IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Limit /inline-onebox to 10 URLs at a time

Browse Source
This commit is contained in:
OsamaSayegh
2024-11-26 23:04:39 +03:00
committed by Roman Rizzi
parent 6d0173c9bd
commit 416ec83ae5
6 changed files with 228 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
app/controllers/inline_onebox_controller.rb
View File

@@ -1,10 +1,30 @@
# frozen_string_literal: true
class InlineOneboxController < ApplicationController
MAX_URLS_LIMIT = 10
requires_login
def show
urls = params[:urls] || []
if urls.size > MAX_URLS_LIMIT
render json: failed_json.merge(errors: [I18n.t("inline_oneboxer.too_many_urls")]), status: 413
return
end
current_user_id = current_user.id
if InlineOneboxer.is_previewing?(current_user_id)
response.headers["Retry-After"] = "60"
render json: failed_json.merge(errors: [I18n.t("inline_oneboxer.concurrency_not_allowed")]),
status: 429
return
end
hijack do
InlineOneboxer.preview!(current_user_id)
oneboxes =
InlineOneboxer.new(
params[:urls] || [],
@@ -12,6 +32,8 @@ class InlineOneboxController < ApplicationController
category_id: params[:category_id].to_i,
topic_id: params[:topic_id].to_i,
).process
InlineOneboxer.finish_preview!(current_user_id)
render json: { "inline-oneboxes" => oneboxes }
end
end