fix(core): remove trailing slash in http scope url, closes #5208

tauri-apps · May 16, 2023 · 8a2d6af · 8a2d6af
1 parent 3cc295e
commit 8a2d6af
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 11 deletions.
diff --git a/.changes/config-scope-url.md b/.changes/config-scope-url.md
@@ -0,0 +1,5 @@
+---
+'tauri-utils': 'patch'
+---
+
+Fix parsing `allowlist > http > scope` urls that added a trailing slash which broke matching the incoming requests url.
diff --git a/core/tauri-config-schema/schema.json b/core/tauri-config-schema/schema.json
@@ -2431,13 +2431,17 @@
       "additionalProperties": false
     },
     "HttpAllowlistScope": {
-      "description": "HTTP API scope definition. It is a list of URLs that can be accessed by the webview when using the HTTP APIs. The scoped URL is matched against the request URL using a glob pattern.\n\nExamples: - \"https://**\": allows all HTTPS urls - \"https://*.github.com/tauri-apps/tauri\": allows any subdomain of \"github.com\" with the \"tauri-apps/api\" path - \"https://myapi.service.com/users/*\": allows access to any URLs that begins with \"https://myapi.service.com/users/\"",
+      "description": "HTTP API scope definition. It is a list of URLs that can be accessed by the webview when using the HTTP APIs. The scoped URL is matched against the request URL using a glob pattern.\n\nExamples: - \"https://*\": allows all HTTPS urls - \"https://*.github.com/tauri-apps/tauri\": allows any subdomain of \"github.com\" with the \"tauri-apps/api\" path - \"https://myapi.service.com/users/*\": allows access to any URLs that begins with \"https://myapi.service.com/users/\"",
       "type": "array",
       "items": {
-        "type": "string",
-        "format": "uri"
+        "$ref": "#/definitions/ScopeURL"
       }
     },
+    "ScopeURL": {
+      "description": "A glob pattern describing allowed urls.",
+      "type": "string",
+      "format": "uri"
+    },
     "NotificationAllowlistConfig": {
       "description": "Allowlist for the notification APIs.\n\nSee more: https://tauri.app/v1/api/config#notificationallowlistconfig",
       "type": "object",

diff --git a/core/tauri-utils/src/config.rs b/core/tauri-utils/src/config.rs
@@ -27,6 +27,7 @@ use std::{
   collections::HashMap,
   fmt::{self, Display},
   fs::read_to_string,
+  ops::{Deref, DerefMut},
   path::PathBuf,
   str::FromStr,
 };
@@ -1887,18 +1888,47 @@ impl Allowlist for DialogAllowlistConfig {
   }
 }
 
+/// A glob pattern describing allowed urls.
+#[derive(Debug, Default, PartialEq, Eq, Clone, Deserialize, Serialize)]
+#[cfg_attr(feature = "schema", derive(JsonSchema))]
+pub struct ScopeURL(#[cfg_attr(feature = "schema", schemars(url))] pub String);
+impl Deref for ScopeURL {
+  type Target = String;
+
+  fn deref(&self) -> &Self::Target {
+    &self.0
+  }
+}
+impl DerefMut for ScopeURL {
+  fn deref_mut(&mut self) -> &mut Self::Target {
+    &mut self.0
+  }
+}
+impl Display for ScopeURL {
+  fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+    write!(f, "{}", self.0)
+  }
+}
+impl From<&str> for ScopeURL {
+  fn from(value: &str) -> Self {
+    Self(value.to_string())
+  }
+}
+
 /// HTTP API scope definition.
 /// It is a list of URLs that can be accessed by the webview when using the HTTP APIs.
 /// The scoped URL is matched against the request URL using a glob pattern.
 ///
 /// Examples:
-/// - "https://**": allows all HTTPS urls
+/// - "https://*": allows all HTTPS urls
 /// - "https://*.github.com/tauri-apps/tauri": allows any subdomain of "github.com" with the "tauri-apps/api" path
 /// - "https://myapi.service.com/users/*": allows access to any URLs that begins with "https://myapi.service.com/users/"
 #[allow(rustdoc::bare_urls)]
 #[derive(Debug, Default, PartialEq, Eq, Clone, Deserialize, Serialize)]
+// TODO: in v2, parse into a String or a custom type that perserves the
+// glob string because Url type will add a trailing slash
 #[cfg_attr(feature = "schema", derive(JsonSchema))]
-pub struct HttpAllowlistScope(pub Vec<Url>);
+pub struct HttpAllowlistScope(pub Vec<ScopeURL>);
 
 /// Allowlist for the HTTP APIs.
 ///
@@ -3724,7 +3754,7 @@ mod build {
 
   impl ToTokens for HttpAllowlistScope {
     fn to_tokens(&self, tokens: &mut TokenStream) {
-      let allowed_urls = vec_lit(&self.0, url_lit);
+      let allowed_urls = vec_lit(&self.0, |s| str_lit(&s.0));
       tokens.append_all(quote! { ::tauri::utils::config::HttpAllowlistScope(#allowed_urls) })
     }
   }

diff --git a/core/tauri/src/scope/http.rs b/core/tauri/src/scope/http.rs
@@ -20,8 +20,13 @@ impl Scope {
         .0
         .iter()
         .map(|url| {
-          glob::Pattern::new(url.as_str())
-            .unwrap_or_else(|_| panic!("scoped URL is not a valid glob pattern: `{url}`"))
+          glob::Pattern::new(
+            url
+              .as_str()
+              .strip_suffix('/')
+              .unwrap_or_else(|| url.as_str()),
+          )
+          .unwrap_or_else(|_| panic!("scoped URL is not a valid glob pattern: `{url}`"))
         })
         .collect(),
     }

diff --git a/tooling/cli/schema.json b/tooling/cli/schema.json
@@ -2431,13 +2431,17 @@
       "additionalProperties": false
     },
     "HttpAllowlistScope": {
-      "description": "HTTP API scope definition. It is a list of URLs that can be accessed by the webview when using the HTTP APIs. The scoped URL is matched against the request URL using a glob pattern.\n\nExamples: - \"https://**\": allows all HTTPS urls - \"https://*.github.com/tauri-apps/tauri\": allows any subdomain of \"github.com\" with the \"tauri-apps/api\" path - \"https://myapi.service.com/users/*\": allows access to any URLs that begins with \"https://myapi.service.com/users/\"",
+      "description": "HTTP API scope definition. It is a list of URLs that can be accessed by the webview when using the HTTP APIs. The scoped URL is matched against the request URL using a glob pattern.\n\nExamples: - \"https://*\": allows all HTTPS urls - \"https://*.github.com/tauri-apps/tauri\": allows any subdomain of \"github.com\" with the \"tauri-apps/api\" path - \"https://myapi.service.com/users/*\": allows access to any URLs that begins with \"https://myapi.service.com/users/\"",
       "type": "array",
       "items": {
-        "type": "string",
-        "format": "uri"
+        "$ref": "#/definitions/ScopeURL"
       }
     },
+    "ScopeURL": {
+      "description": "A glob pattern describing allowed urls.",
+      "type": "string",
+      "format": "uri"
+    },
     "NotificationAllowlistConfig": {
       "description": "Allowlist for the notification APIs.\n\nSee more: https://tauri.app/v1/api/config#notificationallowlistconfig",
       "type": "object",