From 1b6fdf2341c4075dbfde323ae2340b9c8d3bada3 Mon Sep 17 00:00:00 2001
From: Evan Goode
Date: Fri, 22 Nov 2024 14:53:05 -0500
Subject: [PATCH] Add AllowTextureFromURL option, default false

Adds the `AllowTextureFromURL` config option and makes it false by default. Admins can still set skins and capes by URL, via the front end or the API, regardless of this setting. Allowing users to specify textures via URL is a possible security concern and doesn't really improve the UX that much, so we should make it opt-in. For https://github.com/unmojang/drasl/issues/116.
---
 .pre-commit-config.yaml | 8 +++----
 config.go | 2 ++
 user.go | 6 ++++++
 view/profile.tmpl | 48 ++++++++++++++++++++++-------------------
 4 files changed, 38 insertions(+), 26 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 92b206f..4b158b2 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -20,10 +20,10 @@ repos:
 rev: 3.0.0
 hooks:
 - id: alejandra-system
- - repo: https://github.com/pre-commit/mirrors-prettier
- rev: v3.0.3
- hooks:
- - id: prettier
+ # - repo: https://github.com/pre-commit/mirrors-prettier
+ # rev: v3.0.3
+ # hooks:
+ # - id: prettier
 - repo: local
 hooks:
 - id: swag
diff --git a/config.go b/config.go
index fd09915..bbe9847 100644
--- a/config.go
+++ b/config.go
@@ -63,6 +63,7 @@ type Config struct {
 AllowChangingPlayerName bool
 AllowMultipleAccessTokens bool
 AllowSkins bool
+ AllowTextureFromURL bool
 ApplicationOwner string
 ApplicationName string
 BaseURL string
@@ -108,6 +109,7 @@ func DefaultConfig() Config {
 AllowCapes: true,
 AllowChangingPlayerName: true,
 AllowSkins: true,
+ AllowTextureFromURL: false,
 ApplicationName: "Drasl",
 ApplicationOwner: "Anonymous",
 BaseURL: "",
diff --git a/user.go b/user.go
index 2450eeb..0e765f9 100644
--- a/user.go
+++ b/user.go
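Review bot: The prettier hook is commented out rather than removed, and neither the hunk nor the commit message says why it is disabled or whether it is meant to come back, so the dead block will likely be deleted or re-enabled later without anyone knowing the intent. Add a one-line `# prettier disabled: <reason>` above the commented block, or drop the four lines outright and let git history keep them.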
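Review bot: The new `AllowTextureFromURL bool` field in Config has no comment saying what it gates or that admins bypass it, so a reader of config.go cannot tell the option restricts only non-admin callers; that behaviour is visible only in user.go and in the commit message. The neighbouring fields in the hunk are uncommented too, so this may be the file's style, but this is the one option with a non-obvious exception and deserves `AllowTextureFromURL bool // when false, only admins may set a skin or cape from a URL; see UpdateUser`. Keeping the explicit `AllowTextureFromURL: false,` in DefaultConfig is fine even though it is the zero value, since the other Allow* entries are spelled out as well; a short `// opt-in: the server fetches user-supplied URLs` beside it would tell an admin reviewing defaults why it starts off.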
@@ -449,6 +449,9 @@ func (app *App) UpdateUser(
 }
 if skinURL != nil {
+ if !app.Config.AllowTextureFromURL && !callerIsAdmin {
+ return User{}, NewBadRequestUserError("Setting a skin from a URL is not allowed.")
+ }
 res, err := MakeHTTPClient().Get(*skinURL)
 if err != nil {
 return User{}, NewBadRequestUserError("Couldn't download skin from that URL: %s", err)
@@ -481,6 +484,9 @@ func (app *App) UpdateUser(
 return User{}, NewBadRequestUserError("Can't specify both a cape file and a cape URL.")
 }
 if capeURL != nil {
+ if !app.Config.AllowTextureFromURL && !callerIsAdmin {
+ return User{}, NewBadRequestUserError("Setting a cape from a URL is not allowed.")
+ }
 res, err := MakeHTTPClient().Get(*capeURL)
 if err != nil {
 return User{}, NewBadRequestUserError("Couldn't download cape from that URL: %s", err)
diff --git a/view/profile.tmpl b/view/profile.tmpl
index 7c443d6..6c1d6c8 100644
--- a/view/profile.tmpl
+++ b/view/profile.tmpl
@@ -352,19 +352,21 @@ {{ if or .App.Config.AllowSkins .User.IsAdmin }}
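Review bot: The new gate `if !app.Config.AllowTextureFromURL && !callerIsAdmin` carries no comment explaining why a server-side `MakeHTTPClient().Get(*skinURL)` of a caller-supplied URL is restricted, and the identical condition is repeated verbatim in the cape hunk at @@ -481,6 +484,9; the reason that currently lives only in the commit message belongs next to the code, e.g. `// Fetching a user-supplied URL from the server is a request-forgery risk, so it is admin-only unless AllowTextureFromURL is set.` above the first check, with the same comment or a small shared helper at the cape branch so the two cannot drift apart. Where `callerIsAdmin` comes from cannot be seen here: UpdateUser's signature and the rest of its body lie outside both hunks. Because the check sits inside `if skinURL != nil`, a request that passes both a file and a URL is presumably rejected by the "can't specify both" check first, as the cape hunk shows for capes; worth confirming that ordering is intended so the two paths answer consistently.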

Skin

-
- -

-

-
+

+ {{ if or .App.Config.AllowTextureFromURL .User.IsAdmin }} +

+
+ +

+ {{ end }}

Cape

-
- -

-

-
+

+ {{ if or .App.Config.AllowTextureFromURL .User.IsAdmin }} +

+
+ +

+ {{ end }}