onebox 2.0.2 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 373f78c55bcd96d80865329cabb0b3f2e091cfbac87f71a9b913b0512649e4c5
-  data.tar.gz: 3c21d762657d8f96109ea5db3048daca0948544c0d25625f4242ff35680e094c
+  metadata.gz: 9b0d5f22e692ec775f7a30215772f6c13f41a4a17c6faf2c25eb902cb7ab8915
+  data.tar.gz: d07753cc17aa1f3d656e59d4600f1d966ed21a60f10261563a8eca908fd560a7
 SHA512:
-  metadata.gz: ae768140c4c42b634a10e9c3f8ab716adbb2bbda5f74a4c1c6205abaee4cbff557d3e87ae25b2f81039caed5c330e9dccadbce87b6e8af3ba691a35114ecffa8
-  data.tar.gz: 3102dc52f8bd7a9246ae1854289ad1138283b2dbf92f8a7bc53c99c650176d7b9c38afd57549305baf34e622fcde335fd13bee075b4f803470ea50c3f784407d
+  metadata.gz: 04dd906ddead063b6b787d17bb709cac2fb3c1a9dc4d3932354c374218a8dac4f0710f741a0388b5a013919bdb9e77d0e0216b1f9606de8c1822dc52938c6070
+  data.tar.gz: b3a782c32fb3499e3610560eb67cd35623ca85987bedb1932f2cba759f397a7b8fe9af17e2f87cf54ff246551685ebbdadd5322478ea7a0a0944319ba7f55fed

data/lib/onebox/engine.rb

@@ -12,6 +12,22 @@ module Onebox
       end.map(&method(:const_get))
     end
 
+    def self.all_iframe_origins
+      engines.flat_map { |e| e.iframe_origins }.uniq.compact
+    end
+
+    def self.origins_to_regexes(origins)
+      return /.*/ if origins.include?("*")
+      origins.map do |origin|
+        escaped_origin = Regexp.escape(origin)
+        if origin.start_with?("*.", "https://*.", "http://*.")
+          escaped_origin = escaped_origin.sub("\\*", '\S*')
+        end
+
+        Regexp.new("\\A#{escaped_origin}", 'i')
+      end
+    end
+
     attr_reader :url, :uri
     attr_reader :timeout
 
@@ -100,6 +116,14 @@ module Onebox
         class_variable_set :@@matcher, r
       end
 
+      def requires_iframe_origins(*origins)
+        class_variable_set :@@iframe_origins, origins
+      end
+
+      def iframe_origins
+        class_variable_defined?(:@@iframe_origins) ? class_variable_get(:@@iframe_origins) : []
+      end
+
       # calculates a name for onebox using the class name of engine
       def onebox_name
         name.split("::").last.downcase.gsub(/onebox/, "")

data/lib/onebox/engine/allowlisted_generic_onebox.rb

@@ -281,7 +281,9 @@ module Onebox
       end
 
       def is_card?
-        data[:card] == 'player' && data[:player] =~ URI::regexp
+        data[:card] == 'player' &&
+          data[:player] =~ URI::regexp &&
+          options[:allowed_iframe_regexes]&.any? { |r| data[:player] =~ r }
       end
 
       def is_article?
@@ -305,16 +307,19 @@ module Onebox
       end
 
       def is_video?
-        data[:type] =~ /^video[\/\.]/ && !Onebox::Helpers.blank?(data[:video])
+        data[:type] =~ /^video[\/\.]/ &&
+          data[:video_type] == "video/mp4" && # Many sites include 'videos' with text/html types (i.e. iframes)
+          !Onebox::Helpers.blank?(data[:video])
       end
 
       def is_embedded?
-        data[:html] &&
-        data[:height] &&
-        (
-          data[:html]["iframe"] ||
-          AllowlistedGenericOnebox.html_providers.include?(data[:provider_name])
-        )
+        return false unless data[:html] && data[:height]
+        return true if AllowlistedGenericOnebox.html_providers.include?(data[:provider_name])
+        return false unless data[:html]["iframe"]
+
+        fragment = Nokogiri::HTML::fragment(data[:html])
+        src = fragment.at_css('iframe')&.[]("src")
+        options[:allowed_iframe_regexes]&.any? { |r| src =~ r }
       end
 
       def card_html

data/lib/onebox/engine/bandcamp_onebox.rb

@@ -8,6 +8,7 @@ module Onebox
 
       matches_regexp(/^https?:\/\/.*\.bandcamp\.com\/(album|track)\//)
       always_https
+      requires_iframe_origins "https://bandcamp.com"
 
       def placeholder_html
         og = get_opengraph

data/lib/onebox/engine/facebook_media_onebox.rb

@@ -8,6 +8,7 @@ module Onebox
 
       matches_regexp(/^https?:\/\/.*\.facebook\.com\/(\w+)\/(videos|\?).*/)
       always_https
+      requires_iframe_origins "https://www.facebook.com"
 
       def to_html
         metadata = get_twitter

data/lib/onebox/engine/google_calendar_onebox.rb

@@ -7,6 +7,7 @@ module Onebox
 
       matches_regexp /^(https?:)?\/\/((www|calendar)\.google\.[\w.]{2,}|goo\.gl)\/calendar\/.+$/
       always_https
+      requires_iframe_origins "https://calendar.google.com"
 
       def to_html
         url = @url.split('&').first

data/lib/onebox/engine/google_maps_onebox.rb

@@ -23,6 +23,8 @@ module Onebox
 
       always_https
 
+      requires_iframe_origins("https://maps.google.com", "https://google.com")
+
       # Matches shortened Google Maps URLs
       matches_regexp :short,      %r"^(https?:)?//goo\.gl/maps/"
 

data/lib/onebox/engine/kaltura_onebox.rb

@@ -8,6 +8,7 @@ module Onebox
 
       always_https
       matches_regexp(/^https?:\/\/[a-z0-9]+\.kaltura\.com\/id\/[a-zA-Z0-9]+/)
+      requires_iframe_origins "https://*.kaltura.com"
 
       def preview_html
         og = get_opengraph

data/lib/onebox/engine/sketchfab_onebox.rb

@@ -8,6 +8,7 @@ module Onebox
 
       matches_regexp(/^https?:\/\/sketchfab\.com\/(?:models\/|3d-models\/(?:[^\/\s]+-)?)([a-z0-9]{32})/)
       always_https
+      requires_iframe_origins("https://sketchfab.com")
 
       def to_html
         og = get_opengraph

data/lib/onebox/engine/slides_onebox.rb

@@ -7,10 +7,11 @@ module Onebox
       include StandardEmbed
 
       matches_regexp(/^https?:\/\/slides\.com\/[\p{Alnum}_\-]+\/[\p{Alnum}_\-]+$/)
+      requires_iframe_origins "https://slides.com"
 
       def to_html
         <<-HTML
-          <iframe src="//slides.com#{uri.path}/embed?style=light"
+          <iframe src="https://slides.com#{uri.path}/embed?style=light"
                   width="576"
                   height="420"
                   scrolling="no"

data/lib/onebox/engine/standard_embed.rb

@@ -2,6 +2,7 @@
 
 require "cgi"
 require "onebox/open_graph"
+require 'onebox/oembed'
 
 module Onebox
   module Engine

data/lib/onebox/engine/steam_store_onebox.rb

@@ -8,6 +8,7 @@ module Onebox
 
       always_https
       matches_regexp(/^https?:\/\/store\.steampowered\.com\/app\/\d+/)
+      requires_iframe_origins "https://store.steampowered.com"
 
       def placeholder_html
         og = get_opengraph

data/lib/onebox/engine/trello_onebox.rb

@@ -7,6 +7,7 @@ module Onebox
       include StandardEmbed
 
       matches_regexp(/^https:\/\/trello\.com\/[bc]\/\W*/)
+      requires_iframe_origins "https://trello.com"
       always_https
 
       def to_html

data/lib/onebox/engine/twitch_clips_onebox.rb

@@ -9,6 +9,8 @@ class Onebox::Engine::TwitchClipsOnebox
   end
   include Onebox::Mixins::TwitchOnebox
 
+  requires_iframe_origins "https://clips.twitch.tv"
+
   def query_params
     "clip=#{twitch_id}"
   end

data/lib/onebox/engine/typeform_onebox.rb

@@ -6,6 +6,7 @@ module Onebox
       include Engine
 
       matches_regexp(/^https?:\/\/[a-z0-9\-_]+\.typeform\.com\/to\/[a-zA-Z0-9]+/)
+      requires_iframe_origins "https://*.typeform.com"
       always_https
 
       def to_html

data/lib/onebox/engine/vimeo_onebox.rb

@@ -7,6 +7,7 @@ module Onebox
       include StandardEmbed
 
       matches_regexp(/^https?:\/\/(www\.)?vimeo\.com\/\d+/)
+      requires_iframe_origins "https://player.vimeo.com"
       always_https
 
       WIDTH  ||= 640

data/lib/onebox/engine/wistia_onebox.rb

@@ -7,6 +7,7 @@ module Onebox
       include StandardEmbed
 
       matches_regexp(/https?:\/\/(.+)?(wistia.com|wi.st)\/(medias|embed)\/.*/)
+      requires_iframe_origins "https://fast.wistia.com"
       always_https
 
       def to_html

data/lib/onebox/engine/youku_onebox.rb

@@ -7,6 +7,7 @@ module Onebox
       include HTML
 
       matches_regexp(/^(https?:\/\/)?([\da-z\.-]+)(youku.com\/)(.)+\/?$/)
+      requires_iframe_origins "https://player.youku.com"
 
       # Try to get the video ID. Works for URLs of the form:
       # * http://v.youku.com/v_show/id_XNjM3MzAxNzc2.html
@@ -19,7 +20,14 @@ module Onebox
       end
 
       def to_html
-        "<embed width='570' height='360' src='https://players.youku.com/player.php/sid/#{video_id}/v.swf' type='application/x-shockwave-flash'></embed>"
+        <<~HTML
+          <iframe src="https://player.youku.com/embed/#{video_id}"
+                  width="640"
+                  height="430"
+                  frameborder='0'
+                  allowfullscreen>
+          </iframe>
+        HTML
       end
 
       private

data/lib/onebox/engine/youtube_onebox.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'onebox/oembed'
-
 module Onebox
   module Engine
     class YoutubeOnebox
@@ -9,16 +7,17 @@ module Onebox
       include StandardEmbed
 
       matches_regexp(/^https?:\/\/(?:www\.)?(?:m\.)?(?:youtube\.com|youtu\.be)\/.+$/)
+      requires_iframe_origins "https://www.youtube.com"
       always_https
 
       WIDTH  ||= 480
       HEIGHT ||= 360
 
       def placeholder_html
-        if video_id
-          "<img src='https://i.ytimg.com/vi/#{video_id}/hqdefault.jpg' width='#{WIDTH}' height='#{HEIGHT}' #{video_oembed_data.title_attr}>"
-        elsif list_id
-          "<img src='#{list_thumbnail_url}' width='#{WIDTH}' height='#{HEIGHT}' #{list_oembed_data.title_attr}>"
+        og = get_opengraph.data
+
+        if video_id || list_id
+          "<img src='#{og[:image]}' width='#{WIDTH}' height='#{HEIGHT}' title='#{og[:title]}'>"
         else
           to_html
         end
@@ -53,7 +52,7 @@ module Onebox
       end
 
       def video_title
-        @video_title ||= video_oembed_data.title
+        @video_title ||= get_opengraph.data[:title]
       end
 
       private
@@ -81,29 +80,6 @@ module Onebox
         @list_id ||= params['list']
       end
 
-      def list_thumbnail_url
-        @list_thumbnail_url ||= begin
-          url = "https://www.youtube.com/oembed?format=json&url=https://www.youtube.com/playlist?list=#{list_id}"
-          response = Onebox::Helpers.fetch_response(url) rescue "{}"
-          data = Onebox::Oembed.new(response)
-          data.thumbnail_url
-        rescue
-          nil
-        end
-      end
-
-      def video_oembed_data
-        url = "https://www.youtube.com/oembed?format=json&url=https://www.youtube.com/watch?v=#{video_id}"
-        response = Onebox::Helpers.fetch_response(url) rescue "{}"
-        Onebox::Oembed.new(response)
-      end
-
-      def list_oembed_data
-        url = "https://www.youtube.com/oembed?format=json&url=https://www.youtube.com/playlist?list=#{list_id}"
-        response = Onebox::Helpers.fetch_response(url) rescue "{}"
-        Onebox::Oembed.new(response)
-      end
-
       def embed_params
         p = { 'feature' => 'oembed', 'wmode' => 'opaque' }
 

data/lib/onebox/matcher.rb

@@ -2,8 +2,9 @@
 
 module Onebox
   class Matcher
-    def initialize(link)
+    def initialize(link, options = {})
       @url = link
+      @options = options
     end
 
     def ordered_engines
@@ -16,9 +17,14 @@ module Onebox
       uri = URI(@url)
       return unless uri.port.nil? || Onebox.options.allowed_ports.include?(uri.port)
       return unless uri.scheme.nil? || Onebox.options.allowed_schemes.include?(uri.scheme)
-      ordered_engines.find { |engine| engine === uri }
+      ordered_engines.find { |engine| engine === uri && has_allowed_iframe_origins?(engine) }
     rescue URI::InvalidURIError
       nil
     end
+
+    def has_allowed_iframe_origins?(engine)
+      allowed_regexes = @options[:allowed_iframe_regexes] || []
+      engine.iframe_origins.all? { |o| allowed_regexes.any? { |r| o =~ r } }
+    end
   end
 end

data/lib/onebox/mixins/twitch_onebox.rb

@@ -7,6 +7,7 @@ module Onebox
       def self.included(klass)
         klass.include(Onebox::Engine)
         klass.matches_regexp(klass.twitch_regexp)
+        klass.requires_iframe_origins "https://player.twitch.tv"
         klass.include(InstanceMethods)
       end
 
@@ -25,7 +26,7 @@ module Onebox
 
         def to_html
           <<~HTML
-          <iframe src="//#{base_url}#{query_params}&parent=#{options[:hostname]}&autoplay=false" width="620" height="378" frameborder="0" style="overflow: hidden;" scrolling="no" allowfullscreen="allowfullscreen"></iframe>
+          <iframe src="https://#{base_url}#{query_params}&parent=#{options[:hostname]}&autoplay=false" width="620" height="378" frameborder="0" style="overflow: hidden;" scrolling="no" allowfullscreen="allowfullscreen"></iframe>
           HTML
         end
       end

data/lib/onebox/preview.rb

@@ -7,10 +7,14 @@ module Onebox
     client_exception = defined?(Net::HTTPClientException) ? Net::HTTPClientException : Net::HTTPServerException
     WEB_EXCEPTIONS ||= [client_exception, OpenURI::HTTPError, Timeout::Error, Net::HTTPError, Errno::ECONNREFUSED]
 
-    def initialize(link, parameters = Onebox.options)
+    def initialize(link, options = Onebox.options)
       @url = link
-      @options = parameters
-      @engine_class = Matcher.new(@url).oneboxed
+      @options = options.dup
+
+      allowed_origins = @options[:allowed_iframe_origins] || Onebox::Engine.all_iframe_origins
+      @options[:allowed_iframe_regexes] = Engine.origins_to_regexes(allowed_origins)
+
+      @engine_class = Matcher.new(@url, @options).oneboxed
     end
 
     def to_s
@@ -63,7 +67,10 @@ module Onebox
     end
 
     def sanitize(html)
-      Sanitize.fragment(html, @options[:sanitize_config] || Sanitize::Config::ONEBOX)
+      config = @options[:sanitize_config] || Sanitize::Config::ONEBOX
+      config = config.merge(allowed_iframe_regexes: @options[:allowed_iframe_regexes])
+
+      Sanitize.fragment(html, config)
     end
 
     def engine

data/lib/onebox/sanitize_config.rb

@@ -12,7 +12,7 @@ class Sanitize
         'a' => RELAXED[:attributes]['a'] + %w(target),
         'audio' => %w[controls],
         'embed' => %w[height src type width],
-        'iframe' => %w[allowfullscreen frameborder height scrolling src width data-original-href],
+        'iframe' => %w[allowfullscreen frameborder height scrolling src width data-original-href data-unsanitized-src],
         'source' => %w[src type],
         'video' => %w[controls height loop width autoplay muted poster controlslist playsinline],
         'path' => %w[d],
@@ -39,6 +39,22 @@ class Sanitize
           else
             a_tag.remove_attribute('target')
           end
+        end,
+
+        lambda do |env|
+          next unless env[:node_name] == 'iframe'
+
+          iframe = env[:node]
+          allowed_regexes = env[:config][:allowed_iframe_regexes] || [/.*/]
+
+          allowed = allowed_regexes.any? { |r| iframe["src"] =~ r }
+
+          if !allowed
+            # add a data attribute with the blocked src. This is not required
+            # but makes it much easier to troubleshoot onebox issues
+            iframe["data-unsanitized-src"] = iframe["src"]
+            iframe.remove_attribute("src")
+          end
         end
       ],
 

data/lib/onebox/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Onebox
-  VERSION = "2.0.2"
+  VERSION = "2.1.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: onebox
 version: !ruby/object:Gem::Version
-  version: 2.0.2
+  version: 2.1.0
 platform: ruby
 authors:
 - Joanna Zeta
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-18 00:00:00.000000000 Z
+date: 2020-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable