From ed0fb617ef629a39d27441336951c098b13324d0 Mon Sep 17 00:00:00 2001
From: Martin Kraft <martinkraft@gmail.com>
Date: Fri, 24 Aug 2018 08:49:31 -0400
Subject: MM-11786: Adds API endpoint to retrieve redirect locations. (#9284)

---
 api4/system.go | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

(limited to 'api4/system.go')

diff --git a/api4/system.go b/api4/system.go
index 9177b8940..65d3b424b 100644
--- a/api4/system.go
+++ b/api4/system.go
@@ -40,6 +40,8 @@ func (api *API) InitSystem() {
 	api.BaseRoutes.ApiRoot.Handle("/logs", api.ApiHandler(postLog)).Methods("POST")
 
 	api.BaseRoutes.ApiRoot.Handle("/analytics/old", api.ApiSessionRequired(getAnalytics)).Methods("GET")
+
+	api.BaseRoutes.ApiRoot.Handle("/redirect_location", api.ApiSessionRequiredTrustRequester(getRedirectLocation)).Methods("GET")
 }
 
 func getSystemPing(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -447,3 +449,33 @@ func testS3(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	ReturnStatusOK(w)
 }
+
+func getRedirectLocation(c *Context, w http.ResponseWriter, r *http.Request) {
+	url := r.URL.Query().Get("url")
+	if len(url) == 0 {
+		c.SetInvalidParam("url")
+		return
+	}
+
+	client := &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+
+	m := make(map[string]string)
+	m["location"] = ""
+
+	res, err := client.Head(url)
+	if err != nil {
+		// Always return a success status and a JSON string to limit the amount of information returned to a
+		// hacker attempting to use Mattermost to probe a private network.
+		w.Write([]byte(model.MapToJson(m)))
+		return
+	}
+
+	m["location"] = res.Header.Get("Location")
+
+	w.Write([]byte(model.MapToJson(m)))
+	return
+}
-- 
cgit v1.2.3-1-g7c22