Merge pull request #49 from pbrown-d2l/pbrown/DE34994

Adding rudimentary whitelist support in lieu of globally available ge…

package.json

@@ -30,7 +30,7 @@
     "wct-browser-legacy": "^1.0.1",
     "whatwg-fetch": "^2.0.0"
   },
-  "version": "1.1.0",
+  "version": "1.1.1",
   "resolutions": {
     "inherits": "2.0.3",
     "samsam": "1.1.3",

store/entity-store.js

@@ -1,5 +1,6 @@
 import 'd2l-fetch/d2l-fetch.js';
 import SirenParse from 'siren-parser';
+import './whitelist-behavior.js';
 
 function noop() {}
 
@@ -126,6 +127,9 @@ window.D2L.Siren.EntityStore = {
 		if (!entityId) {
 			return Promise.reject(new Error('Cannot fetch undefined entityId'));
 		}
+		if (!window.D2L.Siren.WhitelistBehavior.isWhitelisted(entityId)) {
+			return Promise.reject(new Error('Invalid request url; must be a valid whitelisted domain.'));
+		}
 		return this.getToken(token).then(function(resolved) {
 
 			const cacheKey = resolved.cacheKey;

store/siren-action-behavior.js

@@ -1,6 +1,7 @@
 import SirenParse from 'siren-parser';
 import './entity-store.js';
 import './action-queue.js';
+import './whitelist-behavior.js';
 
 window.D2L = window.D2L || {};
 window.D2L.PolymerBehaviors = window.D2L.PolymerBehaviors || {};
@@ -149,6 +150,9 @@ D2L.PolymerBehaviors.Siren.SirenActionBehaviorImpl = {
 		tokenValue && headers.append('Authorization', 'Bearer ' + tokenValue);
 
 		var url = this.getEntityUrl(action, fields);
+		if (!window.D2L.Siren.WhitelistBehavior.isWhitelisted(url)) {
+			return Promise.reject(new Error('Invalid request url; must be a valid whitelisted domain.'));
+		}
 		var body;
 
 		if (fields) {

store/whitelist-behavior.js

@@ -0,0 +1,56 @@
+// 'use strict';
+
+window.D2L = window.D2L || {};
+window.D2L.Siren = window.D2L.Siren || {};
+
+window.D2L.Siren.WhitelistBehavior = {
+	properties: {
+		_inTestMode: {
+			type: Boolean,
+			value: false
+		}
+	},
+
+	_testMode: function(isTestMode) {
+		this._inTestMode = isTestMode;
+	},
+
+	isWhitelisted: function(url) {
+		if (this._inTestMode) {
+			return true;
+		}
+		const whitelistedDomains = [
+			'api.proddev.d2l',
+			'api.dev.brightspace.com',
+			'api.brightspace.com',
+			'bff.dev.brightspace.com'
+		];
+		/* expression taken from URI spec parsing section: https://tools.ietf.org/html/rfc3986#appendix-B
+		   useful groups:
+			 protocol  = $2
+			 host	  = $4
+			 path	  = $5
+			 query	 = $6
+			 fragment  = $7
+		*/
+		var uriExpression = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/; //eslint-disable-line no-useless-escape
+		var match_protocol  = 2;
+		var match_host  = 4;
+
+		var matches = url.match(uriExpression);
+		if (matches[match_protocol] !== 'https') {
+			return false;
+		}
+		var host = matches[match_host];
+		if (!host) {
+			return false;
+		}
+		return 0 <= whitelistedDomains
+			.findIndex(function(domain) {
+				if (domain === host) {
+					return true;
+				}
+				return host.endsWith('.' + domain);
+			});
+	}
+};

test/entity-behavior.js

@@ -9,6 +9,7 @@ suite('entity-behavior', function() {
 	setup(function(done) {
 		sandbox = sinon.sandbox.create();
 		element = fixture('basic');
+		window.D2L.Siren.WhitelistBehavior._testMode(true);
 
 		function waitForLoad(e) {
 			if (e.detail.entity.getLinkByRel('self').href === 'static-data/199.json') {
@@ -23,6 +24,7 @@ suite('entity-behavior', function() {
 	});
 
 	teardown(function() {
+		window.D2L.Siren.WhitelistBehavior._testMode(false);
 		sandbox.restore();
 	});
 

test/entity-store.js

@@ -9,9 +9,11 @@ suite('entity-store', function() {
 	setup(function() {
 		sandbox = sinon.sandbox.create();
 		window.D2L.Siren.EntityStore.clear();
+		window.D2L.Siren.WhitelistBehavior._testMode(true);
 	});
 
 	teardown(function() {
+		window.D2L.Siren.WhitelistBehavior._testMode(false);
 		sandbox.restore();
 	});
 

test/siren-action-behavior.js

@@ -76,10 +76,12 @@ suite('siren-action-behavior', function() {
 		sandbox = sinon.sandbox.create();
 		element = fixture('basic');
 		element.token = 'foozleberries';
+		window.D2L.Siren.WhitelistBehavior._testMode(true);
 		stubWhitelist();
 	});
 
 	teardown(function() {
+		window.D2L.Siren.WhitelistBehavior._testMode(false);
 		sandbox.restore();
 	});