Cherry pick Add allowlist for HelpPage

2022-01-26 10:57:49 +01:00
parent 72533d29c8
commit 2f17d766be
3 changed files with 44 additions and 2 deletions
--- a/src/Umbraco.Core/Help/HelpPageSettings.cs
+++ b/src/Umbraco.Core/Help/HelpPageSettings.cs
@@ -0,0 +1,12 @@
+using System.Configuration;
+
+namespace Umbraco.Core.Help
+{
+    public class HelpPageSettings : IHelpPageSettings
+    {
+        public string HelpPageUrlAllowList =>
+            ConfigurationManager.AppSettings.ContainsKey(Constants.AppSettings.HelpPageUrlAllowList)
+                ? ConfigurationManager.AppSettings[Constants.AppSettings.HelpPageUrlAllowList]
+                : null;
+    }
+}
--- a/src/Umbraco.Core/Help/IHelpPageSettings.cs
+++ b/src/Umbraco.Core/Help/IHelpPageSettings.cs
@@ -0,0 +1,10 @@
+namespace Umbraco.Core.Help
+{
+    public interface IHelpPageSettings
+    {
+        /// <summary>
+        /// Gets the allowed addresses to retrieve data for the help page.
+        /// </summary>
+        string HelpPageUrlAllowList { get; }
+    }
+}
--- a/src/Umbraco.Web.BackOffice/Controllers/HelpController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/HelpController.cs
@@ -1,10 +1,11 @@
-using System.Collections.Generic;
+using System.Collections.Generic;
 using System.Net.Http;
 using System.Runtime.Serialization;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
 using Umbraco.Cms.Web.Common.Attributes;
+using Umbraco.Core.Help;
 using Constants = Umbraco.Cms.Core.Constants;

 namespace Umbraco.Cms.Web.BackOffice.Controllers
@@ -13,8 +14,10 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
    public class HelpController : UmbracoAuthorizedJsonController
    {
        private readonly ILogger<HelpController> _logger;
+        private readonly IHelpPageSettings _helpPageSettings;

-        public HelpController(ILogger<HelpController> logger)
+        public HelpController(ILogger<HelpController> logger,
+            IHelpPageSettings helpPageSettings)
        {
            _logger = logger;
        }
@@ -22,6 +25,12 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
        private static HttpClient _httpClient;
        public async Task<List<HelpPage>> GetContextHelpForPage(string section, string tree, string baseUrl = "https://our.umbraco.com")
        {
+            if (IsAllowedUrl(baseUrl) is false)
+            {
+                Logger.Error<HelpController>($"The following URL is not listed in the allowlist for HelpPage in web.config: {baseUrl}");
+                throw new HttpResponseException(Request.CreateErrorResponse(HttpStatusCode.BadRequest, "HelpPage source not permitted"));
+            }
+
            var url = string.Format(baseUrl + "/Umbraco/Documentation/Lessons/GetContextHelpDocs?sectionAlias={0}&treeAlias={1}", section, tree);

            try
@@ -44,6 +53,17 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers

            return new List<HelpPage>();
        }
+
+        private bool IsAllowedUrl(string url)
+        {
+            if (string.IsNullOrEmpty(_helpPageSettings.HelpPageUrlAllowList) ||
+                _helpPageSettings.HelpPageUrlAllowList.Contains(url))
+            {
+                return true;
+            }
+
+            return false;
+        }
    }

    [DataContract(Name = "HelpPage")]