eightequal/AstralRinth
1
0
Fork 0
forked from didirus/AstralRinth
Code Pull Requests Activity

fix(labrinth): proper page view ingest URL origin filtering (#4344)

Browse Source
This commit is contained in:
Alejandro González
2025-09-11 01:38:27 +02:00
committed by GitHub
parent 58aac642a9
commit 9361acb78e
1 changed files with 8 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
apps/labrinth/src/routes/analytics.rs
View File

@@ -69,17 +69,18 @@ pub async fn page_view_ingest(
let url = Url::parse(&url_input.url).map_err(|_| { let url = Url::parse(&url_input.url).map_err(|_| {
ApiError::InvalidInput("invalid page view URL specified!".to_string()) ApiError::InvalidInput("invalid page view URL specified!".to_string())
})?; })?;
let domain = url.host_str().ok_or_else(|| { let domain = url.host_str().ok_or_else(|| {
ApiError::InvalidInput("invalid page view URL specified!".to_string()) ApiError::InvalidInput("invalid page view URL specified!".to_string())
})?; })?;
let url_origin = url.origin().ascii_serialization();
let allowed_origins = let is_valid_url_origin =
parse_strings_from_var("CORS_ALLOWED_ORIGINS").unwrap_or_default(); parse_strings_from_var("ANALYTICS_ALLOWED_ORIGINS")
if !(domain.ends_with(".modrinth.com") .unwrap_or_default()
|| domain == "modrinth.com" .iter()
|| allowed_origins.contains(&"*".to_string())) .any(|origin| origin == "*" || url_origin == *origin);
{
if !is_valid_url_origin {
return Err(ApiError::InvalidInput( return Err(ApiError::InvalidInput(
"invalid page view URL specified!".to_string(), "invalid page view URL specified!".to_string(),
)); ));