Add limits to the avatar endpoint

[tilosp]

Currently it's basically a proxy for arbitrary urls, which seems quite dangerous.

Possible solutions:

• Instead of taking a url as an argument, use the github username, and let the nextcloud server figure out where to get the avatar from
• check the url against a list of allowed domains
• instead of proxying the avatars, download the avatars directly from github in the browser
• keep the current behaviour, but add a warning for admin letting them know that they now also provide a proxy for their users

@eneiluj should i also open similar issues for the other integration_* apps that have the same behaviour?

[julien-nc]

Very right. Thanks for the feedback.

It was in my todo list. There might be some cases where it's not obvious to build the url. I'll check that out.

I prefer your first and second solutions to the others. I want to avoid changing the CSP.

should i also open similar issues for the other integration_* apps that have the same behaviour?

I'll do them all at once 😁.

Thanks again!

[julien-nc]

After a second thought, I'm not sure generating the URL is a good solution because avatar location (or URL parameters) could change. So let's just check the hostname ends with githubusercontent.com. So now the only problem is if the hostname changes...

[tilosp]

After a second thought, I'm not sure generating the URL is a good solution because avatar location (or URL parameters) could change. So let's just check the hostname ends with githubusercontent.com. So now the only problem is if the hostname changes...

well https://api.github.com/users/<some user> could be used, to get the avatar url of a user

but if it is done using hostname checks, checking for avatars*.githubusercontent.com seems better since it doesn’t allow proxying of github repo content.

[julien-nc]

Well I didn't use /users/<username> because it means doing 2 API requests to get the avatar content...but after all it's not that bad as we always ask a reasonably small amount of avatars.

It's cleaner and will still work if URLs change.

Thanks for pointing this out. I think we got it now 😁.

[julien-nc]

New release is out. Feel free to reopen this if needed. Thanks again.