Item15099: deprecate expand and render REST handler

whitelist allowed macros to tag handler
foswiki · Apr 29, 2022 · 91e355e · 91e355e
1 parent ad93a98
commit 91e355e
Show file tree

Hide file tree

Showing 7 changed files with 151 additions and 67 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
+*.jslint
 *.gz
 *.swp
 /RenderPlugin.md5

diff --git a/data/System/RenderPlugin.txt b/data/System/RenderPlugin.txt
@@ -38,6 +38,11 @@ a parametrized =INCLUDE=, as it is used on server side <nop>WikiApplications (se
 The available REST handlers are:
 
 | *Handler* | *Parameters* | *Description* |
+| =template= | =name=, %BR% =expand=, %BR% =render=, %BR% =filename= | this handler loads the template =name= and expands the macro \
+  given in =expand=; the =render= flag indicates whether the result is to be rendered in addition to common tags being interpreted |
+| =jsonTemplate= | =name=, %BR%, =expand=, %BR% =render= | same as =template= handler, but returns a json object holding css and js zones required to properly format the template; used via =foswiki.loadTemplate()= |
+
+| *Deprecated Handler* | *Parameters* | *Description* |
 | =expand= | =text= | expands common variables in the submitted =text= fragment, =filename= |
 | =render= | =text= | same as =expand= but also renders <nop>TopicMarkup converting it to HTML |
 | =tag= | =name=, %BR% =param=, %BR% =<named-params>*=, %BR% =render=, %BR% =filename= | this is a convenience function to expand one specific \
@@ -46,12 +51,11 @@ The available REST handlers are:
   named parameters; the =render= flag indicates if the result is to be expanded only \
   or if it should be renderd into HTML; default is off, that is only expand common tags but don't interpret \
   <nop>TopicMarkup |
-| =template= | =name=, %BR% =expand=, %BR% =render=, %BR% =filename= | this handler loads the template =name= and expands the macro \
-  given in =expand=; the =render= flag indicates whether the result is to be rendered in addition to common tags being interpreted |
-| =jsonTemplate= | =name=, %BR%, =expand=, %BR% =render= | same as =template= handler, but returns a json object holding css and js zones required to properly format the template; used via =foswiki.loadTemplate()= |
 
 ---++ Usage
 
+TODO: come up with some examples for the non-deprecated handlers
+
 The REST handlers are called like this:
 
 <verbatim class="tml">
@@ -243,6 +247,7 @@ Okay, your turn to create an example calling SEARCH.
 
 ---++ Change History
 %TABLE{columnwidths="7em" tablewidth="100%"}%
+|  29 Apr 2022: | deprecated =expand= and =render= REST handler, added whitelist of allowed macros to =tag= REST handler |
 |  14 Oct 2020: | improved cacheability of rest handlers; \
                   new class =foswikiDialogLink= to ease creating dialogs |
 |  14 Feb 2019: | make template loader available to javascript as a proper jQuery module | 
@@ -265,7 +270,7 @@ Okay, your turn to create an example calling SEARCH.
 %META:FIELD{name="Release" title="Release" value="%25$RELEASE%25"}%
 %META:FIELD{name="Description" title="Description" value="%25$SHORTDESCRIPTION%25"}%
 %META:FIELD{name="Repository" title="Repository" value="https://github.com/foswiki/RenderPlugin"}%
-%META:FIELD{name="Copyright" title="Copyright" value="2006-2020, Michael Daum"}%
+%META:FIELD{name="Copyright" title="Copyright" value="2006-2022, Michael Daum"}%
 %META:FIELD{name="License" title="License" value="GPL ([[http://www.gnu.org/copyleft/gpl.html][GNU General Public License]])"}%
 %META:FIELD{name="Home" title="Home" value="Foswiki:Extensions/%25TOPIC%25"}%
 %META:FIELD{name="Support" title="Support" value="Foswiki:Support/%25TOPIC%25"}%
diff --git a/lib/Foswiki/Plugins/RenderPlugin.pm b/lib/Foswiki/Plugins/RenderPlugin.pm
@@ -1,6 +1,6 @@
 # Plugin for Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 #
-# Copyright (C) 2008-2019 Michael Daum http://michaeldaumconsulting.com
+# Copyright (C) 2008-2022 Michael Daum http://michaeldaumconsulting.com
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -24,8 +24,8 @@ use Foswiki::Attrs() ;
 use Foswiki::Plugins::JQueryPlugin ();
 use Encode ();
 
-our $VERSION = '6.30';
-our $RELEASE = '14 Oct 2019';
+our $VERSION = '7.00';
+our $RELEASE = '29 Apr 2022';
 our $SHORTDESCRIPTION = 'Render <nop>WikiApplications asynchronously';
 our $NO_PREFS_IN_TOPIC = 1;
 our $core;
@@ -34,14 +34,29 @@ sub initPlugin {
 
   Foswiki::Plugins::JQueryPlugin::registerPlugin('FoswikiTemplate', 'Foswiki::Plugins::RenderPlugin::FoswikiTemplate');
 
-  Foswiki::Func::registerRESTHandler('tag', 
-    sub {
-      return getCore(shift)->restTag(@_);
-    }, 
-    authenticate => 0,
-    validate => 0,
-    http_allow => 'GET,POST',
-  );
+  # deprecated handler
+  if ($Foswiki::cfg{RenderPlugin}{ExpandHandler}{Enabled}) {
+    Foswiki::Func::registerRESTHandler('expand', 
+      sub {
+        return getCore(shift)->restExpand(@_);
+      },
+      authenticate => 0,
+      validate => 0,
+      http_allow => 'GET,POST',
+    );
+  }
+
+  # deprecated handler
+  if ($Foswiki::cfg{RenderPlugin}{RenderHandler}{Enabled}) {
+    Foswiki::Func::registerRESTHandler('render', 
+      sub {
+        return getCore(shift)->restRender(@_);
+      },
+      authenticate => 0,
+      validate => 0,
+      http_allow => 'GET,POST',
+    );
+  }
 
   Foswiki::Func::registerRESTHandler('template', 
     sub {
@@ -52,28 +67,20 @@ sub initPlugin {
     http_allow => 'GET,POST',
   );
 
-  Foswiki::Func::registerRESTHandler('expand', 
-    sub {
-      return getCore(shift)->restExpand(@_);
-    },
-    authenticate => 0,
-    validate => 0,
-    http_allow => 'GET,POST',
-  );
 
-  Foswiki::Func::registerRESTHandler('render', 
+  Foswiki::Func::registerRESTHandler('jsonTemplate', 
     sub {
-      return getCore(shift)->restRender(@_);
+      return getCore(shift)->restJsonTemplate(@_);
     },
     authenticate => 0,
     validate => 0,
     http_allow => 'GET,POST',
   );
 
-  Foswiki::Func::registerRESTHandler('jsonTemplate', 
+  Foswiki::Func::registerRESTHandler('tag', 
     sub {
-      return getCore(shift)->restJsonTemplate(@_);
-    },
+      return getCore(shift)->restTag(@_);
+    }, 
     authenticate => 0,
     validate => 0,
     http_allow => 'GET,POST',
@@ -102,4 +109,9 @@ sub finishPlugin {
   undef $core;
 }
 
+# api
+sub registerAllowedTag {
+  return getCore()->registerAllowedTag(@_);
+}
+
 1;
diff --git a/lib/Foswiki/Plugins/RenderPlugin/Config.spec b/lib/Foswiki/Plugins/RenderPlugin/Config.spec
@@ -2,10 +2,22 @@
 # ---++ RenderPlugin
 # This is the configuration used by the <b>RenderPlugin</b>.
 
-# **BOOLEAN EXPERT CHECK="undefok emptyok"**
+# **BOOLEAN EXPERT LABEL="Cache Control" CHECK="undefok emptyok"**
 # cache control for all rest handlers. seconds for the browser to cache the response. set to 0 to disable client side caching.
 # the default is 8 hours in seconds.
 $Foswiki::cfg{RenderPlugin}{CacheControl} = 28800;
 
+# **STRING LABEL="Macros allowed for the tag handler" CHECK="undefok emptyok"**
+# list of allowed macros to be expanded by the "tag" REST handler. note that additional macros can be registered automatically by other plugins.
+$Foswiki::cfg{RenderPlugin}{TagHandler}{AllowedMacros} = "";
+
+# **BOOLEAN LABEL="Enable expand handler" CHECK="undefok emptyok"**
+# enable/disable deprecated "expand" REST handler
+$Foswiki::cfg{RenderPlugin}{ExpandHandler}{Enabled} = 0;
+
+# **BOOLEAN LABEL="Enable render handler" CHECK="undefok emptyok"**
+# enable/disable deprecated "render" REST handler
+$Foswiki::cfg{RenderPlugin}{RenderHandler}{Enabled} = 0;
+
 1;
 
diff --git a/lib/Foswiki/Plugins/RenderPlugin/Core.pm b/lib/Foswiki/Plugins/RenderPlugin/Core.pm
@@ -1,6 +1,6 @@
 # Plugin for Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 #
-# Copyright (C) 2008-2020 Michael Daum http://michaeldaumconsulting.com
+# Copyright (C) 2008-2022 Michael Daum http://michaeldaumconsulting.com
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -33,12 +33,16 @@ sub new {
 
   my $this = bless({
     session => $session,
+    allowedTags => $Foswiki::cfg{RenderPlugin}{TagHandler}{AllowedMacros} // '',
     cacheControl => $Foswiki::cfg{RenderPlugin}{CacheControl} // 28800,  # 8 hours in seconds
     @_
   }, $class);
 
   $this->{_doModifyHeaders} = 0;
 
+  my %allowedTags = map { $_=> 1 } split(/\s*,\s*/, $this->{allowedTags});
+  $this->{allowedTags} = \%allowedTags;
+
   return $this;
 }
 
@@ -117,18 +121,40 @@ sub getZoneItems {
   return @result;
 }
 
+sub registerAllowedTag {
+  my ($this, $name) = @_;
+
+  return unless $name;
+
+  $this->{allowedTags}{$name} = 1;
+}
+
+sub isAllowedTag {
+  my ($this, $name) = @_;
+
+  return 1 if $this->{allowedTags}{all};
+  return 1 if $this->{allowedTags}{$name};
+  return 0;
+}
+
 sub restTag {
   my ($this, $subject, $verb) = @_;
 
   #writeDebug("called restTag($subject, $verb)");
 
   # get params
   my $request = Foswiki::Func::getRequestObject();
-
+  my $response = $this->{session}{response};
   my $theTag = $request->param('name') || 'INCLUDE';
+
+  unless ($this->isAllowedTag($theTag)) {
+    Foswiki::Func::writeWarning("tag REST handler called with forbidden macro");
+    $response->header( -type => 'text/html', -status => '404' );
+    return '404 Not Found';
+  }
+
   my $theDefault = $request->param('param') || '';
   my $theRender = $request->param('render') || 0;
-
   $theRender = ($theRender =~ /^\s*(1|on|yes|true)\s*$/) ? 1:0;
 
   my $theTopic = $request->param('topic') || $this->{session}{topicName};
@@ -164,7 +190,7 @@ sub restTag {
   my $contentType = $request->param("contenttype");
   my $fileName = $request->param("filename");
   if ($fileName) {
-    $this->{session}{response}->header(
+    $response->header(
       -type => $contentType || "text/html",
       -content_disposition => "attachment; filename=\"$fileName\"",
     );
@@ -274,11 +300,11 @@ sub restTemplate {
     $result = Foswiki::Func::renderText($result, $web, $topic);
   }
 
-  my $contentType = $request->param("contenttype");
+  my $contentType = $request->param("contenttype") || "text/html";
   my $fileName = $request->param("filename");
   if ($fileName) {
     $this->{session}{response}->header(
-      -type => $contentType || "text/html",
+      -type => $contentType,
       -content_disposition => "attachment; filename=\"$fileName\"",
     );
   }
@@ -364,7 +390,8 @@ sub modifyHeaderHandler {
   return unless $this->{_doModifyHeaders};
 
   my $request = Foswiki::Func::getRequestObject();
-  my $cacheControl = 'max-age='. ($request->param("cachecontrol") // $this->{cacheControl});
+  my $cacheControl = $request->param("cachecontrol") // $request->param("cache_expire") // $this->{cacheControl};
+  $cacheControl = "max-age=$cacheControl" if $cacheControl =~ /^\d+$/;
 
   # set a better cache control
   $headers->{"Cache-Control"} = $cacheControl if $cacheControl;

diff --git a/lib/Foswiki/Plugins/RenderPlugin/FoswikiTemplate.pm b/lib/Foswiki/Plugins/RenderPlugin/FoswikiTemplate.pm
@@ -1,6 +1,6 @@
 # Plugin for Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 #
-# Copyright (C) 2019 Michael Daum, http://michaeldaumconsulting.com
+# Copyright (C) 2019-2022 Michael Daum, http://michaeldaumconsulting.com
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -28,7 +28,7 @@ sub new {
     $class->SUPER::new(
       $session,
       name => 'FoswikiTemplate',
-      version => '2.2',
+      version => '3.0',
       author => 'Michael Daum',
       homepage => 'https://foswiki.org/Extensions/RenderPlugin',
       puburl => '%PUBURLPATH%/%SYSTEMWEB%/RenderPlugin',