Merge pull request #11909 from umbraco/v9/feature/allowlist-for-help-page

V9: Add allowlist for HelpPage
2022-01-26 13:25:45 +01:00
parent 4d4aff4c67 d4c43b69f7
commit de6824dfa0
5 changed files with 64 additions and 2 deletions
--- a/src/JsonSchema/AppSettings.cs
+++ b/src/JsonSchema/AppSettings.cs
@@ -89,6 +89,8 @@ namespace JsonSchema
                public LegacyPasswordMigrationSettings LegacyPasswordMigration { get; set; }

                public ContentDashboardSettings ContentDashboard { get; set; }
+
+                public HelpPageSettings HelpPage { get; set; }
            }

            /// <summary>
--- a/src/Umbraco.Core/Configuration/Models/HelpPageSettings.cs
+++ b/src/Umbraco.Core/Configuration/Models/HelpPageSettings.cs
@@ -0,0 +1,11 @@
+namespace Umbraco.Cms.Core.Configuration.Models
+{
+    [UmbracoOptions(Constants.Configuration.ConfigHelpPage)]
+    public class HelpPageSettings
+    {
+        /// <summary>
+        /// Gets or sets the allowed addresses to retrieve data for the content dashboard.
+        /// </summary>
+        public string[] HelpPageUrlAllowList { get; set; }
+    }
+}
--- a/src/Umbraco.Core/Constants-Configuration.cs
+++ b/src/Umbraco.Core/Constants-Configuration.cs
@@ -55,6 +55,7 @@ namespace Umbraco.Cms.Core
            public const string ConfigRichTextEditor = ConfigPrefix + "RichTextEditor";
            public const string ConfigPackageMigration = ConfigPrefix + "PackageMigration";
            public const string ConfigContentDashboard = ConfigPrefix + "ContentDashboard";
+            public const string ConfigHelpPage = ConfigPrefix + "HelpPage";
        }
    }
 }
--- a/src/Umbraco.Core/DependencyInjection/UmbracoBuilder.Configuration.cs
+++ b/src/Umbraco.Core/DependencyInjection/UmbracoBuilder.Configuration.cs
@@ -87,7 +87,8 @@ namespace Umbraco.Cms.Core.DependencyInjection
                .AddUmbracoOptions<RuntimeMinificationSettings>()
                .AddUmbracoOptions<LegacyPasswordMigrationSettings>()
                .AddUmbracoOptions<PackageMigrationSettings>()
-                .AddUmbracoOptions<ContentDashboardSettings>();
+                .AddUmbracoOptions<ContentDashboardSettings>()
+                .AddUmbracoOptions<HelpPageSettings>();

            builder.Services.Configure<RequestHandlerSettings>(options => options.MergeReplacements(builder.Config));

--- a/src/Umbraco.Web.BackOffice/Controllers/HelpController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/HelpController.cs
@@ -1,10 +1,17 @@
-using System.Collections.Generic;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
 using System.Net.Http;
 using System.Runtime.Serialization;
 using System.Threading.Tasks;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using Newtonsoft.Json;
+using Umbraco.Cms.Core.Configuration.Models;
 using Umbraco.Cms.Web.Common.Attributes;
+using Umbraco.Cms.Web.Common.DependencyInjection;
 using Constants = Umbraco.Cms.Core.Constants;

 namespace Umbraco.Cms.Web.BackOffice.Controllers
@@ -13,15 +20,44 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
    public class HelpController : UmbracoAuthorizedJsonController
    {
        private readonly ILogger<HelpController> _logger;
+        private HelpPageSettings _helpPageSettings;

+        [Obsolete("Use constructor that takes IOptions<HelpPageSettings>")]
        public HelpController(ILogger<HelpController> logger)
+            : this(logger, StaticServiceProvider.Instance.GetRequiredService<IOptionsMonitor<HelpPageSettings>>())
+        {
+        }
+
+        [ActivatorUtilitiesConstructor]
+        public HelpController(
+            ILogger<HelpController> logger,
+            IOptionsMonitor<HelpPageSettings> helpPageSettings)
        {
            _logger = logger;
+
+            ResetHelpPageSettings(helpPageSettings.CurrentValue);
+            helpPageSettings.OnChange(ResetHelpPageSettings);
+        }
+
+        private void ResetHelpPageSettings(HelpPageSettings settings)
+        {
+            _helpPageSettings = settings;
        }

        private static HttpClient _httpClient;
+
        public async Task<List<HelpPage>> GetContextHelpForPage(string section, string tree, string baseUrl = "https://our.umbraco.com")
        {
+            if (IsAllowedUrl(baseUrl) is false)
+            {
+                _logger.LogError($"The following URL is not listed in the allowlist for HelpPage in web.config: {baseUrl}");
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
+
+                // Ideally we'd want to return a BadRequestResult here,
+                // however, since we're not returning ActionResult this is not possible and changing it would be a breaking change.
+                return new List<HelpPage>();
+            }
+
            var url = string.Format(baseUrl + "/Umbraco/Documentation/Lessons/GetContextHelpDocs?sectionAlias={0}&treeAlias={1}", section, tree);

            try
@@ -44,6 +80,17 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers

            return new List<HelpPage>();
        }
+
+        private bool IsAllowedUrl(string url)
+        {
+            if (_helpPageSettings.HelpPageUrlAllowList is null ||
+                _helpPageSettings.HelpPageUrlAllowList.Contains(url))
+            {
+                return true;
+            }
+
+            return false;
+        }
    }

    [DataContract(Name = "HelpPage")]