Add handling of posts with unsafe links. (#26129)

* Add handling of posts with unsafe links. * Lint * Add some tests. * Remove interal links exception * Add exception for links that start with siteurl, except image proxy * Allow only permalinks * Don't interperate regex in siteURL * Negate the external requests helper * Modify prop check to only check for 'true' * Move regex outside function.
2025-02-25 18:55:24 -06:00 · 2024-02-13 09:28:30 -08:00 · 2024-02-13 09:28:30 -08:00 · 3bf8574b0d
commit 3bf8574b0d
parent daab9d5ff5
7 changed files with 80 additions and 2 deletions
--- a/webapp/channels/src/components/markdown_image/index.ts
+++ b/webapp/channels/src/components/markdown_image/index.ts
@ -5,9 +5,23 @@ import {connect} from 'react-redux';
 import {bindActionCreators} from 'redux';
 import type {Dispatch} from 'redux';

+import {getPost} from 'mattermost-redux/selectors/entities/posts';
+
 import {openModal} from 'actions/views/modals';

+import type {GlobalState} from 'types/store';
+
 import MarkdownImage from './markdown_image';
+import type {Props} from './markdown_image';
+
+function mapStateToProps(state: GlobalState, ownProps: Props) {
+    const post = getPost(state, ownProps.postId);
+    const isUnsafeLinksPost = post?.props?.unsafe_links === 'true';
+
+    return {
+        isUnsafeLinksPost,
+    };
+}

 function mapDispatchToProps(dispatch: Dispatch) {
    return {
@ -17,6 +31,6 @@ function mapDispatchToProps(dispatch: Dispatch) {
    };
 }

-const connector = connect(null, mapDispatchToProps);
+const connector = connect(mapStateToProps, mapDispatchToProps);

 export default connector(MarkdownImage);
--- a/webapp/channels/src/components/markdown_image/markdown_image.test.tsx
+++ b/webapp/channels/src/components/markdown_image/markdown_image.test.tsx
@ -332,4 +332,12 @@ describe('components/MarkdownImage', () => {

        expect(childrenWrapper).toMatchSnapshot();
    });
+
+    test('should render a alt text if the link is unsafe', () => {
+        const props = {...baseProps, isUnsafeLinksPost: true};
+        const wrapper = shallow(
+            <MarkdownImage {...props}/>,
+        );
+        expect(wrapper.text()).toBe(props.alt);
+    });
 });
--- a/webapp/channels/src/components/markdown_image/markdown_image.tsx
+++ b/webapp/channels/src/components/markdown_image/markdown_image.tsx
@ -36,6 +36,7 @@ export type Props = {
        openModal: <P>(modalData: ModalData<P>) => void;
    };
    hideUtilities?: boolean;
+    isUnsafeLinksPost: boolean;
 };

 type State = {
@ -156,6 +157,9 @@ export default class MarkdownImage extends PureComponent<Props, State> {
                </div>
            );
        }
+        if (this.props.isUnsafeLinksPost) {
+            return <>{alt}</>;
+        }
        return (
            <ExternalImage
                src={src}
--- a/webapp/channels/src/utils/markdown/index.test.ts
+++ b/webapp/channels/src/utils/markdown/index.test.ts
@ -163,4 +163,23 @@ this is long text this is long text this is long text this is long text this is
            });
        }
    });
+
+    test('unsafe mode links are rendered as text : link', () => {
+        const testCases = [
+            {input: '[link text](http://markdownlink.com)', expected: '<p>link text : http://markdownlink.com</p>'},
+            {input: '[link text](//markdownlink.com/test)', expected: '<p>link text : //markdownlink.com/test</p>'},
+            {input: '[link text](http://my.site.com/whatever)', expected: '<p>link text : http://my.site.com/whatever</p>'},
+            {input: '[link text](http://my.site.com/api/v4/image?url=ohno)', expected: '<p>link text : http://my.site.com/api/v4/image?url=ohno</p>'},
+            {input: '[link text](http://my.site.com/_redirect/pl/c18xpcpusjd88en1g4j7us31ur)', expected: '<p><a class="theme markdown__link" href="http://my.site.com/_redirect/pl/c18xpcpusjd88en1g4j7us31ur" rel="noreferrer" data-link="/_redirect/pl/c18xpcpusjd88en1g4j7us31ur">link text</a></p>'},
+            {input: '[link text](http://my.site.com/someteam/pl/c18xpcpusjd88en1g4j7us31ur)', expected: '<p><a class="theme markdown__link" href="http://my.site.com/someteam/pl/c18xpcpusjd88en1g4j7us31ur" rel="noreferrer" data-link="/someteam/pl/c18xpcpusjd88en1g4j7us31ur">link text</a></p>'},
+            {input: '[link text](http://my.site.com/_redirect/pl/c18xpcpusjd88en1g4j7us31ur/ohno)', expected: '<p>link text : http://my.site.com/_redirect/pl/c18xpcpusjd88en1g4j7us31ur/ohno</p>'},
+            {input: '[link text](http://my.site.com/more/stuff/here/pl/c18xpcpusjd88en1g4j7us31ur)', expected: '<p>link text : http://my.site.com/more/stuff/here/pl/c18xpcpusjd88en1g4j7us31ur</p>'},
+            {input: '[link text](http://myqsite.com/someteam/pl/c18xpcpusjd88en1g4j7us31ur)', expected: '<p>link text : http://myqsite.com/someteam/pl/c18xpcpusjd88en1g4j7us31ur</p>'},
+
+        ];
+        for (const testCase of testCases) {
+            const output = format(testCase.input, {unsafeLinks: true, siteURL: 'http://my.site.com'});
+            expect(output).toEqual(testCase.expected);
+        }
+    });
 });
--- a/webapp/channels/src/utils/markdown/renderer.tsx
+++ b/webapp/channels/src/utils/markdown/renderer.tsx
@ -7,7 +7,7 @@ import type {MarkedOptions} from 'marked';
 import EmojiMap from 'utils/emoji_map';
 import * as PostUtils from 'utils/post_utils';
 import * as TextFormatting from 'utils/text_formatting';
-import {getScheme, isUrlSafe, shouldOpenInNewTab} from 'utils/url';
+import {mightTriggerExternalRequest, getScheme, isUrlSafe, shouldOpenInNewTab} from 'utils/url';

 import {parseImageDimensions} from './helpers';

@ -136,6 +136,13 @@ export default class Renderer extends marked.Renderer {
    public link(href: string, title: string, text: string, isUrl = false) {
        let outHref = href;

+        if (this.formattingOptions.unsafeLinks && mightTriggerExternalRequest(href, this.formattingOptions.siteURL)) {
+            if (text === href) {
+                return text;
+            }
+            return text + ' : ' + href;
+        }
+
        if (!href.startsWith('/')) {
            const scheme = getScheme(href);
            if (!scheme) {
--- a/webapp/channels/src/utils/text_formatting.tsx
+++ b/webapp/channels/src/utils/text_formatting.tsx
@ -200,6 +200,13 @@ export interface TextFormattingOptionsBase {
     * Defaults to `false`.
     */
    atPlanMentions: boolean;
+
+    /**
+     * If true, the renderer will assume links are not safe.
+     *
+     * Defaults to `false`.
+     */
+    unsafeLinks: boolean;
 }

 export type TextFormattingOptions = Partial<TextFormattingOptionsBase>;
@ -227,6 +234,7 @@ const DEFAULT_OPTIONS: TextFormattingOptions = {
    proxyImages: false,
    editedAt: 0,
    postId: '',
+    unsafeLinks: false,
 };

 /**
--- a/webapp/channels/src/utils/url.tsx
+++ b/webapp/channels/src/utils/url.tsx
@ -168,6 +168,24 @@ export function validateChannelUrl(url: string, intl?: IntlShape): Array<React.R
    return errors;
 }

+// Returns true when the URL could possibly cause any external requests.
+// Currently returns false only for permalinks
+const permalinkPath = new RegExp('^/[0-9a-z_-]{1,64}/pl/[0-9a-z_-]{26}$');
+export function mightTriggerExternalRequest(url: string, siteURL?: string): boolean {
+    if (siteURL && siteURL !== '') {
+        let standardSiteURL = siteURL;
+        if (standardSiteURL[standardSiteURL.length - 1] === '/') {
+            standardSiteURL = standardSiteURL.substring(0, standardSiteURL.length - 1);
+        }
+        if (!url.startsWith(standardSiteURL)) {
+            return true;
+        }
+        const afterSiteURL = url.substring(standardSiteURL.length);
+        return !permalinkPath.test(afterSiteURL);
+    }
+    return true;
+}
+
 export function isInternalURL(url: string, siteURL?: string): boolean {
    return url.startsWith(siteURL || '') || url.startsWith('/');
 }