diff --git a/chrome/content/zotero/xpcom/connector/server_connector.js b/chrome/content/zotero/xpcom/connector/server_connector.js index 84ad52aad8..7e8d364e9c 100644 --- a/chrome/content/zotero/xpcom/connector/server_connector.js +++ b/chrome/content/zotero/xpcom/connector/server_connector.js @@ -1845,3 +1845,103 @@ Zotero.Server.Connector.IEHack.prototype = { ''); } } + +/** + * Make an HTTP request from the client. Accepts {@link Zotero.HTTP.request} options and returns a minimal response + * object with the same form as the one returned from {@link Zotero.Utilities.Translate#request}. + * + * Accepts: + * method - The request method ('GET', 'POST', etc.) + * url - The URL to make the request to. Must be an absolute HTTP(S) URL. + * options - See Zotero.HTTP.request() documentation. Differences: + * - responseType is always set to 'text' + * - successCodes is always set to false (non-2xx status codes will not trigger an error) + * Returns: + * Response code is always 200. Body contains: + * status - The response status code, as a number + * headers - An object mapping header names to values + * body - The response body, as a string + */ +Zotero.Server.Connector.Request = function () {}; + +/** + * The list of allowed hosts. Intentionally hardcoded. + */ +Zotero.Server.Connector.Request.allowedHosts = ['www.worldcat.org']; + +/** + * For testing: allow disabling validation so we can make requests to the server. + */ +Zotero.Server.Connector.Request.enableValidation = false; + +Zotero.Server.Endpoints["/connector/request"] = Zotero.Server.Connector.Request; +Zotero.Server.Connector.Request.prototype = { + supportedMethods: ["POST"], + supportedDataTypes: ["application/json"], + + init: async function (req) { + let { method, url, options } = req.data; + + if (typeof method !== 'string' || typeof url !== 'string') { + return [400, 'text/plain', 'method and url are required and must be strings']; + } + + let uri; + try { + uri = Services.io.newURI(url); + } + catch (e) { + return [400, 'text/plain', 'Invalid URL']; + } + + if (uri.scheme != 'http' && uri.scheme != 'https') { + return [400, 'text/plain', 'Unsupported scheme']; + } + + if (Zotero.Server.Connector.Request.enableValidation) { + if (!Zotero.Server.Connector.Request.allowedHosts.includes(uri.host)) { + return [ + 400, + 'text/plain', + 'Unsupported URL' + ]; + } + + if (!req.headers['User-Agent'] || !req.headers['User-Agent'].startsWith('Mozilla/')) { + return [400, 'text/plain', 'Unsupported User-Agent']; + } + } + + options = options || {}; + options.responseType = 'text'; + options.successCodes = false; + + let xhr; + try { + xhr = await Zotero.HTTP.request(req.data.method, req.data.url, options); + } + catch (e) { + if (e instanceof Zotero.HTTP.BrowserOfflineException) { + return [503, 'text/plain', 'Client is offline']; + } + else { + throw e; + } + } + + let status = xhr.status; + let headers = {}; + xhr.getAllResponseHeaders() + .trim() + .split(/[\r\n]+/) + .map(line => line.split(': ')) + .forEach(parts => headers[parts.shift()] = parts.join(': ')); + let body = xhr.response; + + return [200, 'application/json', JSON.stringify({ + status, + headers, + body + })]; + } +}; diff --git a/test/tests/server_connectorTest.js b/test/tests/server_connectorTest.js index 9ffd40c4db..135164f5e9 100644 --- a/test/tests/server_connectorTest.js +++ b/test/tests/server_connectorTest.js @@ -2649,4 +2649,186 @@ describe("Connector Server", function () { assert.equal(item.libraryID, Zotero.Libraries.userLibraryID); }); }); + + describe('/connector/request', function () { + let endpoint; + + before(function () { + endpoint = connectorServerPath + '/connector/request'; + }); + + beforeEach(function () { + Zotero.Server.Connector.Request.enableValidation = true; + }); + + after(function () { + Zotero.Server.Connector.Request.enableValidation = true; + }); + + it('should reject GET requests', async function () { + let req = await Zotero.HTTP.request( + 'GET', + endpoint, + { + headers: { 'content-type': 'application/json' }, + body: JSON.stringify({ + method: 'GET', + url: 'https://www.example.com/' + }), + successCodes: false + } + ); + assert.equal(req.status, 400); + assert.include(req.responseText, 'Endpoint does not support method'); + }); + + it('should not make requests to arbitrary hosts', async function () { + let req = await Zotero.HTTP.request( + 'POST', + endpoint, + { + headers: { 'content-type': 'application/json' }, + body: JSON.stringify({ + method: 'GET', + url: `http://localhost:${Zotero.Prefs.get('httpServer.port')}/` + }), + successCodes: false + } + ); + assert.equal(req.status, 400); + assert.include(req.responseText, 'Unsupported URL'); + + req = await Zotero.HTTP.request( + 'POST', + endpoint, + { + headers: { 'content-type': 'application/json' }, + body: JSON.stringify({ + method: 'GET', + url: `http://www.example.com/` + }), + successCodes: false + } + ); + assert.equal(req.status, 400); + assert.include(req.responseText, 'Unsupported URL'); + }); + + it('should reject requests with non-Mozilla/ user agents', async function () { + let req = await Zotero.HTTP.request( + 'POST', + endpoint, + { + headers: { + 'content-type': 'application/json', + 'user-agent': 'BadBrowser/1.0' + }, + body: JSON.stringify({ + method: 'GET', + url: `https://www.worldcat.org/api/nonexistent` + }), + successCodes: false + } + ); + assert.equal(req.status, 400); + assert.include(req.responseText, 'Unsupported User-Agent'); + }); + + it('should allow a request to an allowed host', async function () { + let stub = sinon.stub(Zotero.HTTP, 'request'); + // First call: call original + stub.callThrough(); + // Second call (call from within /connector/request handler): return the following + stub.onSecondCall().returns({ + status: 200, + getAllResponseHeaders: () => '', + response: 'it went through' + }); + + let req = await Zotero.HTTP.request( + 'POST', + endpoint, + { + headers: { 'content-type': 'application/json' }, + body: JSON.stringify({ + method: 'GET', + url: `https://www.worldcat.org/api/nonexistent` + }) + } + ); + assert.equal(req.status, 200); + assert.equal(JSON.parse(req.responseText).body, 'it went through'); + + stub.restore(); + }); + + it('should return response in translator request() format with lowercase headers', async function () { + let testEndpointPath = '/test/header'; + + httpd.registerPathHandler( + testEndpointPath, + { + handle: function (request, response) { + response.setStatusLine(null, 200, 'OK'); + response.setHeader('X-Some-Header', 'Header value'); + response.write('body'); + } + } + ); + + Zotero.Server.Connector.Request.enableValidation = false; + let req = await Zotero.HTTP.request( + 'POST', + endpoint, + { + headers: { 'content-type': 'application/json' }, + body: JSON.stringify({ + method: 'GET', + url: testServerPath + testEndpointPath + }), + responseType: 'json' + } + ); + + assert.equal(req.response.status, 200); + assert.equal(req.response.headers['x-some-header'], 'Header value'); + assert.equal(req.response.body, 'body'); + }); + + it('should set Referer', async function () { + let testEndpointPath = '/test/referer'; + let referer = 'https://www.example.com/'; + + httpd.registerPathHandler( + testEndpointPath, + { + handle: function (request, response) { + assert.equal(request.getHeader('Referer'), referer); + response.setStatusLine(null, 200, 'OK'); + response.write(''); + } + } + ); + + Zotero.Server.Connector.Request.enableValidation = false; + let req = await Zotero.HTTP.request( + 'POST', + endpoint, + { + headers: { 'content-type': 'application/json' }, + body: JSON.stringify({ + method: 'GET', + url: testServerPath + testEndpointPath, + options: { + headers: { + Referer: referer + } + } + }) + } + ); + + assert.equal(JSON.parse(req.response).status, 200); + }); + }); });