c177f0a1b3
commit41748a4036
Merge:3b1d4d63
4991a70b
Author: grégoire parant <g.parant@thecodingmachine.com> Date: Mon Aug 2 21:38:37 2021 +0200 Merge pull request #1327 from thecodingmachine/hotFixErrorCardBack Fix error generated commit4991a70bba
Author: Gregoire Parant <g.parant@thecodingmachine.com> Date: Mon Aug 2 21:34:03 2021 +0200 Fix error generated Don't generate error if file is Invalid commit3b1d4d630c
Merge:f52b4598
02e5860e
Author: grégoire parant <g.parant@thecodingmachine.com> Date: Mon Aug 2 21:03:18 2021 +0200 Merge pull request #1326 from thecodingmachine/HotFixCreateMapFeature Hot fix create map feature commit02e5860e43
Author: Gregoire Parant <g.parant@thecodingmachine.com> Date: Mon Aug 2 20:59:13 2021 +0200 HotFix redirect on production domain of WorkAdventure - Update domain `ADMIN_URL` by `workadventu.re` commitf52b459872
Merge:3d657b4a
3ab069d6
Author: grégoire parant <g.parant@thecodingmachine.com> Date: Mon Aug 2 11:23:16 2021 +0200 Merge pull request #1324 from thecodingmachine/develop Release v1.4.11 commit3ab069d650
Merge:2b748138
9d4ffe54
Author: Kharhamel <Kharhamel@users.noreply.github.com> Date: Fri Jul 30 15:51:07 2021 +0200 Merge pull request #1323 from thecodingmachine/openIDPoc FIX: bomp the node version of pusher commit9d4ffe542c
Author: kharhamel <oognic@gmail.com> Date: Fri Jul 30 15:50:30 2021 +0200 FIX: bomp the node version of pusher commit2b7481383f
Merge:74975ac9
9c803a69
Author: Kharhamel <Kharhamel@users.noreply.github.com> Date: Fri Jul 30 15:48:56 2021 +0200 Merge pull request #1251 from thecodingmachine/openIDPoc POC for the openID connect commit9c803a69ff
Author: kharhamel <oognic@gmail.com> Date: Tue Jul 27 16:37:01 2021 +0200 FEATURE: users can now login via an openID client commit74975ac9d8
Merge:315fe7ca
ebdcf880
Author: Kharhamel <Kharhamel@users.noreply.github.com> Date: Fri Jul 30 14:54:33 2021 +0200 Merge pull request #1322 from thecodingmachine/improveCapacityWarning FEATURE: improved the room capacity warning visuals commitebdcf8804d
Author: kharhamel <oognic@gmail.com> Date: Fri Jul 30 14:08:27 2021 +0200 added admin link to the warning container commit41ac51f291
Author: kharhamel <oognic@gmail.com> Date: Thu Jul 29 18:02:36 2021 +0200 FEATURE: improved the room capacity warning visuals commit315fe7ca82
Author: David Négrier <d.negrier@thecodingmachine.com> Date: Thu Jul 29 17:49:51 2021 +0200 Adding a "font-family" property for text objects. (#1311) - Tiled displays your system fonts. - Computers have different sets of fonts. Therefore, browsers never rely on system fonts - Which means if you select a font in Tiled, it is quite unlikely it will render properly in WorkAdventure To circumvent this problem, in your text object in Tiled, you can now add an additional property: `font-family`. The `font-family` property can contain any "web-font" that can be loaded by your browser. This allows us to use the "Press Start 2P" 8px font in text objects, which renders way better than the default "Sans serif" font of your browser. commit7ffe564e8e
Author: GRL78 <80678534+GRL78@users.noreply.github.com> Date: Thu Jul 29 17:42:16 2021 +0200 Graphic upgrade of the global message console (#1287) * Graphic upgrade of the global message console Fix: error if LoginScene doesn't exist * Rework graphic of global message console * Rework graphic of global message console * Remove console.log commit2a1af2a131
Author: grégoire parant <g.parant@thecodingmachine.com> Date: Thu Jul 29 16:42:31 2021 +0200 PWA service workers (#1319) * PWA services worker - [x] Register service worker of PWA to install WorkAdventure application on desktop and mobile - [x] Create webpage specifique for PWA - [ ] Add register service to save and redirect on a card - [ ] Add possibilities to install PWA for one World (with register token if existing) * Finish PWA strategy to load last map visited * Fix feedback @Kharhamel * Fix feedback @Kharhamel
import Axios from "axios";
import ipaddr from "ipaddr.js";
import { Resolver } from "dns";
import { promisify } from "util";
import { LocalUrlError } from "./LocalUrlError";
import { ITiledMap } from "@workadventure/tiled-map-type-guard";
import { isTiledMap } from "@workadventure/tiled-map-type-guard/dist";
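class MapFetcher {
    /**
     * Downloads a Tiled map from a client-supplied URL, refusing URLs that target local or private hosts.
     *
     * Redirects are followed here rather than by Axios, so every hop goes through the same
     * isLocalUrl() check as the initial URL. Without that, a public URL that answers with a
     * redirect to an internal address would pass the check on the first URL only.
     *
     * @param mapUrl URL of the map. It is provided by the client and must be treated as untrusted.
     * @returns The response body. A body that fails isTiledMap() is only logged, not rejected, so the
     *          returned value is not guaranteed to match ITiledMap; callers must not rely on its shape.
     * @throws LocalUrlError if the URL, or any redirect target, points to a local or private host.
     * @throws Error if a hop is not http(s), a redirect carries no Location header, or there are too many redirects.
     */
    async fetchMap(mapUrl: string): Promise<ITiledMap> {
        const maxRedirects = 5;
        let currentUrl = mapUrl;

        for (let hop = 0; hop <= maxRedirects; hop++) {
            // Only plain web URLs are expected here; a redirect must not be able to switch scheme.
            const protocol = new URL(currentUrl).protocol;
            if (protocol !== "http:" && protocol !== "https:") {
                throw new Error('Unsupported protocol while fetching map "' + mapUrl + '"');
            }

            // Before making the query, verify the target is on the open internet (and not a local test map).
            if (await this.isLocalUrl(currentUrl)) {
                throw new LocalUrlError('URL for map "' + mapUrl + '" targets a local map');
            }

            // Residual risk: isLocalUrl() and Axios each perform their own DNS lookup, and Axios cannot pin
            // a URL to a given IP. A hostile DNS server could therefore give a public answer to the check
            // and a private one to the request. The original authors accepted this because only GET
            // requests are sent and the result of the query is never displayed to the end user.
            // NOTE(review): closing the gap would require connecting to the address that was vetted.
            const res = await Axios.get(currentUrl, {
                maxContentLength: 50 * 1024 * 1024, // Max content length: 50MB. Maps should not be bigger
                timeout: 10000, // Timeout after 10 seconds
                maxRedirects: 0, // Redirects are handled by this loop so each target is re-validated
                validateStatus: (status: number) => status >= 200 && status < 400,
            });

            if (res.status < 300) {
                if (!isTiledMap(res.data)) {
                    //TODO fixme
                    //throw new Error("Invalid map format for map " + mapUrl);
                    // Deliberately best-effort: an invalid map is reported but still returned.
                    console.error("Invalid map format for map " + mapUrl);
                }

                return res.data;
            }

            const location: unknown = res.headers["location"];
            if (typeof location !== "string" || location === "") {
                throw new Error('Unexpected status ' + res.status + ' while fetching map "' + mapUrl + '"');
            }

            // Location may be relative; resolve it against the URL that produced the redirect.
            currentUrl = new URL(location, currentUrl).toString();
        }

        throw new Error('Too many redirects while fetching map "' + mapUrl + '"');
    }

    /**
     * Returns true if the domain name is localhost or *.localhost
     * Returns true if the domain name resolves to an IP address that is "private" (like 10.x.x.x or 192.168.x.x)
     *
     * Both A and AAAA records are checked, because the HTTP client may connect over either address
     * family. Any address whose ipaddr.js range is not "unicast" is treated as local.
     *
     * @param url Absolute URL to check; an unparsable URL makes the URL constructor throw.
     * @returns true when the host must not be contacted, false when every resolved address is public.
     * @throws Error when the host name cannot be resolved to any address.
     * @private
     */
    async isLocalUrl(url: string): Promise<boolean> {
        let hostname = new URL(url).hostname;

        // "localhost." is the fully-qualified spelling of "localhost"; compare without the trailing dot.
        if (hostname.endsWith(".")) {
            hostname = hostname.slice(0, -1);
        }
        // URL.hostname keeps the square brackets around IPv6 literals; the address check below
        // works on the bare address.
        if (hostname.startsWith("[") && hostname.endsWith("]")) {
            hostname = hostname.slice(1, -1);
        }

        if (hostname === "localhost" || hostname.endsWith(".localhost")) {
            return true;
        }

        let addresses: string[];
        if (ipaddr.isValid(hostname)) {
            addresses = [hostname];
        } else {
            const resolver = new Resolver();
            const [ipv4, ipv6] = await Promise.all([
                MapFetcher.emptyIfNoData(promisify(resolver.resolve4).bind(resolver)(hostname)),
                MapFetcher.emptyIfNoData(promisify(resolver.resolve6).bind(resolver)(hostname)),
            ]);
            addresses = [...ipv4, ...ipv6];
            if (addresses.length === 0) {
                // Fail closed: a name without any address cannot be vetted.
                throw new Error("No A or AAAA record found for " + hostname);
            }
        }

        for (const address of addresses) {
            if (ipaddr.parse(address).range() !== "unicast") {
                return true;
            }
        }

        return false;
    }

    /**
     * Awaits one DNS lookup and maps "this record type does not exist" (ENODATA) to an empty list.
     * Every other failure is re-thrown so that a lookup that could not be completed never counts as "public".
     */
    private static async emptyIfNoData(lookup: Promise<string[]>): Promise<string[]> {
        try {
            return await lookup;
        } catch (e) {
            if (typeof e === "object" && e !== null && (e as { code?: unknown }).code === "ENODATA") {
                return [];
            }
            throw e;
        }
    }
}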
/** Module-level MapFetcher instance created once at import time and exported for callers. */
export const mapFetcher = new MapFetcher();