From 5a1efd0e27c3f7a12dbc1ac405a9d859b67506ad Mon Sep 17 00:00:00 2001
From: Pete Matsyburka
Date: Sat, 7 Sep 2024 01:30:34 +0300
Subject: [PATCH] add download utils

---
 app/controllers/api/submissions_controller.rb | 2 +-
 app/controllers/api/submitters_controller.rb | 2 +-
 .../templates_uploads_controller.rb | 8 +----
 lib/download_utils.rb | 33 +++++++++++++++++++
 lib/submitters/normalize_values.rb | 14 +-------
 5 files changed, 37 insertions(+), 22 deletions(-)
 create mode 100644 lib/download_utils.rb

diff --git a/app/controllers/api/submissions_controller.rb b/app/controllers/api/submissions_controller.rb
index 886013550..6fdd84d42 100644
--- a/app/controllers/api/submissions_controller.rb
+++ b/app/controllers/api/submissions_controller.rb
@@ -80,7 +80,7 @@ def create
 end
 render json: build_create_json(submissions)
- rescue Submitters::NormalizeValues::BaseError => e
+ rescue Submitters::NormalizeValues::BaseError, DownloadUtils::UnableToDownload => e
 Rollbar.warning(e) if defined?(Rollbar)
 render json: { error: e.message }, status: :unprocessable_entity
diff --git a/app/controllers/api/submitters_controller.rb b/app/controllers/api/submitters_controller.rb
index 4a73a96d1..1c5cc3a9c 100644
--- a/app/controllers/api/submitters_controller.rb
+++ b/app/controllers/api/submitters_controller.rb
@@ -77,7 +77,7 @@ def update
 with_urls: true,
 with_events: false,
 params:)
- rescue Submitters::NormalizeValues::BaseError => e
+ rescue Submitters::NormalizeValues::BaseError, DownloadUtils::UnableToDownload => e
 Rollbar.warning(e) if defined?(Rollbar)
 render json: { error: e.message }, status: :unprocessable_entity
diff --git a/app/controllers/templates_uploads_controller.rb b/app/controllers/templates_uploads_controller.rb
index 7d1066755..620860cb7 100644
--- a/app/controllers/templates_uploads_controller.rb
+++ b/app/controllers/templates_uploads_controller.rb
@@ -52,7 +52,7 @@ def save_template!(template, url_params)
 def create_file_params_from_url
 tempfile = Tempfile.new
 tempfile.binmode
- tempfile.write(conn.get(Addressable::URI.parse(params[:url]).display_uri.to_s).body)
+ tempfile.write(DownloadUtils.call(params[:url]).body)
 tempfile.rewind
 file = ActionDispatch::Http::UploadedFile.new(
@@ -65,10 +65,4 @@ def create_file_params_from_url
 { files: [file] }
 end
-
- def conn
- Faraday.new do |faraday|
- faraday.response :follow_redirects
- end
- end
 end
diff --git a/lib/download_utils.rb b/lib/download_utils.rb
new file mode 100644
index 000000000..3fc32950f
--- /dev/null
+++ b/lib/download_utils.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module DownloadUtils
+ LOCALHOSTS = %w[0.0.0.0 127.0.0.1 localhost].freeze
+
+ UnableToDownload = Class.new(StandardError)
+
+ module_function
+
+ def call(url)
+ uri = Addressable::URI.parse(url)
+
+ if Docuseal.multitenant?
+ raise UnableToDownload, "Error loading: #{uri.display_uri}. Only HTTPS is allowed." if uri.scheme != 'https'
+
+ if uri.host.in?(LOCALHOSTS)
+ raise UnableToDownload, "Error loading: #{uri.display_uri}. Can't download from localhost."
+ end
+ end
+
+ resp = conn.get(uri.display_uri.to_s)
+
+ raise UnableToDownload, "Error loading: #{uri.display_uri}" if resp.status >= 400
+
+ resp
+ end
+
+ def conn
+ Faraday.new do |faraday|
+ faraday.response :follow_redirects
+ end
+ end
+end
diff --git a/lib/submitters/normalize_values.rb b/lib/submitters/normalize_values.rb
index 3e65b0c7e..bed672e0e 100644
--- a/lib/submitters/normalize_values.rb
+++ b/lib/submitters/normalize_values.rb
@@ -11,7 +11,6 @@ module NormalizeValues
 UnknownFieldName = Class.new(BaseError)
 InvalidDefaultValue = Class.new(BaseError)
 UnknownSubmitterName = Class.new(BaseError)
- UnableToDownload = Class.new(BaseError)
 TRUE_VALUES = ['1', 'true', true, 'TRUE', 'True', 'yes', 'YES', 'Yes'].freeze
 FALSE_VALUES = ['0', 'false', false, 'FALSE', 'False', 'no', 'NO', 'No'].freeze
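Review bot: `DownloadUtils.call` can now raise `DownloadUtils::UnableToDownload` (non-HTTPS or localhost URL in multitenant mode, or any status >= 400), but unlike the two API controllers in this commit, `templates_uploads_controller.rb` gets no matching `rescue` anywhere in the diff, so a user-supplied `params[:url]` that fails validation would surface as an unhandled error unless a `rescue_from` exists outside the hunk. The `tempfile.write(DownloadUtils.call(params[:url]).body)` line also buffers an attacker-chosen remote body in full with no size cap, so a cap on `Content-Length` or on the bytes written is worth adding before the tempfile is turned into an upload. I would wrap the download in `rescue DownloadUtils::UnableToDownload => e` and report `e.message` the same way this controller reports other invalid uploads. `create_file_params_from_url` continues past the end of this hunk.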
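Review bot: The multitenant guard in `call` validates scheme and host only for the URL the caller supplied, while `conn` enables `follow_redirects`, so an allowed `https://` host can redirect to `http://127.0.0.1/...`, `http://169.254.169.254/...` or any internal address and the fetch still goes through, which makes this a weak SSRF control. `LOCALHOSTS` also only catches three literal spellings, so `127.0.0.2`, `[::1]`, decimal or octal forms and any DNS name that resolves to a private or link-local address pass the check. Separately, failures inside `conn.get` such as DNS errors or refused connections presumably raise `Faraday::Error` subclasses rather than `UnableToDownload`, which the controllers' new `rescue` clauses would not catch, and the connection has no timeout. The rewrite below resolves the host and rejects loopback, link-local and private addresses with `IPAddr` (needs `require 'resolv'` and `require 'ipaddr'`), follows redirects by hand so every hop is re-validated, adds timeouts and wraps Faraday errors; it does not close the DNS-rebinding window between resolving and connecting, which needs a resolver-level fix.
```ruby
module DownloadUtils
  LOCALHOSTS = %w[0.0.0.0 127.0.0.1 localhost].freeze
  REDIRECT_STATUSES = [301, 302, 303, 307, 308].freeze
  MAX_REDIRECTS = 5

  UnableToDownload = Class.new(StandardError)

  module_function

  # Fetches +url+ and returns the Faraday response; raises UnableToDownload
  # on a disallowed target, an HTTP error, too many redirects, or a transport failure.
  def call(url, redirects_left: MAX_REDIRECTS)
    uri = Addressable::URI.parse(url)

    validate_uri!(uri) if Docuseal.multitenant?

    resp = conn.get(uri.display_uri.to_s)

    # Redirects are followed by hand so that every hop passes validate_uri! again.
    if resp.status.in?(REDIRECT_STATUSES) && resp.headers['location'].present?
      raise UnableToDownload, "Error loading: #{uri.display_uri}. Too many redirects." if redirects_left.zero?

      return call(uri.join(resp.headers['location']).to_s, redirects_left: redirects_left - 1)
    end

    raise UnableToDownload, "Error loading: #{uri.display_uri}" if resp.status >= 400

    resp
  rescue Faraday::Error => e
    # Surface transport failures through the same error the controllers already rescue;
    # the class name is enough for the client, the full message may contain internal detail.
    raise UnableToDownload, "Error loading: #{uri.display_uri}. #{e.class.name}"
  end

  # Rejects anything that is not an HTTPS URL to a public address.
  def validate_uri!(uri)
    raise UnableToDownload, "Error loading: #{uri.display_uri}. Only HTTPS is allowed." if uri.scheme != 'https'

    host = uri.host.to_s
    addresses = Resolv.getaddresses(host).map { |addr| IPAddr.new(addr) }

    # An unresolvable host is rejected too: an empty list would otherwise pass the any? check.
    if host.in?(LOCALHOSTS) || addresses.empty? ||
       addresses.any? { |ip| ip.loopback? || ip.link_local? || ip.private? }
      raise UnableToDownload, "Error loading: #{uri.display_uri}. Can't download from a local or private address."
    end
  end

  # No follow_redirects middleware: redirects are handled in call so each hop is re-validated.
  def conn
    Faraday.new(request: { timeout: 30, open_timeout: 5 })
  end
end
```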
@@ -185,12 +184,7 @@ def find_or_create_blob_from_url(account, url)
 return blob if blob
- uri = Addressable::URI.parse(url)
- resp = conn.get(uri.display_uri.to_s)
-
- raise UnableToDownload, "Error loading: #{uri.display_uri}" if resp.status >= 400
-
- data = resp.body
+ data = DownloadUtils.call(url).body
 checksum = Digest::MD5.base64digest(data)
@@ -215,11 +209,5 @@ def find_blob_by_checksum(checksum, account)
 nil
 end
-
- def conn
- Faraday.new do |faraday|
- faraday.response :follow_redirects
- end
- end
 end
 end
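Review bot: `find_or_create_blob_from_url` now raises `DownloadUtils::UnableToDownload`, a plain `StandardError`, where it previously raised `Submitters::NormalizeValues::UnableToDownload < BaseError`, so any caller that rescues only `Submitters::NormalizeValues::BaseError` and is not updated in this commit (the diff touches only the two API controllers) would now let a failed download propagate unhandled. If such callers exist, the cheapest way to keep the old contract is to keep `UnableToDownload = Class.new(BaseError)` in this module and translate at the call site: `data = DownloadUtils.call(url).body` / `rescue DownloadUtils::UnableToDownload => e` / `raise UnableToDownload, e.message`. The method continues outside the hunk, so I cannot tell whether it already has a rescue clause further down.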