mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-15 19:52:01 +03:00
94a4e08809
refs #6644 - urls specified in config.js should be considered whitelisted/trusted - this is not quite straightforward because config.js is not ready at the point the middleware is required - tests have been updated to cover these new cases + use rewire to override the internal whitelist cache
85 lines
2.0 KiB
JavaScript
85 lines
2.0 KiB
JavaScript
var cors = require('cors'),
|
|
_ = require('lodash'),
|
|
url = require('url'),
|
|
os = require('os'),
|
|
config = require('../config'),
|
|
whitelist = [],
|
|
ENABLE_CORS = {origin: true, maxAge: 86400},
|
|
DISABLE_CORS = {origin: false};
|
|
|
|
/**
|
|
* Gather a list of local ipv4 addresses
|
|
* @return {Array<String>}
|
|
*/
|
|
function getIPs() {
|
|
var ifaces = os.networkInterfaces(),
|
|
ips = [
|
|
'localhost'
|
|
];
|
|
|
|
Object.keys(ifaces).forEach(function (ifname) {
|
|
ifaces[ifname].forEach(function (iface) {
|
|
// only support IPv4
|
|
if (iface.family !== 'IPv4') {
|
|
return;
|
|
}
|
|
|
|
ips.push(iface.address);
|
|
});
|
|
});
|
|
|
|
return ips;
|
|
}
|
|
|
|
function getUrls() {
|
|
var urls = [url.parse(config.url).hostname];
|
|
|
|
if (config.urlSSL) {
|
|
urls.push(url.parse(config.urlSSL).hostname);
|
|
}
|
|
|
|
return urls;
|
|
}
|
|
|
|
function getWhitelist() {
|
|
// This needs doing just one time after init
|
|
if (_.isEmpty(whitelist)) {
|
|
// origins that always match: localhost, local IPs, etc.
|
|
whitelist = whitelist.concat(getIPs());
|
|
// Trusted urls from config.js
|
|
whitelist = whitelist.concat(getUrls());
|
|
}
|
|
|
|
return whitelist;
|
|
}
|
|
|
|
/**
|
|
* Checks the origin and enables/disables CORS headers in the response.
|
|
* @param {Object} req express request object.
|
|
* @param {Function} cb callback that configures CORS.
|
|
* @return {null}
|
|
*/
|
|
function handleCORS(req, cb) {
|
|
var origin = req.get('origin'),
|
|
trustedDomains = req.client && req.client.trustedDomains;
|
|
|
|
// Request must have an Origin header
|
|
if (!origin) {
|
|
return cb(null, DISABLE_CORS);
|
|
}
|
|
|
|
// Origin matches a client_trusted_domain
|
|
if (_.some(trustedDomains, {trusted_domain: origin})) {
|
|
return cb(null, ENABLE_CORS);
|
|
}
|
|
|
|
// Origin matches whitelist
|
|
if (getWhitelist().indexOf(url.parse(origin).hostname) > -1) {
|
|
return cb(null, ENABLE_CORS);
|
|
}
|
|
|
|
return cb(null, DISABLE_CORS);
|
|
}
|
|
|
|
module.exports = cors(handleCORS);
|