Merge pull request #167 from eve-bright/allow-hostname-only-config-for-whitelist

Allow whitelist config to contain hostnames without protocols

Author: oskarhane

lib/helpers.coffee

@@ -52,7 +52,7 @@ class neo.helpers
 
     @mergeDocumentArrays = (arr1, arr2) ->
       [].concat(arr1, arr2)
-        .reduce((tot, curr) -> 
+        .reduce((tot, curr) ->
           return tot if tot.done.indexOf(curr.content) > -1
           tot.done.push(curr.content)
           tot.out.push(curr)
@@ -142,10 +142,15 @@ class neo.helpers
     @stripNGAttributes = (string = '') ->
       string.replace(/(\s+(ng|data|x)[^\s=]*\s*=\s*("[^"]*"|'[^']*'|[\w\-.:]+\s*))/ig, '')
 
-    @hostIsAllowed = (hostname, whitelist) ->
+    @hostIsAllowed = (uri, whitelist) ->
       return true if whitelist is '*'
-      whitelisted_hosts = if whitelist? and whitelist isnt '' then whitelist.split(",") else ['http://guides.neo4j.com', 'https://guides.neo4j.com', 'http://localhost', 'https://localhost']
-      hostname in whitelisted_hosts
+      host_without_port = document.createElement('a')
+      host_without_port.setAttribute('href', uri)
+      hostnamePlusProtocol = host_without_port.protocol + '//' + host_without_port.hostname
+      hostname = host_without_port.hostname
+
+      whitelisted_hosts = if whitelist? and whitelist isnt '' then whitelist.split(",") else ['guides.neo4j.com', 'localhost']
+      hostname in whitelisted_hosts ||  hostnamePlusProtocol in whitelisted_hosts
 
     @getBrowserName = ->
       return 'Opera' if !!window.opera || navigator.userAgent.indexOf(' OPR/') >= 0
@@ -155,7 +160,7 @@ class neo.helpers
       return 'Internet Explorer' if !!document.documentMode
       return 'Edge' if !!window.StyleMedia
       'Unknown'
-      
+
     @getServerHostname = (Settings) ->
       if Settings.host then Settings.host else location.href
 
@@ -167,7 +172,7 @@ class neo.helpers
         flat = [].concat.apply(flat, [].concat.apply(that.flattenArray(item))) if Array.isArray item
         flat
       , [])
-        
+
     @getUrlParam = (name, theLocation) ->
       return no unless theLocation
       out = []

test/spec/other/utils.coffee

@@ -47,7 +47,7 @@ describe 'Utils', () ->
     text = """
           cypher queries
           will often be more
-          legible on multiple lines 
+          legible on multiple lines
           than squashed onto a single line
           """
     expect(Utils.firstWord text).toBe 'cypher'
@@ -119,22 +119,30 @@ describe 'Utils', () ->
     expect(Utils.cleanHTML text).toBe 'hello <p>xxx</p>'
 
   it 'should respect whitelist from server', ->
-    host = 'http://first.com'
-    whitelist = 'http://second.com,http://third.com'
-    expect(Utils.hostIsAllowed host, '*').toBe yes
-    expect(Utils.hostIsAllowed host, null).toBe no
-    expect(Utils.hostIsAllowed host, '').toBe no
-    expect(Utils.hostIsAllowed host, host).toBe yes
-    expect(Utils.hostIsAllowed host, whitelist).toBe no
-    expect(Utils.hostIsAllowed 'http://guides.neo4j.com', null).toBe yes
-    expect(Utils.hostIsAllowed 'http://guides.neo4j.com', '').toBe yes
+    whitelist = 'https://second.com,fourth.com'
+    expect(Utils.hostIsAllowed 'http://first.com', whitelist).toBe no
+    expect(Utils.hostIsAllowed 'http://second.com', whitelist).toBe no
+    expect(Utils.hostIsAllowed 'https://second.com', whitelist).toBe yes
+    expect(Utils.hostIsAllowed 'http://fourth.com', whitelist).toBe yes
+    expect(Utils.hostIsAllowed 'https://fourth.com', whitelist).toBe yes
+
+  it 'should treat * from server as all hosts allowed', ->
+    expect(Utils.hostIsAllowed 'anything', '*').toBe yes
+
+  it 'should use defaults if no whitelist specified', ->
+    expect(Utils.hostIsAllowed 'http://anything.com', null).toBe no
+    expect(Utils.hostIsAllowed 'http://anything.com', '').toBe no
+    expect(Utils.hostIsAllowed 'guides.neo4j.com', null).toBe yes
+    expect(Utils.hostIsAllowed 'guides.neo4j.com', '').toBe yes
+    expect(Utils.hostIsAllowed 'localhost', '').toBe yes
+    expect(Utils.hostIsAllowed 'localhost', '').toBe yes
 
   it 'should merge two arrays with documents without duplicates', ->
     arr1 = [getDocument('MATCH (n) RETURN n'), getDocument('//My script\nRETURN "me"')]
     arr2 = [getDocument('MATCH (n)-(m) RETURN n'), getDocument('//My script\nRETURN "me"'), getDocument('RETURN 1')]
     expect(JSON.stringify(Utils.mergeDocumentArrays(arr1, arr2)))
-      .toBe(JSON.stringify([getDocument('MATCH (n) RETURN n'), 
-          getDocument('//My script\nRETURN "me"'), 
+      .toBe(JSON.stringify([getDocument('MATCH (n) RETURN n'),
+          getDocument('//My script\nRETURN "me"'),
           getDocument('MATCH (n)-(m) RETURN n'),
           getDocument('RETURN 1')]))
 
@@ -155,7 +163,7 @@ describe 'Utils', () ->
       {location: 'http://neo4j.com/?param=', paramName: 'param', expect: undefined},
       {location: 'http://neo4j.com/', paramName: 'param', expect: undefined}
     ]
-    urls.forEach((tCase) -> 
+    urls.forEach((tCase) ->
       res = Utils.getUrlParam tCase.paramName, tCase.location
       val = if res then res[0] else res
       expect(val).toBe(tCase.expect)