From ed0fb617ef629a39d27441336951c098b13324d0 Mon Sep 17 00:00:00 2001 From: Martin Kraft Date: Fri, 24 Aug 2018 08:49:31 -0400 Subject: MM-11786: Adds API endpoint to retrieve redirect locations. (#9284) --- api4/system.go | 32 ++++++++++++++++++++++++++++++++ api4/system_test.go | 34 ++++++++++++++++++++++++++++++++++ model/client4.go | 15 +++++++++++++++ 3 files changed, 81 insertions(+) diff --git a/api4/system.go b/api4/system.go index 9177b8940..65d3b424b 100644 --- a/api4/system.go +++ b/api4/system.go @@ -40,6 +40,8 @@ func (api *API) InitSystem() { api.BaseRoutes.ApiRoot.Handle("/logs", api.ApiHandler(postLog)).Methods("POST") api.BaseRoutes.ApiRoot.Handle("/analytics/old", api.ApiSessionRequired(getAnalytics)).Methods("GET") + + api.BaseRoutes.ApiRoot.Handle("/redirect_location", api.ApiSessionRequiredTrustRequester(getRedirectLocation)).Methods("GET") } func getSystemPing(c *Context, w http.ResponseWriter, r *http.Request) { @@ -447,3 +449,33 @@ func testS3(c *Context, w http.ResponseWriter, r *http.Request) { ReturnStatusOK(w) } + +func getRedirectLocation(c *Context, w http.ResponseWriter, r *http.Request) { + url := r.URL.Query().Get("url") + if len(url) == 0 { + c.SetInvalidParam("url") + return + } + + client := &http.Client{ + CheckRedirect: func(req *http.Request, via []*http.Request) error { + return http.ErrUseLastResponse + }, + } + + m := make(map[string]string) + m["location"] = "" + + res, err := client.Head(url) + if err != nil { + // Always return a success status and a JSON string to limit the amount of information returned to a + // hacker attempting to use Mattermost to probe a private network. + w.Write([]byte(model.MapToJson(m))) + return + } + + m["location"] = res.Header.Get("Location") + + w.Write([]byte(model.MapToJson(m))) + return +} diff --git a/api4/system_test.go b/api4/system_test.go index 205572cf6..c66e08976 100644 --- a/api4/system_test.go +++ b/api4/system_test.go @@ -3,6 +3,7 @@ package api4 import ( "fmt" "net/http" + "net/http/httptest" "os" "strings" "testing" @@ -700,3 +701,36 @@ func TestSupportedTimezones(t *testing.T) { CheckNoError(t, resp) assert.Equal(t, supportedTimezonesFromConfig, supportedTimezones) } + +func TestRedirectLocation(t *testing.T) { + expected := "https://mattermost.com/wp-content/themes/mattermostv2/img/logo-light.svg" + + testServer := httptest.NewServer(http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) { + res.Header().Set("Location", expected) + res.WriteHeader(http.StatusFound) + res.Write([]byte("body")) + })) + defer func() { testServer.Close() }() + + mockBitlyLink := testServer.URL + + th := Setup().InitBasic().InitSystemAdmin() + defer th.TearDown() + Client := th.Client + + _, resp := th.SystemAdminClient.GetRedirectLocation("https://mattermost.com/", "") + CheckNoError(t, resp) + + _, resp = th.SystemAdminClient.GetRedirectLocation("", "") + CheckBadRequestStatus(t, resp) + + actual, resp := th.SystemAdminClient.GetRedirectLocation(mockBitlyLink, "") + CheckNoError(t, resp) + if actual != expected { + t.Errorf("Expected %v but got %v.", expected, actual) + } + + Client.Logout() + _, resp = Client.GetRedirectLocation("", "") + CheckUnauthorizedStatus(t, resp) +} diff --git a/model/client4.go b/model/client4.go index 48627c4b0..4f651b976 100644 --- a/model/client4.go +++ b/model/client4.go @@ -397,6 +397,10 @@ func (c *Client4) GetTotalUsersStatsRoute() string { return fmt.Sprintf(c.GetUsersRoute() + "/stats") } +func (c *Client4) GetRedirectLocationRoute() string { + return fmt.Sprintf("/redirect_location") +} + func (c *Client4) DoApiGet(url string, etag string) (*http.Response, *AppError) { return c.DoApiRequest(http.MethodGet, c.ApiUrl+url, "", etag) } @@ -3771,3 +3775,14 @@ func (c *Client4) UpdateTeamScheme(teamId, schemeId string) (bool, *Response) { return CheckStatusOK(r), BuildResponse(r) } } + +// GetRedirectLocation retrieves the value of the 'Location' header of an HTTP response for a given URL. +func (c *Client4) GetRedirectLocation(urlParam, etag string) (string, *Response) { + url := fmt.Sprintf("%s?url=%s", c.GetRedirectLocationRoute(), url.QueryEscape(urlParam)) + if r, err := c.DoApiGet(url, etag); err != nil { + return "", BuildErrorResponse(r, err) + } else { + defer closeBody(r) + return MapFromJson(r.Body)["location"], BuildResponse(r) + } +} -- cgit v1.2.3-1-g7c22