Merge pull request #487 from vimeo/fixing-path-traversal-bugs
Browse files Browse the repository at this point in the history
Allow prepopulated query parameters while disallowing path traversal and other hosts
anthonycr authored May 13, 2021
2 parents 350ead2 + 0011a84 commit 0caddf3
Showing 4 changed files with 244 additions and 217 deletions.
Expand Up @@ -27,6 +27,7 @@ import com.vimeo.networking2.ApiConstants
import com.vimeo.networking2.internal.ErrorHandlingCallAdapterFactory
import com.vimeo.networking2.internal.interceptor.AcceptHeaderInterceptor
import com.vimeo.networking2.internal.interceptor.CacheControlHeaderInterceptor
import com.vimeo.networking2.internal.interceptor.HostValidationInterceptor
import com.vimeo.networking2.internal.interceptor.LanguageHeaderInterceptor
import com.vimeo.networking2.internal.interceptor.UserAgentHeaderInterceptor
import com.vimeo.networking2.internal.params.StringValueJsonAdapterFactory
Expand Down Expand Up @@ -62,6 +63,7 @@ object RetrofitSetupModule {
@JvmStatic
fun retrofit(vimeoApiConfiguration: VimeoApiConfiguration): Retrofit {
val interceptors = mutableListOf(
HostValidationInterceptor(vimeoApiConfiguration),
UserAgentHeaderInterceptor(vimeoApiConfiguration.compositeUserAgent),
AcceptHeaderInterceptor(),
LanguageHeaderInterceptor(vimeoApiConfiguration.locales)
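Review bot: Placing `HostValidationInterceptor(vimeoApiConfiguration)` first in `interceptors` only guarantees validation of the request as the application issues it; whether it also sees redirect targets depends on how the list is registered, which the hunk does not show (`retrofit` continues outside the hunk). If these are installed with `addInterceptor` (application interceptors), OkHttp's redirect following happens later in the chain, so a 3xx to another host would not pass back through this check; registering it with `addNetworkInterceptor`, or disabling `followRedirects`, closes that gap. A short comment on the `interceptors` list stating which of the two is intended, e.g. `// Host validation runs first so no later interceptor sees a request to a foreign host`, would make the guarantee explicit for the next maintainer.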
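--- /dev/null
+++ b/<module-path-not-shown>/com/vimeo/networking2/internal/interceptor/HostValidationInterceptor.kt
@@ -0,0 +1,25 @@
+package com.vimeo.networking2.internal.interceptor
+
+import com.vimeo.networking2.config.VimeoApiConfiguration
+import okhttp3.HttpUrl
+import okhttp3.Interceptor
+import okhttp3.Response
+import okio.IOException
+
+/**
+* An interceptor that ensures that only requests to the host specified in the [VimeoApiConfiguration] are made. This
+* prevents unexpected requests from being made to other hosts.
+*
+* @param vimeoApiConfiguration The configuration used to determine the expected host.
+*/
+class HostValidationInterceptor(private val vimeoApiConfiguration: VimeoApiConfiguration) : Interceptor {
+private val httpUrl = HttpUrl.parse(vimeoApiConfiguration.baseUrl)
+
+override fun intercept(chain: Interceptor.Chain): Response =
+if (chain.request().url().host() != httpUrl?.host()) {
+throw IOException("Host must match specified base URL, was ${chain.request().url().host()}, " +
+"expected ${httpUrl?.host()}")
+} else {
+chain.proceed(chain.request())
+}
+}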
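Review bot: The `if` in `intercept` compares only `host()`, so a request to the configured host over a different scheme or port (a plaintext `http://` URL built from the same host, for instance) passes validation even though it is not a request to the configured base URL; comparing `scheme()` and `port()` from `httpUrl` as well pins the request to the base URL the KDoc promises. Separately, when `HttpUrl.parse` returns null for a malformed `baseUrl`, every request is rejected with `expected null` — fail-closed, which is right, but the message hides the real misconfiguration, so resolving the parsed URL once with a clear error is easier to diagnose. Keep the message to scheme/host/port rather than the full URL, since the PR's point is that query parameters may be prepopulated and they should not end up in exception text.
```kotlin
// … unchanged: class header and httpUrl property …
override fun intercept(chain: Interceptor.Chain): Response {
    val expected = httpUrl ?: throw IOException("Invalid base URL: ${vimeoApiConfiguration.baseUrl}")
    val url = chain.request().url()
    if (url.scheme() != expected.scheme() || url.host() != expected.host() || url.port() != expected.port()) {
        throw IOException(
            "Request must match specified base URL, was ${url.scheme()}://${url.host()}:${url.port()}, " +
                "expected ${expected.scheme()}://${expected.host()}:${expected.port()}"
        )
    }
    return chain.proceed(chain.request())
}
```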
