Validate endpoints from feature flags (#1196)

Validate endpoints from feature flags
2025-12-20 09:20:16 +00:00 · 2022-01-24 13:06:43 -08:00
parent de5df90f75
commit f5da8bb276
10 changed files with 178 additions and 59 deletions
--- a/src/Utils/EndpointValidation.ts
+++ b/src/Utils/EndpointValidation.ts
@@ -0,0 +1,83 @@
+import { JunoEndpoints } from "Common/Constants";
+import * as Logger from "../Common/Logger";
+
+export function validateEndpoint(
+  endpointToValidate: string | undefined,
+  allowedEndpoints: ReadonlyArray<string>
+): boolean {
+  try {
+    return validateEndpointInternal(
+      endpointToValidate,
+      allowedEndpoints.map((e) => e)
+    );
+  } catch (reason) {
+    Logger.logError(`${endpointToValidate} not allowed`, "validateEndpoint");
+    Logger.logError(`${JSON.stringify(reason)}`, "validateEndpoint");
+    return false;
+  }
+}
+
+function validateEndpointInternal(
+  endpointToValidate: string | undefined,
+  allowedEndpoints: ReadonlyArray<string>
+): boolean {
+  if (endpointToValidate === undefined) {
+    return false;
+  }
+
+  const originToValidate: string = new URL(endpointToValidate).origin;
+  const allowedOrigins: string[] = allowedEndpoints.map((allowedEndpoint) => new URL(allowedEndpoint).origin) || [];
+  const valid = allowedOrigins.indexOf(originToValidate) >= 0;
+
+  if (!valid) {
+    throw new Error(
+      `${endpointToValidate} is not an allowed endpoint. Allowed endpoints are ${allowedArmEndpoints.toString()}`
+    );
+  }
+
+  return valid;
+}
+
+export const allowedArmEndpoints: ReadonlyArray<string> = [
+  "https://management.azure.com",
+  "https://management.usgovcloudapi.net",
+  "https://management.chinacloudapi.cn",
+];
+
+export const allowedAadEndpoints: ReadonlyArray<string> = ["https://login.microsoftonline.com/"];
+
+export const allowedBackendEndpoints: ReadonlyArray<string> = [
+  "https://main.documentdb.ext.azure.com",
+  "https://localhost:12901",
+  "https://localhost:1234",
+];
+
+export const allowedMongoProxyEndpoints: ReadonlyArray<string> = [
+  "https://main.documentdb.ext.azure.com",
+  "https://localhost:12901",
+];
+
+export const allowedEmulatorEndpoints: ReadonlyArray<string> = ["https://localhost:8081"];
+
+export const allowedMongoBackendEndpoints: ReadonlyArray<string> = ["https://localhost:1234"];
+
+export const allowedGraphEndpoints: ReadonlyArray<string> = ["https://graph.windows.net"];
+
+export const allowedArcadiaEndpoints: ReadonlyArray<string> = ["https://workspaceartifacts.projectarcadia.net"];
+
+export const allowedHostedExplorerEndpoints: ReadonlyArray<string> = ["https://cosmos.azure.com/"];
+
+export const allowedMsalRedirectEndpoints: ReadonlyArray<string> = [
+  "https://cosmos-explorer-preview.azurewebsites.net/",
+];
+
+export const allowedJunoOrigins: ReadonlyArray<string> = [
+  JunoEndpoints.Test,
+  JunoEndpoints.Test2,
+  JunoEndpoints.Test3,
+  JunoEndpoints.Prod,
+  JunoEndpoints.Stage,
+  "https://localhost",
+];
+
+export const allowedNotebookServerUrls: ReadonlyArray<string> = [];
--- a/src/Utils/MessageValidation.ts
+++ b/src/Utils/MessageValidation.ts
@@ -4,7 +4,7 @@ export function isInvalidParentFrameOrigin(event: MessageEvent): boolean {
  return !isValidOrigin(configContext.allowedParentFrameOrigins, event);
 }

-function isValidOrigin(allowedOrigins: string[], event: MessageEvent): boolean {
+function isValidOrigin(allowedOrigins: ReadonlyArray<string>, event: MessageEvent): boolean {
  const eventOrigin = (event && event.origin) || "";
  const windowOrigin = (window && window.origin) || "";
  if (eventOrigin === windowOrigin) {