SECURITY: Use FinalDestination for topic embeds

2025-02-25 18:55:32 -06:00 · 2020-05-27 09:23:55 -06:00
parent 2a4db15544
commit da839e6d26
2 changed files with 17 additions and 8 deletions
--- a/app/models/topic_embed.rb
+++ b/app/models/topic_embed.rb
@@ -109,7 +109,14 @@ class TopicEmbed < ActiveRecord::Base

    url = UrlHelper.escape_uri(url)
    original_uri = URI.parse(url)
-    raise URI::InvalidURIError unless original_uri.is_a?(URI::HTTP)
+    fd = FinalDestination.new(
+      url,
+      validate_uri: true,
+      max_redirects: 5
+    )
+
+    url = fd.resolve
+    raise URI::InvalidURIError if url.blank?

    opts = {
      tags: %w[div p code pre h1 h2 h3 b em i strong a img ul li ol blockquote],