Merge branch 'refs/heads/master' into netgis_map_client_update

# Conflicts: # templates/map/client/config.json
2025-05-09 16:03:35 +02:00
parent bc9cc09372 6fe67a8fbf
commit c2b12649b0
28 changed files with 336 additions and 578 deletions
--- a/konova/views/map_proxy.py
+++ b/konova/views/map_proxy.py
@@ -9,6 +9,7 @@ import json
 from json import JSONDecodeError

 import requests
+import urllib3.util
 from django.contrib.auth.decorators import login_required
 from django.http import JsonResponse, HttpRequest, HttpResponse
 from django.utils.decorators import method_decorator
@@ -17,6 +18,7 @@ from django.views import View

 from requests.auth import HTTPDigestAuth

+from konova.sub_settings.lanis_settings import MAP_PROXY_HOST_WHITELIST
 from konova.sub_settings.proxy_settings import PROXIES, GEOPORTAL_RLP_USER, GEOPORTAL_RLP_PASSWORD


@@ -31,6 +33,13 @@ class BaseClientProxyView(View):
    def dispatch(self, request, *args, **kwargs):
        return super().dispatch(request, *args, **kwargs)

+    def _check_with_whitelist(self, url):
+        parsed_url = urllib3.util.parse_url(url)
+        parsed_url_host = parsed_url.host
+        whitelist = set(MAP_PROXY_HOST_WHITELIST)
+        is_allowed = parsed_url_host in whitelist
+        return is_allowed
+
    def perform_url_call(self, url, headers={}, auth=None):
        """ Generic proxied call

@@ -61,6 +70,11 @@ class ClientProxyParcelSearch(BaseClientProxyView):

    def get(self, request: HttpRequest):
        url = request.META.get("QUERY_STRING")
+
+        is_url_allowed = self._check_with_whitelist(url)
+        if not is_url_allowed:
+            raise PermissionError(f"Proxied url '{url}' is not allowed!")
+
        content, response_code = self.perform_url_call(url)
        return HttpResponse(content)