match direct link with regex, close #248 #251

2022-01-10 19:21:28 +08:00 · 2022-01-10 19:21:28 +08:00 · 03e1772d38
parent 07f4a61aaa
commit 03e1772d38
2 changed files with 12 additions and 4 deletions
--- a/config/api.json
+++ b/config/api.json
@ -5,5 +5,5 @@
  "authApi": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
  "driveApi": "https://graph.microsoft.com/v1.0/me/drive",
  "scope": "user.read files.read.all offline_access",
-  "directLink": "https://public.dm.files.1drv.com"
+  "directLinkRegex": "public[.].*[.]files[.]1drv[.]com"
 }
--- a/pages/api/proxy.ts
+++ b/pages/api/proxy.ts
@ -7,10 +7,18 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
  // 'inline' is used for previewing PDF files inside the browser directly
  const { url, inline = false } = req.query

+  if (!url || typeof url !== 'string') {
+    res.status(400).json({ error: 'Bad request, URL is not valid.' })
+    return
+  }
+
  // Only handle urls that start with OneDrive's own direct link (or SharePoint's):
-  // https://public.dm.files.1drv.com/y4m0G_0GPeS8AXGrux-lVV79eU1F38VbWxtCSi-8-aUkBLeZH1H6...
-  if (!url || !(url as string).startsWith(apiConfig.directLink)) {
-    res.status(400).json({ error: 'Invalid URL' })
+  // https://public.*.files.1drv.com/y4m0G_0GPeS8AXGrux-lVV79eU1F38VbWxtCSi-8-aUkBLeZH1H6...
+  const hostname = new URL(url).hostname
+  if (hostname.match(new RegExp(apiConfig.directLinkRegex)) === null) {
+    res
+      .status(400)
+      .json({ error: `URL forbidden, only OneDrive direct links that match ${apiConfig.directLinkRegex} are allowed.` })
    return
  }