added url validation to all server requests

2022-05-17 18:04:43 +02:00
parent 7fd5fca0cf
commit d48fe26a35
8 changed files with 59 additions and 31 deletions
--- a/cookbook/provider/dropbox.py
+++ b/cookbook/provider/dropbox.py
@ -4,6 +4,8 @@ import os
 from datetime import datetime

 import requests
+import validators
+
 from cookbook.models import Recipe, RecipeImport, SyncLog
 from cookbook.provider.provider import Provider

@ -104,9 +106,11 @@ class Dropbox(Provider):
            recipe.link = Dropbox.get_share_link(recipe)
            recipe.save()

-        response = requests.get(recipe.link.replace('www.dropbox.', 'dl.dropboxusercontent.'))
+        url = recipe.link.replace('www.dropbox.', 'dl.dropboxusercontent.')
+        if validators.url(url, public=True):
+            response = requests.get(url)

-        return io.BytesIO(response.content)
+            return io.BytesIO(response.content)

    @staticmethod
    def rename_file(recipe, new_name):
--- a/cookbook/provider/nextcloud.py
+++ b/cookbook/provider/nextcloud.py
@ -4,6 +4,7 @@ import tempfile
 from datetime import datetime

 import requests
+import validators
 import webdav3.client as wc
 from cookbook.models import Recipe, RecipeImport, SyncLog
 from cookbook.provider.provider import Provider
@ -92,20 +93,21 @@ class Nextcloud(Provider):
            "Content-Type": "application/json"
        }

-        r = requests.get(
-            url,
-            headers=headers,
-            auth=HTTPBasicAuth(
-                recipe.storage.username, recipe.storage.password
+        if validators.url(url, public=True):
+            r = requests.get(
+                url,
+                headers=headers,
+                auth=HTTPBasicAuth(
+                    recipe.storage.username, recipe.storage.password
+                )
            )
-        )

-        response_json = r.json()
-        for element in response_json['ocs']['data']:
-            if element['share_type'] == '3':
-                return element['url']
+            response_json = r.json()
+            for element in response_json['ocs']['data']:
+                if element['share_type'] == '3':
+                    return element['url']

-        return Nextcloud.create_share_link(recipe)
+            return Nextcloud.create_share_link(recipe)

    @staticmethod
    def get_file(recipe):