Enhance embed URL handling and validation system #7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
adamsaimi
commented
Oct 25, 2025
| return if user.blank? | ||
|
|
||
| require 'simple-rss' | ||
| rss = SimpleRSS.parse open(SiteSetting.feed_polling_url) |
Owner
Author
There was a problem hiding this comment.
[Security] Server-Side Request Forgery (SSRF) in poll_feed
- Problem: The
open(SiteSetting.feed_polling_url)call lacks URL validation, making it vulnerable to SSRF if the URL is attacker-controlled. - Fix: Implement strict URL validation (whitelist schemes, restrict public IP ranges, prevent internal network access) before calling
open.
adamsaimi
commented
Oct 25, 2025
| def cook(*args) | ||
| # For some posts, for example those imported via RSS, we support raw HTML. In that | ||
| # case we can skip the rendering pipeline. | ||
| return raw if cook_method == Post.cook_methods[:raw_html] |
Owner
Author
There was a problem hiding this comment.
[Security] Cross-Site Scripting (XSS) via raw_html cook method
- Problem: The
raw_htmlcook method bypasses sanitization, allowing malicious HTML/JavaScript from imported content to be rendered directly, leading to XSS. - Fix: Apply robust HTML sanitization (e.g.,
Sanitizegem) to all externalcontentsbefore saving and rendering, even whencook_methodisraw_html.
adamsaimi
commented
Oct 25, 2025
| require 'ruby-readability' | ||
|
|
||
| opts = opts || {} | ||
| doc = Readability::Document.new(open(url).read, |
Owner
Author
There was a problem hiding this comment.
[Security] Server-Side Request Forgery (SSRF) in import_remote
- Problem: The
open(url).readcall inimport_remotelacks URL validation, making it vulnerable to SSRF ifurlis attacker-controlled. - Fix: Implement strict URL validation (whitelist schemes, restrict public IP ranges, prevent internal network access) before calling
open.
adamsaimi
commented
Oct 25, 2025
| <img src='<%= post.user.small_avatar_url %>'> | ||
| <h3><%= post.user.username %></h3> | ||
| </div> | ||
| <div class='cooked'><%= raw post.cooked %></div> |
Owner
Author
There was a problem hiding this comment.
[Security] Cross-Site Scripting (XSS) via raw post.cooked rendering
- Problem: Directly rendering
raw post.cookedfrom untrusted external sources allows malicious HTML/JavaScript to execute, leading to XSS. - Fix: Ensure all
raw_htmlcontent is thoroughly sanitized against XSS before storage or rendering, or apply a strict sanitization filter at the rendering stage.
adamsaimi
commented
Oct 25, 2025
|
|
||
| function postMessageReceived(e) { | ||
| if (!e) { return; } | ||
| if (discourseUrl.indexOf(e.origin) === -1) { return; } |
Owner
Author
There was a problem hiding this comment.
[Security] Weak postMessage Origin Validation
- Problem: The
indexOfcheck fore.originis insufficient, allowing attackers to bypass validation with crafted domains and receive sensitivepostMessagedata. - Fix: Implement robust origin validation using exact equality (
e.origin === discourseUrl) or by parsing and comparingURL.hostproperties.
adamsaimi
commented
Oct 25, 2025
| validates_presence_of :content_sha1 | ||
|
|
||
| # Import an article from a source (RSS/Atom/Other) | ||
| def self.import(user, url, title, contents) |
Owner
Author
There was a problem hiding this comment.
[Architecture] Service Logic in TopicEmbed Model
- Problem:
TopicEmbed.importandTopicEmbed.import_remotecontain extensive business logic, violating the Single Responsibility Principle and making the model bloated and less maintainable. - Fix: Extract complex service-like logic (content fetching, parsing, orchestration) into dedicated service objects or modules.
adamsaimi
commented
Oct 25, 2025
| window.onload = function() { | ||
| if (parent) { | ||
| // Send a post message with our loaded height | ||
| parent.postMessage({type: 'discourse-resize', height: document['body'].offsetHeight}, '<%= request.referer %>'); |
Owner
Author
There was a problem hiding this comment.
[Security] Weak postMessage Target Origin
- Problem: Using
request.refererastargetOriginforpostMessageis insecure, asReferercan be spoofed, leading to information leakage to malicious origins. - Fix: Set
targetOriginto a fixed, known, and trusted origin (e.g.,SiteSetting.embeddable_host) instead of relying onrequest.referer.
adamsaimi
commented
Oct 25, 2025
| end | ||
|
|
||
| def cook(*args) | ||
| # For some posts, for example those imported via RSS, we support raw HTML. In that |
Owner
Author
There was a problem hiding this comment.
[Architecture] Divergent Post Processing Pipeline for raw_html
- Problem:
raw_htmlposts bypass the standardPlugin::Filter.apply(:after_post_cook)step, creating inconsistencies and potential missed plugin functionality. - Fix: Re-evaluate the
raw_htmlcook method to ensure it integrates with or explicitly handles the standard post-cooking pipeline, or document the divergence clearly.
adamsaimi
commented
Oct 25, 2025
|
|
||
| # First check RSS if that is enabled | ||
| if SiteSetting.feed_polling_enabled? | ||
| Jobs::PollFeed.new.execute({}) |
Owner
Author
There was a problem hiding this comment.
[Architecture] Synchronous Job Execution in TopicRetriever
- Problem:
TopicRetrieverdirectly callsJobs::PollFeed.new.execute({}), bypassing the asynchronous job queue and potentially blocking the retriever. - Fix: Enqueue
Jobs::PollFeedproperly for background execution to leverage asynchronous processing and avoid blockingTopicRetriever.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Test 4