From c892500ec56974a888e2b259aec55d74b85c2793 Mon Sep 17 00:00:00 2001
From: amrbashir
Date: Tue, 16 May 2023 16:14:33 +0300
Subject: [PATCH] fix(core): remove trailing slash in http scope url, closes #5208
---
 .changes/config-scope-url.md | 5 +++++
 core/tauri-config-schema/schema.json | 2 +-
 core/tauri-utils/src/config.rs | 4 +++-
 core/tauri/src/scope/http.rs | 9 +++++++--
 tooling/cli/schema.json | 2 +-
 5 files changed, 17 insertions(+), 5 deletions(-)
 create mode 100644 .changes/config-scope-url.md
diff --git a/.changes/config-scope-url.md b/.changes/config-scope-url.md
new file mode 100644
index 000000000000..db32b20a4ceb
--- /dev/null
+++ b/.changes/config-scope-url.md
@@ -0,0 +1,5 @@
+---
+'tauri-utils': 'patch'
+---
+
+Fix parsing `allowlist > http > scope` urls that added a trailing slash which broke matching the incoming requests url.
diff --git a/core/tauri-config-schema/schema.json b/core/tauri-config-schema/schema.json
index 95d59608ded4..84764072e214 100644
--- a/core/tauri-config-schema/schema.json
+++ b/core/tauri-config-schema/schema.json
@@ -2431,7 +2431,7 @@ "additionalProperties": false }, "HttpAllowlistScope": { - "description": "HTTP API scope definition. It is a list of URLs that can be accessed by the webview when using the HTTP APIs. The scoped URL is matched against the request URL using a glob pattern.\n\nExamples: - \"https://**\": allows all HTTPS urls - \"https://*.github.com/tauri-apps/tauri\": allows any subdomain of \"github.com\" with the \"tauri-apps/api\" path - \"https://myapi.service.com/users/*\": allows access to any URLs that begins with \"https://myapi.service.com/users/\"", + "description": "HTTP API scope definition. It is a list of URLs that can be accessed by the webview when using the HTTP APIs. The scoped URL is matched against the request URL using a glob pattern.\n\nExamples: - \"https://*\": allows all HTTPS urls - \"https://*.github.com/tauri-apps/tauri\": allows any subdomain of \"github.com\" with the \"tauri-apps/api\" path - \"https://myapi.service.com/users/*\": allows access to any URLs that begins with \"https://myapi.service.com/users/\"", "type": "array", "items": { "type": "string", diff --git a/core/tauri-utils/src/config.rs b/core/tauri-utils/src/config.rs index 0bf866ce0f3f..046a800df173 100644 --- a/core/tauri-utils/src/config.rs +++ b/core/tauri-utils/src/config.rs 
@@ -1892,11 +1892,13 @@ impl Allowlist for DialogAllowlistConfig {
 /// The scoped URL is matched against the request URL using a glob pattern.
 ///
 /// Examples:
-/// - "https://**": allows all HTTPS urls
+/// - "https://*": allows all HTTPS urls
 /// - "https://*.github.com/tauri-apps/tauri": allows any subdomain of "github.com" with the "tauri-apps/api" path
 /// - "https://myapi.service.com/users/*": allows access to any URLs that begins with "https://myapi.service.com/users/"
 #[allow(rustdoc::bare_urls)]
 #[derive(Debug, Default, PartialEq, Eq, Clone, Deserialize, Serialize)]
+// TODO: in v2, parse into a String or a custom type that perserves the
+// glob string because Url type will add a trailing slash
 #[cfg_attr(feature = "schema", derive(JsonSchema))]
 pub struct HttpAllowlistScope(pub Vec);
diff --git a/core/tauri/src/scope/http.rs b/core/tauri/src/scope/http.rs
index c2a49d2e455e..f7280d421655 100644
--- a/core/tauri/src/scope/http.rs
+++ b/core/tauri/src/scope/http.rs
@@ -20,8 +20,13 @@ impl Scope {
 .0
 .iter()
 .map(|url| {
- glob::Pattern::new(url.as_str())
- .unwrap_or_else(|_| panic!("scoped URL is not a valid glob pattern: `{url}`"))
+ glob::Pattern::new(
+ url
+ .as_str()
+ .strip_suffix('/')
+ .unwrap_or_else(|| url.as_str()),
+ )
+ .unwrap_or_else(|_| panic!("scoped URL is not a valid glob pattern: `{url}`"))
 })
 .collect(),
 }
diff --git a/tooling/cli/schema.json b/tooling/cli/schema.json
index 95d59608ded4..84764072e214 100644
--- a/tooling/cli/schema.json
+++ b/tooling/cli/schema.json
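Review bot: In `core/tauri-utils/src/config.rs` the first example now reads `"https://*": allows all HTTPS urls`, which implies that `*` is matched across `/`, while the next example still describes `https://*.github.com/tauri-apps/tauri` as "any subdomain of github.com". If the matcher does let `*` span separators, the doc comment should say so, because this list is the allowlist for webview HTTP requests and readers will size their scope entries from these examples. A line such as `/// Note: "*" is not limited to one host label or path segment; keep scope entries as specific as possible.` would cover it, with the wording confirmed against the matcher, which is outside this hunk. The added TODO has a typo (`perserves` should be `preserves`) and sits between `#[derive(...)]` and `#[cfg_attr(...)]`; placing it above the attribute block keeps the attributes together. The doc comment begins before the hunk.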
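Review bot: In `core/tauri/src/scope/http.rs` the trailing slash is stripped only from the scope pattern inside the `.map(|url| …)` closure, and the code that matches request URLs against these patterns is outside the hunk. If that matcher compares against the serialized request URL, a host-only entry such as `https://example.com` becomes the pattern `https://example.com` and may no longer match a request serialized as `https://example.com/`, so the allowlist would silently deny it. The strip is also unconditional, so a slash the developer wrote on purpose (for example `https://myapi.service.com/users/`) is removed as well. A unit test that pins scope entries with and without a trailing slash against request URLs with and without one would settle both cases, and a why-comment such as `// Url serialization appends "/" to an empty path; drop it so the glob matches what the user wrote` would record the trade-off. The enclosing function starts and ends outside the hunk.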
@@ -2431,7 +2431,7 @@ "additionalProperties": false }, "HttpAllowlistScope": { - "description": "HTTP API scope definition. It is a list of URLs that can be accessed by the webview when using the HTTP APIs. The scoped URL is matched against the request URL using a glob pattern.\n\nExamples: - \"https://**\": allows all HTTPS urls - \"https://*.github.com/tauri-apps/tauri\": allows any subdomain of \"github.com\" with the \"tauri-apps/api\" path - \"https://myapi.service.com/users/*\": allows access to any URLs that begins with \"https://myapi.service.com/users/\"", + "description": "HTTP API scope definition. It is a list of URLs that can be accessed by the webview when using the HTTP APIs. The scoped URL is matched against the request URL using a glob pattern.\n\nExamples: - \"https://*\": allows all HTTPS urls - \"https://*.github.com/tauri-apps/tauri\": allows any subdomain of \"github.com\" with the \"tauri-apps/api\" path - \"https://myapi.service.com/users/*\": allows access to any URLs that begins with \"https://myapi.service.com/users/\"", "type": "array", "items": { "type": "string",