Embed API: fix regex patterns for allowed external domains (#11059)

stsewd · web-flow · commit 12c90eb9bf01 · 2024-01-24T17:11:06.000-05:00
The patterns were not ending with `$`,
so any domain that started with the allowed domain would be allowed
(docs.python.org.example.com).

This isn't a security issue, since including content from a domain
that isn't allowed is not differently than including content from
a domain that is hosted on RTD (users shouldn't allow including content
from projects they don't trust).
This is mostly to prevent abuse.
diff --git a/readthedocs/embed/v3/tests/test_basics.py b/readthedocs/embed/v3/tests/test_basics.py
@@ -10,7 +10,7 @@ class TestEmbedAPIv3Basics:
     @pytest.fixture(autouse=True)
     def setup_method(self, settings):
         settings.PUBLIC_DOMAIN = "readthedocs.io"
-        settings.RTD_EMBED_API_EXTERNAL_DOMAINS = ["docs.project.com"]
+        settings.RTD_EMBED_API_EXTERNAL_DOMAINS = [r"^docs\.project\.com$"]
 
         self.api_url = reverse("embed_api_v3")
 
diff --git a/readthedocs/embed/v3/tests/test_external_pages.py b/readthedocs/embed/v3/tests/test_external_pages.py
@@ -14,7 +14,7 @@ class TestEmbedAPIv3ExternalPages:
     @pytest.fixture(autouse=True)
     def setup_method(self, settings):
         settings.PUBLIC_DOMAIN = "readthedocs.io"
-        settings.RTD_EMBED_API_EXTERNAL_DOMAINS = ["docs.project.com"]
+        settings.RTD_EMBED_API_EXTERNAL_DOMAINS = [r"^docs\.project\.com$"]
 
         self.api_url = reverse("embed_api_v3")
 
diff --git a/readthedocs/settings/base.py b/readthedocs/settings/base.py
@@ -932,10 +932,10 @@ def DOCKER_LIMITS(self):
     MAILERLITE_API_KEY = None
 
     RTD_EMBED_API_EXTERNAL_DOMAINS = [
-        r'docs\.python\.org',
-        r'docs\.scipy\.org',
-        r'docs\.sympy\.org',
-        r'numpy\.org',
+        r'^docs\.python\.org$',
+        r'^docs\.scipy\.org$',
+        r'^docs\.sympy\.org$',
+        r'^numpy\.org$',
     ]
     RTD_EMBED_API_PAGE_CACHE_TIMEOUT = 5 * 10
     RTD_EMBED_API_DEFAULT_REQUEST_TIMEOUT = 1
diff --git a/readthedocs/settings/docker_compose.py b/readthedocs/settings/docker_compose.py
@@ -83,10 +83,10 @@ def RTD_EMBED_API_EXTERNAL_DOMAINS(self):
         domains = super().RTD_EMBED_API_EXTERNAL_DOMAINS
         domains.extend(
             [
-                r".*\.readthedocs\.io",
-                r".*\.org\.readthedocs\.build",
-                r".*\.readthedocs-hosted\.com",
-                r".*\.com\.readthedocs\.build",
+                r"^.*\.readthedocs\.io$",
+                r"^.*\.org\.readthedocs\.build$",
+                r"^.*\.readthedocs-hosted\.com$",
+                r"^.*\.com\.readthedocs\.build$",
             ]
         )
         return domains

Original file line number	Diff line number	Diff line change
`@@ -83,10 +83,10 @@ def RTD_EMBED_API_EXTERNAL_DOMAINS(self):`
`83`	`83`	`domains = super().RTD_EMBED_API_EXTERNAL_DOMAINS`
`84`	`84`	`domains.extend(`
`85`	`85`	`[`
`86`		`- r".*\.readthedocs\.io",`
`87`		`- r".*\.org\.readthedocs\.build",`
`88`		`- r".*\.readthedocs-hosted\.com",`
`89`		`- r".*\.com\.readthedocs\.build",`
	`86`	`+ r"^.*\.readthedocs\.io$",`
	`87`	`+ r"^.*\.org\.readthedocs\.build$",`
	`88`	`+ r"^.*\.readthedocs-hosted\.com$",`
	`89`	`+ r"^.*\.com\.readthedocs\.build$",`
`90`	`90`	`]`
`91`	`91`	`)`
`92`	`92`	`return domains`