wrap SetHTMl and OpenURL to cover some abuse cases for html panels

2025-03-04 03:03:18 -05:00 · 2022-06-14 22:07:09 -04:00 · 2022-06-14 22:07:09 -04:00 · a331881f12
commit a331881f12
parent f9c45503e9
2 changed files with 58 additions and 0 deletions
--- a/lua/cfc_http_restrictions/list_manager.lua
+++ b/lua/cfc_http_restrictions/list_manager.lua
@ -137,6 +137,26 @@ function CFCHTTP.isAllowed( url )
    return isAllowed
 end

+local function getUrlsInHTML( html )
+    local pattern = "%a+://[%a%d%.-]+:?%d*/[a-zA-Z0-9%.]+"
+    
+    local urls = {}
+	for url in string.gmatch(html, pattern) do
+		table.insert(urls, url)
+	end
+	
+	return urls
+end
+
+function CFCHTTP.isHTMLAllowed( html )
+	local urls = getUrlsInHTML( html )
+	for _, url in pairs(urls) do
+		if not CFCHTTP.isAllowed( url ) then return false end
+	end
+	
+	return true
+end
+
 function CFCHTTP.allowAddress( addr, isPattern, isPermanent )
    if CFCHTTP.allowedAddresses[addr] ~= nil and CFCHTTP.allowedAddresses[addr].isPermanent then
        notification.AddLegacy( "You cant change this address", NOTIFY_ERROR, 5 )
--- a/lua/cfc_http_restrictions/wrap_functions.lua
+++ b/lua/cfc_http_restrictions/wrap_functions.lua
@ -107,6 +107,44 @@ local function wrapPlayURL()
    end
 end

+
+local function wrapHTMLPanel(panelName)
+    print( "wrapped SetHTML and OpenURL for "..panelName )
+    funcName = function(functionName)
+        return "_"..panelName.."_"..functionName
+    end
+
+    _G[funcName("SetHTML")] =  _G[funcName("SetHTML")] or vgui.GetControlTable(panelName).SetHTML
+    _G[funcName("OpenURL")] =  _G[funcName("OpenURL")] or vgui.GetControlTable(panelName).OpenURL
+    
+    vgui.GetControlTable("DMediaPlayerHTML").SetHTML = function( self, html, ... )
+        local isAllowed = CFCHTTP.isHTMLAllowed( html ) 
+
+        local stack = string.Split( debug.traceback(), "\n" )
+        logRequest( "GET", url, stack[3], isAllowed )
+
+        if not isAllowed then
+            html = [[<h1> BLOCKED </h1>]] 
+        end
+    
+        _G[funcName("SetHTML")]( self, html, ... )
+    end
+    
+    vgui.GetControlTable("DMediaPlayerHTML").OpenURL = function( self, url, ... )
+        local isAllowed = CFCHTTP.isAllowed( url )
+        local stack = string.Split( debug.traceback(), "\n" )
+        logRequest( "GET", url, stack[3], isAllowed )
+        if not isAllowed then return end
+
+        _G[funcName("OpenURL")]( self, url, ... )
+    end
+    
+end
+
+wrapHTMLPanel("DHTML")
+wrapHTMLPanel("DPanel")
+wrapHTMLPanel("DMediaPlayerHTML")
+
 wrapHTTP()
 wrapFetch()
 wrapPost()