AstralTransRocketries/drasl
1
0
Fork 0
mirror of https://github.com/unmojang/drasl.git synced 2025-08-03 19:06:04 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add AllowTextureFromURL option, default false

Browse Source 
Adds the `AllowTextureFromURL` config option and makes it false by
default. Admins can still set skins and capes by URL, via the front end
or the API, regardless of this setting. Allowing users to specify
textures via URL is a possible security concern and doesn't really
improve the UX that much, so we should make it opt-in.

For https://github.com/unmojang/drasl/issues/116.
This commit is contained in:
Evan Goode 2024-11-22 14:53:05 -05:00
parent 30d3612409
commit 1b6fdf2341
4 changed files with 38 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.pre-commit-config.yaml
View File

@ -20,10 +20,10 @@ repos:
rev: 3.0.0
hooks:
- id: alejandra-system
- repo: https://github.com/pre-commit/mirrors-prettier
rev: v3.0.3
hooks:
- id: prettier
# - repo: https://github.com/pre-commit/mirrors-prettier
# rev: v3.0.3
# hooks:
# - id: prettier
- repo: local
hooks:
- id: swag

2
config.go
View File

@ -63,6 +63,7 @@ type Config struct {
AllowChangingPlayerName bool
AllowMultipleAccessTokens bool
AllowSkins bool
AllowTextureFromURL bool
ApplicationOwner string
ApplicationName string
BaseURL string
@ -108,6 +109,7 @@ func DefaultConfig() Config {
AllowCapes: true,
AllowChangingPlayerName: true,
AllowSkins: true,
AllowTextureFromURL: false,
ApplicationName: "Drasl",
ApplicationOwner: "Anonymous",
BaseURL: "",

6
user.go
View File

@ -449,6 +449,9 @@ func (app *App) UpdateUser(
}
if skinURL != nil {
if !app.Config.AllowTextureFromURL && !callerIsAdmin {
return User{}, NewBadRequestUserError("Setting a skin from a URL is not allowed.")
}
res, err := MakeHTTPClient().Get(*skinURL)
if err != nil {
return User{}, NewBadRequestUserError("Couldn't download skin from that URL: %s", err)
@ -481,6 +484,9 @@ func (app *App) UpdateUser(
return User{}, NewBadRequestUserError("Can't specify both a cape file and a cape URL.")
}
if capeURL != nil {
if !app.Config.AllowTextureFromURL && !callerIsAdmin {
return User{}, NewBadRequestUserError("Setting a cape from a URL is not allowed.")
}
res, err := MakeHTTPClient().Get(*capeURL)
if err != nil {
return User{}, NewBadRequestUserError("Couldn't download cape from that URL: %s", err)

48
view/profile.tmpl
View File

@ -352,19 +352,21 @@
{{ if or .App.Config.AllowSkins .User.IsAdmin }}
<h4>Skin</h4>
<p>
<label for="skin-url">URL to skin file</label><br />
<input
type="text"
name="skinUrl"
id="skin-url"
class="long"
placeholder="Leave blank to keep"
/>
</p>
<p>
<label for="skin-file">or instead, upload a skin</label><br />
<label for="skin-file">Upload a skin</label><br />
<input type="file" name="skinFile" id="skin-file" />
</p>
{{ if or .App.Config.AllowTextureFromURL .User.IsAdmin }}
<p>
<label for="skin-url">or instead, provide a URL to a skin</label><br />
<input
type="text"
name="skinUrl"
id="skin-url"
class="long"
placeholder="Leave blank to keep"
/>
</p>
{{ end }}
<p>
<label for="delete-skin"
>or instead, check the box to delete your current skin
@ -394,19 +396,21 @@
{{ if or .App.Config.AllowCapes .User.IsAdmin }}
<h4>Cape</h4>
<p>
<label for="cape-url">URL to cape file</label><br />
<input
type="text"
name="capeUrl"
id="cape-url"
class="long"
placeholder="Leave blank to keep"
/>
</p>
<p>
<label for="cape-file">or instead, upload a cape</label><br />
<label for="cape-file">Upload a cape</label><br />
<input type="file" name="capeFile" id="cape-file" />
</p>
{{ if or .App.Config.AllowTextureFromURL .User.IsAdmin }}
<p>
<label for="cape-url">or instead, provide a URL to a cape</label><br />
<input
type="text"
name="capeUrl"
id="cape-url"
class="long"
placeholder="Leave blank to keep"
/>
</p>
{{ end }}
<p>
<label for="delete-cape"
>or instead, check the box to delete your current cape