feat: Refuse to accept IIIF urls from dasch.swiss host (DEV-4106) (#3363

)
dasch-swiss · Sep 16, 2024 · 814b7ca · 814b7ca
1 parent 3e0d7d4
commit 814b7ca
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 17 deletions.
diff --git a/webapi/src/main/scala/org/knora/webapi/slice/resources/IiifImageRequestUrl.scala b/webapi/src/main/scala/org/knora/webapi/slice/resources/IiifImageRequestUrl.scala
@@ -14,15 +14,18 @@ import org.knora.webapi.slice.common.WithFrom
 
 final case class IiifImageRequestUrl(value: URL) extends Value[URL]
 
-object IiifImageRequestUrl extends WithFrom[String, IiifImageRequestUrl] {
+object IiifImageRequestUrl extends WithFrom[String, IiifImageRequestUrl] { self =>
 
   private val iiifImageUrlRegex1 = """^(https?://[^/]+/[^/]+/[^/]+/[^/]+/[^/]+/[^/]+(?:/.+)?)$""".r
 
+  private def isDaschSwissHost(url: URI): Boolean = url.getHost().endsWith("dasch.swiss")
+
   def from(value: String): Either[String, IiifImageRequestUrl] =
-    Try(URI.create(value).toURL).toEither.left.map(_ => s"Invalid URL: $value").flatMap { url =>
+    Try(URI.create(value)).toEither.left.map(_ => s"Invalid URL: $value").flatMap { url =>
       value match {
-        case iiifImageUrlRegex1(_) => Right(IiifImageRequestUrl(url))
-        case _                     => Left(s"Invalid IIIF image URL: $value")
+        case _ if self.isDaschSwissHost(url) => Left("Host dasch.swiss is not allowed")
+        case iiifImageUrlRegex1(_)           => Right(IiifImageRequestUrl(url.toURL))
+        case _                               => Left(s"Invalid IIIF image URL: $value")
       }
     }
 }
diff --git a/webapi/src/test/scala/org/knora/webapi/slice/resources/IiifImageRequestUrlSpec.scala b/webapi/src/test/scala/org/knora/webapi/slice/resources/IiifImageRequestUrlSpec.scala
@@ -43,30 +43,45 @@ object IiifImageRequestUrlSpec extends ZIOSpecDefault {
           "http://www.example.org/prefix1/abcd1234/full/600,/0/color.jpg",
           "http://www.example.org/prefix1/abcd1234/full/600,/0/grey.jpg",
           "http://www.example.org/prefix1/abcd1234/full/600,/0/bitonal.jpg",
+          "http://www.example.org/prefix1/dasch.swiss/full/600,/0/bitonal.jpg",
+          "http://dasch.swiss.www.example.org/prefix1/abcd1234/full/600,/0/bitonal.jpg",
           // V2 https://iiif.io/api/image/2.0/#image-request-uri-syntax
           "http://www.example.org/prefix1/prefix2/prefix3/prefix4/abcd1234/full/full/0/default.jpg",
           "https://www.example.org/prefix1/prefix2/prefix3/prefix4/abcd1234/full/full/!90/gray.webp",
           // V3 https://iiif.io/api/image/3.0/#21-image-request-uri-syntax
           "http://www.example.org/prefix1/prefix2/prefix3/prefix4/abcd1234/full/max/0/default.jpg",
           "https://www.example.org/prefix1/prefix2/prefix3/prefix4/abcd1234/square/%5Emax/0/gray.webp",
-          "https://iiif.dasch.swiss/0811/1Oi7mdiLsG7-FmFgp0xz2xU.jp2/full/max/0/default.jpg",
         )
       check(Gen.fromIterable(validUrls)) { url =>
         val actual = IiifImageRequestUrl.from(url)
         assertTrue(actual.isRight, actual == Right(IiifImageRequestUrl(URI.create(url).toURL)))
       }
     },
-    test("should reject a IIIF image information request url") {
-      val invalidUrls =
-        Seq(
-          "https://iiif.ub.unibe.ch/image/v2.1/632664f2-20cb-43e4-8584-2fa3988c63a2/info.json",
-          "https://iiif.dasch.swiss/0811/5Jd909CLmCJ-BUUL1DDOXGJ.jp2/info.json",
-          "ftp://www.example.org/prefix1/prefix2/prefix3/prefix4/abcd1234/square/%5Emax/0/gray.webp",
-        )
-      check(Gen.fromIterable(invalidUrls)) { url =>
-        val actual = IiifImageRequestUrl.from(url)
-        assertTrue(actual.isLeft)
-      }
-    },
+    suite("should reject invalid IIIF image request url")(
+      test("should reject a IIIF image information request url") {
+        val invalidUrls =
+          Seq(
+            "https://iiif.ub.unibe.ch/image/v2.1/632664f2-20cb-43e4-8584-2fa3988c63a2/info.json",
+            "https://iiif.dasch.swiss/0811/5Jd909CLmCJ-BUUL1DDOXGJ.jp2/info.json",
+            "ftp://www.example.org/prefix1/prefix2/prefix3/prefix4/abcd1234/square/%5Emax/0/gray.webp",
+          )
+        check(Gen.fromIterable(invalidUrls)) { url =>
+          val actual = IiifImageRequestUrl.from(url)
+          assertTrue(actual.isLeft)
+        }
+      },
+      test("should reject dasch.swiss domain IIIF image request url") {
+        val invalidUrls =
+          Seq(
+            "https://iiif.dasch.swiss/0811/1Oi7mdiLsG7-FmFgp0xz2xU.jp2/full/max/0/default.jpg",
+            "https://iiif.dasch.swiss/0811/1Oi7mdiLsG7-FmFgp0xz2xU.jp2/full/max/0/default.jpg",
+            "https://iiif.dasch.swiss/0811/1Oi7mdiLsG7-FmFgp0xz2xU.jp2/full/max/0/default.jpg",
+          )
+        check(Gen.fromIterable(invalidUrls)) { url =>
+          val actual = IiifImageRequestUrl.from(url)
+          assertTrue(actual.isLeft)
+        }
+      },
+    ),
   )
 }