }
if (discourseUrl.indexOf(e.origin) === -1) { return; }
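Review bot: `discourseUrl.indexOf(e.origin) === -1` is a substring test, so any origin that happens to be a prefix or fragment of discourseUrl is accepted (for discourseUrl `http://discourse.example.com`, a message from `http://discourse.example.co` passes), and an empty origin string passes outright because `indexOf("")` returns 0. Compare against the one expected origin instead, for example `if (e.origin !== new URL(discourseUrl).origin) { return; }`, which also normalises away any path and default port on discourseUrl.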
Bug: Origin Validation Flaw: Domain Spoofing Risk
The origin validation uses indexOf which allows substring matches, enabling messages from malicious domains. For example, if discourseUrl is "http://discourse.example.com", a message from "example.com" would pass validation since indexOf returns a non-negative value. The check needs to verify exact origin matching rather than substring presence.
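A side-by-side of the substring check and an exact-origin comparison, added here as an illustration and not code from the pull request; the discourseUrl value and the sample origins are constructed.

```javascript
// Added example, not code from the pull request: contrasts the substring
// origin check flagged above with an exact-origin comparison.
// discourseUrl is a constructed value for illustration.
const discourseUrl = "https://discourse.example.com/";

// Vulnerable form (as in the diff): indexOf accepts any origin that is a
// substring of discourseUrl, and indexOf("") is 0, so "" passes too.
function acceptsOriginSubstring(origin) {
  return discourseUrl.indexOf(origin) !== -1;
}

// Hardened form: derive the expected origin once (scheme + host + port,
// no path, default port dropped) and require an exact match.
const discourseOrigin = new URL(discourseUrl).origin;
function acceptsOriginExact(origin) {
  return typeof origin === "string" && origin === discourseOrigin;
}

// Handler shape mirroring postMessageReceived: returns true only when the
// message should be processed further.
function postMessageReceivedHardened(e) {
  if (!e || !acceptsOriginExact(e.origin)) { return false; }
  return true;
}

// Constructed origins a defender would test both checks against.
const sampleOrigins = [
  "https://discourse.example.com",           // legitimate
  "https://discourse.example.co",            // lookalike, substring of discourseUrl
  "",                                        // empty origin
  "https://discourse.example.com.evil.test", // lookalike, not a substring
  "null",                                    // opaque origin (sandboxed iframe)
];

// Returns, per sample origin, what each check decides.
function compareChecks() {
  return sampleOrigins.map((origin) => ({
    origin,
    substring: acceptsOriginSubstring(origin),
    exact: acceptsOriginExact(origin),
  }));
}
```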
def self.import(user, url, title, contents)
return unless url =~ /^https?\:\/\//

contents << "\n<hr>\n<small>#{I18n.t('embed.imported_from', link: "<a href='#{url}'>#{url}</a>")}</small>\n"
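Review bot: the guard `return unless url =~ /^https?\:\/\//` anchors with `^`, which in Ruby matches at the start of any line, so a multi-line value whose first line is not an http(s) URL still passes when a later line is; anchor with `\A` instead (`\Ahttps?://`). The same url is then interpolated raw into `<a href='#{url}'>#{url}</a>`, both inside the href attribute and as link text, so escape it with `ERB::Util.html_escape(url)` before building the link rather than appending it to contents unescaped.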
Bug: Dangerous URLs: Code Injection Vulnerability
The url parameter is directly interpolated into HTML without escaping, creating an XSS vulnerability. A malicious URL containing characters like <script> or " could break out of the HTML context and execute arbitrary JavaScript when the embedded content is rendered.
window.onload = function() {
if (parent) {
// Send a post message with our loaded height
parent.postMessage({type: 'discourse-resize', height: document['body'].offsetHeight}, '<%= request.referer %>');
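Review bot: `'<%= request.referer %>'` drops a client-supplied header into a JavaScript string literal unescaped; at minimum it should go through `j` (`escape_javascript`), but the value is also used as the postMessage targetOrigin, and a request without a Referer header renders an empty targetOrigin, which the browser rejects. Better to derive the single allowed origin server-side (the controller's referer/host check already decides who may embed) and skip the postMessage entirely when the referer is absent or not allowed.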
Bug: Referer Header: A Gateway to XSS
The request.referer value is directly interpolated into JavaScript without escaping, creating an XSS vulnerability. A malicious referer header containing a single quote could break out of the string literal and execute arbitrary JavaScript in the parent window context.
Test 4
Replicated from ai-code-review-evaluation/discourse-cursor#4
Note
Introduces an embeddable comments iframe and a backend pipeline to import external articles/RSS into topics using Readability, with new model/jobs, routes, settings, and raw_html cooking.
- embed.js, embed.css.scss, and views/layout to render best replies in an iframe and auto-resize.
- GET /embed/best and EmbedController#best with referer/host checks.
- TopicEmbed model for linking external embed_url to topics; imports content (absolutizes URLs) and updates on change.
- TopicRetriever service and Jobs::RetrieveTopic to fetch/import on demand; scheduled Jobs::PollFeed to parse RSS/Atom via SimpleRSS. TopicEmbed.import_remote.
- Post.cook_methods and raw_html support; skips pipeline when set.
- PostCreator and validation control in PostRevisor.
- topic_embeds table; add posts.cook_method (default), adjust top_topics creation options.
- embedding (embeddable_host, feed_polling_enabled, feed_polling_url, embed_by_username) and client category.
- ruby-readability and simple-rss gems (and lockfile updates).
- TopicRetriever, EmbedController, PollFeed, and TopicEmbed behavior.

Written by Cursor Bugbot for commit 4f8aed2.