diff --git a/.changes/fix-http-scope-url-match.md b/.changes/fix-http-scope-url-match.md new file mode 100644 index 0000000000..c3929f5d88 --- /dev/null +++ b/.changes/fix-http-scope-url-match.md @@ -0,0 +1,5 @@ +--- +"http": patch +--- + +Fixes scope not allowing subpaths, query parameters and hash when those values are empty. diff --git a/plugins/http/src/scope.rs b/plugins/http/src/scope.rs index 9067f4065a..291cbfa379 100644 --- a/plugins/http/src/scope.rs +++ b/plugins/http/src/scope.rs @@ -6,7 +6,7 @@ use std::sync::Arc; use serde::{Deserialize, Deserializer}; use url::Url; -use urlpattern::{UrlPattern, UrlPatternInit, UrlPatternMatchInput}; +use urlpattern::{UrlPattern, UrlPatternMatchInput}; #[allow(rustdoc::bare_urls)] #[derive(Debug)] @@ -15,7 +15,21 @@ pub struct Entry { } fn parse_url_pattern(s: &str) -> Result { - let init = UrlPatternInit::parse_constructor_string::(s, None)?; + let mut init = urlpattern::UrlPatternInit::parse_constructor_string::(s, None)?; + if init.search.as_ref().map(|p| p.is_empty()).unwrap_or(true) { + init.search.replace("*".to_string()); + } + if init.hash.as_ref().map(|p| p.is_empty()).unwrap_or(true) { + init.hash.replace("*".to_string()); + } + if init + .pathname + .as_ref() + .map(|p| p.is_empty() || p == "/") + .unwrap_or(true) + { + init.pathname.replace("*".to_string()); + } UrlPattern::parse(init) } @@ -100,6 +114,7 @@ mod tests { let deny = Arc::new("http://localhost:8080/*".parse().unwrap()); let scope = super::Scope::new(vec![&allow], vec![&deny]); assert!(!scope.is_allowed(&"http://localhost:8080/file.png".parse().unwrap())); + assert!(!scope.is_allowed(&"http://localhost:8080?framework=tauri".parse().unwrap())); } #[test] @@ -109,9 +124,10 @@ mod tests { let scope = super::Scope::new(vec![&entry], Vec::new()); assert!(scope.is_allowed(&"http://localhost:8080".parse().unwrap())); assert!(scope.is_allowed(&"http://localhost:8080/".parse().unwrap())); + assert!(scope.is_allowed(&"http://localhost:8080/file".parse().unwrap())); + assert!(scope.is_allowed(&"http://localhost:8080/path/to/asset.png".parse().unwrap())); + assert!(scope.is_allowed(&"http://localhost:8080/path/list?limit=50".parse().unwrap())); - assert!(!scope.is_allowed(&"http://localhost:8080/file".parse().unwrap())); - assert!(!scope.is_allowed(&"http://localhost:8080/path/to/asset.png".parse().unwrap())); assert!(!scope.is_allowed(&"https://localhost:8080".parse().unwrap())); assert!(!scope.is_allowed(&"http://localhost:8081".parse().unwrap())); assert!(!scope.is_allowed(&"http://local:8080".parse().unwrap())); @@ -124,6 +140,7 @@ mod tests { let scope = super::Scope::new(vec![&entry], Vec::new()); assert!(scope.is_allowed(&"http://localhost:8080/file.png".parse().unwrap())); + assert!(scope.is_allowed(&"http://localhost:8080/file.png?q=1".parse().unwrap())); assert!(!scope.is_allowed(&"http://localhost:8080".parse().unwrap())); assert!(!scope.is_allowed(&"http://localhost:8080/file".parse().unwrap())); @@ -136,7 +153,13 @@ mod tests { let scope = super::Scope::new(vec![&entry], Vec::new()); assert!(scope.is_allowed(&"http://localhost:8080/file.png".parse().unwrap())); + assert!(scope.is_allowed(&"http://localhost:8080/file.png#head".parse().unwrap())); assert!(scope.is_allowed(&"http://localhost:8080/assets/file.png".parse().unwrap())); + assert!(scope.is_allowed( + &"http://localhost:8080/assets/file.png?width=100&height=200" + .parse() + .unwrap() + )); assert!(!scope.is_allowed(&"http://localhost:8080/file.jpeg".parse().unwrap())); } @@ -147,7 +170,15 @@ mod tests { let scope = super::Scope::new(vec![&entry], Vec::new()); assert!(scope.is_allowed(&"http://something.else".parse().unwrap())); - assert!(!scope.is_allowed(&"http://something.else/path/to/file".parse().unwrap())); + assert!(scope.is_allowed(&"http://something.else#tauri".parse().unwrap())); + assert!(scope.is_allowed(&"http://something.else/path/to/file".parse().unwrap())); + assert!(scope.is_allowed(&"http://something.else?rel=tauri".parse().unwrap())); + assert!(scope.is_allowed( + &"http://something.else/path/to/file.mp4?start=500" + .parse() + .unwrap() + )); + assert!(!scope.is_allowed(&"https://something.else".parse().unwrap())); let entry = Arc::new("http://*/*".parse().unwrap()); @@ -163,10 +194,11 @@ mod tests { let scope = super::Scope::new(vec![&entry], Vec::new()); assert!(scope.is_allowed(&"http://something.else".parse().unwrap())); - assert!(!scope.is_allowed(&"http://something.else/path/to/file".parse().unwrap())); + assert!(scope.is_allowed(&"http://something.else/path/to/file".parse().unwrap())); assert!(scope.is_allowed(&"file://path".parse().unwrap())); - assert!(!scope.is_allowed(&"file://path/to/file".parse().unwrap())); + assert!(scope.is_allowed(&"file://path/to/file".parse().unwrap())); assert!(scope.is_allowed(&"https://something.else".parse().unwrap())); + assert!(scope.is_allowed(&"https://something.else?x=1#frag".parse().unwrap())); let entry = Arc::new("*://*/*".parse().unwrap()); let scope = super::Scope::new(vec![&entry], Vec::new()); @@ -176,4 +208,24 @@ mod tests { assert!(scope.is_allowed(&"file://path/to/file".parse().unwrap())); assert!(scope.is_allowed(&"https://something.else".parse().unwrap())); } + + #[test] + fn validate_query() { + let entry = Arc::new("https://tauri.app/path?x=*".parse().unwrap()); + let scope = super::Scope::new(vec![&entry], Vec::new()); + + assert!(scope.is_allowed(&"https://tauri.app/path?x=5".parse().unwrap())); + + assert!(!scope.is_allowed(&"https://tauri.app/path?y=5".parse().unwrap())); + } + + #[test] + fn validate_hash() { + let entry = Arc::new("https://tauri.app/path#frame*".parse().unwrap()); + let scope = super::Scope::new(vec![&entry], Vec::new()); + + assert!(scope.is_allowed(&"https://tauri.app/path#frame".parse().unwrap())); + + assert!(!scope.is_allowed(&"https://tauri.app/path#work".parse().unwrap())); + } }