From 71084afe5dc62d625a89b74aa004f20df879afbb Mon Sep 17 00:00:00 2001
From: Zachary Keeping
Date: Wed, 8 Nov 2023 10:15:43 +1100
Subject: [PATCH 1/3] Add error handling and response messages to viewsource
---
 api/functions/index.js | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/api/functions/index.js b/api/functions/index.js
index 0a822ec9..37f65493 100644
--- a/api/functions/index.js
+++ b/api/functions/index.js
@@ -146,9 +146,15 @@ app.get('/allscans', async (req, res) => {
 });

 app.get('/viewsource', async (req, res) => {
- const resp = await fetch(req.query.url);
- const source = await resp.text();
- res.send(source);
+ const resp = await fetch(req.query.url).catch((err) => {
+ res.send(`Failed to load source: ${err.message}`);
+ });
+ if (resp.ok) {
+ const source = await resp.text();
+ res.send(source);
+ } else {
+ res.send(`Failed to load source: ${resp.status} - ${resp.statusText}`);
+ }
 });

 app.get('/run/:runId', async (req, res) => {
From b29edc46844747c2980cbacf7f47a7d26fe5f1a5 Mon Sep 17 00:00:00 2001
From: Zachary Keeping
Date: Wed, 8 Nov 2023 11:20:26 +1100
Subject: [PATCH 2/3] Resolve request forgery alert
---
 api/functions/index.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/api/functions/index.js b/api/functions/index.js
index 37f65493..b1519918 100644
--- a/api/functions/index.js
+++ b/api/functions/index.js
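Review bot: In the [PATCH 1/3] hunk, a rejected `fetch` leaves `resp` undefined, because the `.catch` callback sends the failure text and returns nothing, so the following `if (resp.ok)` throws a TypeError after a response has already gone out. The handler is `async` and the hunk shows no try/catch around it, so that throw presumably surfaces as an unhandled rejection instead of a handled error. A guard directly after the await, `if (!resp) return;`, closes that path; the same lines are carried as context into [PATCH 2/3]. Separately, assuming `app` is Express, `res.send(source)` relays the fetched body with the default `text/html` type for strings, so remote markup would render under this API's origin; `res.type('text/plain').send(source)` suits a view-source endpoint better.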
@@ -146,7 +146,16 @@ app.get('/allscans', async (req, res) => {
 });

 app.get('/viewsource', async (req, res) => {
- const resp = await fetch(req.query.url).catch((err) => {
+ const target = new URL(req.query.url);
+ const functionHost = '-sswlinkauditor-c1131.cloudfunctions.net';
+
+ // Prevent fetching from same host to prevent request forgery
+ if (target.hostname.includes(functionHost) || target.hostname === 'localhost') {
+ res.send('Cannot fetch from internal URL');
+ return;
+ }
+
+ const resp = await fetch(target.href).catch((err) => {
 res.send(`Failed to load source: ${err.message}`);
 });
 if (resp.ok) {
From d4f4c41e7ade5030ce739569f4e5ef4de6f4da61 Mon Sep 17 00:00:00 2001
From: Zachary Keeping
Date: Wed, 8 Nov 2023 11:24:01 +1100
Subject: [PATCH 3/3] Update text
---
 api/functions/index.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/api/functions/index.js b/api/functions/index.js
index b1519918..67ce71d8 100644
--- a/api/functions/index.js
+++ b/api/functions/index.js
@@ -149,9 +149,9 @@ app.get('/viewsource', async (req, res) => {
 const target = new URL(req.query.url);
 const functionHost = '-sswlinkauditor-c1131.cloudfunctions.net';

- // Prevent fetching from same host to prevent request forgery
+ // Disallow fetching from same host to prevent request forgery
 if (target.hostname.includes(functionHost) || target.hostname === 'localhost') {
- res.send('Cannot fetch from internal URL');
+ res.send('Cannot fetch from internal host');
 return;
 }
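Review bot: In the [PATCH 2/3] hunk, the hostname comparison is a denylist of two names, so it does not stop the function from being pointed at other internal destinations: IP-literal loopback, private or link-local addresses (the range cloud metadata services live in), or a public URL that redirects to one of them, since `fetch` follows redirects by default. An allowlist of hosts the auditor is expected to view is the stronger control; failing that, restrict the scheme with `if (!['http:', 'https:'].includes(target.protocol))`, pass `{ redirect: 'error' }` to `fetch`, and check the resolved address against internal ranges instead of the hostname string. `new URL(req.query.url)` also throws on a missing or malformed `url` parameter, and no try/catch is visible in this async handler, so it should be wrapped and answered with a 400. The check survives unchanged as context in [PATCH 3/3].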