aaron/mattermost-desktop
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

[MM-55054] Consider a matching origin for a media request as a trusted URL when checking permissions (#2893)

Browse source
This commit is contained in:
Devin Binnie 2023-11-02 12:21:58 -04:00 committed by GitHub
parent 31e17aae80
commit 9faaa79064
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
src/main/permissionsManager.test.js
View file

@ -65,7 +65,7 @@ describe('main/PermissionsManager', () => {
return null;
}
});
isTrustedURL.mockImplementation((url, baseURL) => baseURL.toString().startsWith(url.toString()));
isTrustedURL.mockImplementation((url, baseURL) => url.toString().startsWith(baseURL.toString()));
});
afterEach(() => {
@ -188,4 +188,20 @@ describe('main/PermissionsManager', () => {
]);
expect(dialog.showMessageBox).toHaveBeenCalledTimes(1);
});
it('should still pop dialog for media requests from the servers origin', async () => {
ViewManager.getViewByWebContentsId.mockImplementation((id) => {
if (id === 2) {
return {view: {server: {url: new URL('http://anyurl.com/subpath')}}};
}
return null;
});
const permissionsManager = new PermissionsManager('anyfile.json');
permissionsManager.writeToFile = jest.fn();
const cb = jest.fn();
dialog.showMessageBox.mockReturnValue(Promise.resolve({response: 0}));
await permissionsManager.handlePermissionRequest({id: 2}, 'media', cb, {securityOrigin: 'http://anyurl.com'});
expect(dialog.showMessageBox).toHaveBeenCalled();
});
});

2
src/main/permissionsManager.ts
View file

@ -106,7 +106,7 @@ export class PermissionsManager extends JsonFileManager<Permissions> {
}
// is the requesting url trusted?
if (!isTrustedURL(parsedURL, serverURL)) {
if (!(isTrustedURL(parsedURL, serverURL) || (permission === 'media' && parsedURL.origin === serverURL.origin))) {
return false;
}