Add permissions for render plugin

Author: lunny

contrib/render-plugins/example-wasm/README.md

@@ -16,6 +16,11 @@ then renders the result inside the file viewer.
 - `build.sh` — helper script that builds `plugin.wasm` and produces a zip
   archive ready for upload
 
+As with other plugins, declare any Gitea endpoints or external hosts the WASM
+module needs to call inside the `permissions` array in `manifest.json`. Without
+an explicit entry, the plugin may only download the file that is currently being
+rendered.
+
 ## Build & Install
 
 1. Build the WASM binary and zip archive:

contrib/render-plugins/example-wasm/manifest.json

@@ -7,5 +7,6 @@
   "entry": "render.js",
   "filePatterns": [
     "*.wasmnote"
-  ]
+  ],
+  "permissions": []
 }

contrib/render-plugins/example/README.md

@@ -10,6 +10,11 @@ as a quick way to validate the dynamic plugin system locally.
 - `render.js` — an ES module that exports a `render(container, fileUrl)`
   function; it downloads the source file and renders it in a styled `<pre>`
 
+By default plugins may only fetch the file that is currently being rendered.
+If your plugin needs to contact Gitea APIs or any external services, list their
+domains under the `permissions` array in `manifest.json`. Requests to hosts that
+are not declared there will be blocked by the runtime.
+
 ## Build & Install
 
 1. Create a zip archive that contains both files:

contrib/render-plugins/example/manifest.json

@@ -5,5 +5,6 @@
   "version": "1.0.0",
   "description": "Simple sample plugin that renders .txt files with a custom color scheme.",
   "entry": "render.js",
-  "filePatterns": ["*.txt"]
+  "filePatterns": ["*.txt"],
+  "permissions": []
 }

models/migrations/v1_26/v324.go

@@ -18,6 +18,7 @@ func AddRenderPluginTable(x *xorm.Engine) error {
 		Version       string             `xorm:"NOT NULL"`
 		Description   string             `xorm:"TEXT"`
 		Source        string             `xorm:"TEXT"`
+		Permissions   []string           `xorm:"JSON"`
 		Entry         string             `xorm:"NOT NULL"`
 		FilePatterns  []string           `xorm:"JSON"`
 		FormatVersion int                `xorm:"NOT NULL DEFAULT 1"`

models/render/plugin.go

@@ -20,6 +20,7 @@ type Plugin struct {
 	Source        string             `xorm:"TEXT"`
 	Entry         string             `xorm:"NOT NULL"`
 	FilePatterns  []string           `xorm:"JSON"`
+	Permissions   []string           `xorm:"JSON"`
 	FormatVersion int                `xorm:"NOT NULL DEFAULT 1"`
 	Enabled       bool               `xorm:"NOT NULL DEFAULT false"`
 	CreatedUnix   timeutil.TimeStamp `xorm:"created NOT NULL"`

modules/renderplugin/manifest.go

@@ -29,6 +29,7 @@ type Manifest struct {
 	Description   string   `json:"description"`
 	Entry         string   `json:"entry"`
 	FilePatterns  []string `json:"filePatterns"`
+	Permissions   []string `json:"permissions"`
 }
 
 // Normalize validates mandatory fields and normalizes values.
@@ -71,9 +72,34 @@ func (m *Manifest) Normalize() error {
 	}
 	sort.Strings(cleanPatterns)
 	m.FilePatterns = cleanPatterns
+
+	cleanPerms := make([]string, 0, len(m.Permissions))
+	seenPerm := make(map[string]struct{}, len(m.Permissions))
+	for _, perm := range m.Permissions {
+		perm = strings.TrimSpace(strings.ToLower(perm))
+		if perm == "" {
+			continue
+		}
+		if !isValidPermissionHost(perm) {
+			return fmt.Errorf("manifest permission %q is invalid; only plain domains optionally including a port are allowed", perm)
+		}
+		if _, ok := seenPerm[perm]; ok {
+			continue
+		}
+		seenPerm[perm] = struct{}{}
+		cleanPerms = append(cleanPerms, perm)
+	}
+	sort.Strings(cleanPerms)
+	m.Permissions = cleanPerms
 	return nil
 }
 
+var permissionHostRegexp = regexp.MustCompile(`^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*(?::[0-9]{1,5})?$`)
+
+func isValidPermissionHost(value string) bool {
+	return permissionHostRegexp.MatchString(value)
+}
+
 // LoadManifest reads and validates the manifest.json file located under dir.
 func LoadManifest(dir string) (*Manifest, error) {
 	manifestPath := filepath.Join(dir, "manifest.json")
@@ -103,4 +129,5 @@ type Metadata struct {
 	AssetsBase    string   `json:"assetsBaseUrl"`
 	FilePatterns  []string `json:"filePatterns"`
 	SchemaVersion int      `json:"schemaVersion"`
+	Permissions   []string `json:"permissions"`
 }

modules/renderplugin/manifest_test.go

@@ -27,6 +27,7 @@ func TestManifestNormalizeDefaults(t *testing.T) {
 	assert.Equal(t, "example.plugin", manifest.ID)
 	assert.Equal(t, "render.js", manifest.Entry)
 	assert.Equal(t, []string{"*.TXT", "README.md"}, manifest.FilePatterns)
+	assert.Empty(t, manifest.Permissions)
 }
 
 func TestManifestNormalizeErrors(t *testing.T) {
@@ -50,6 +51,7 @@ func TestManifestNormalizeErrors(t *testing.T) {
 		{"missing name", func(m *Manifest) { m.Name = "" }, "name is required"},
 		{"missing version", func(m *Manifest) { m.Version = "" }, "version is required"},
 		{"no patterns", func(m *Manifest) { m.FilePatterns = nil }, "at least one file pattern"},
+		{"invalid permission", func(m *Manifest) { m.Permissions = []string{"http://bad"} }, "manifest permission"},
 	}
 
 	for _, tt := range tests {
@@ -82,3 +84,18 @@ func TestLoadManifest(t *testing.T) {
 	assert.Equal(t, "example", manifest.ID)
 	assert.Equal(t, []string{"*.md", "*.txt"}, manifest.FilePatterns)
 }
+
+func TestManifestNormalizePermissions(t *testing.T) {
+	manifest := Manifest{
+		SchemaVersion: SupportedManifestVersion,
+		ID:            "perm",
+		Name:          "perm",
+		Version:       "1.0.0",
+		Entry:         "render.js",
+		FilePatterns:  []string{"*.md"},
+		Permissions:   []string{" Example.com ", "api.example.com:8080", "example.com", ""},
+	}
+
+	require.NoError(t, manifest.Normalize())
+	assert.Equal(t, []string{"api.example.com:8080", "example.com"}, manifest.Permissions)
+}

options/locale/locale_en-US.ini

@@ -3030,6 +3030,20 @@ render_plugins.detail.none = Not provided
 render_plugins.detail.file_patterns_empty = No file patterns declared.
 render_plugins.detail.actions = Plugin actions
 render_plugins.detail.upgrade = Upgrade plugin
+render_plugins.detail.permissions = Permissions
+render_plugins.confirm_install = Review permissions before installing "%s"
+render_plugins.confirm_upgrade = Review permissions before upgrading "%s"
+render_plugins.confirm.description = Gitea will only allow this plugin to contact the domains listed below (plus the file being rendered). Continue only if you trust these endpoints.
+render_plugins.confirm.permissions = Requested domains
+render_plugins.confirm.permission_hint = If the list is empty the plugin will only fetch the file currently being rendered.
+render_plugins.confirm.permission_none = None
+render_plugins.confirm.archive = Archive
+render_plugins.confirm.actions.install = Install Plugin
+render_plugins.confirm.actions.upgrade = Upgrade Plugin
+render_plugins.confirm.actions.cancel = Cancel Upload
+render_plugins.upload_token_invalid = Plugin upload session expired. Please upload the archive again.
+render_plugins.upload_discarded = Plugin upload discarded.
+render_plugins.identifier_mismatch = Uploaded plugin identifier "%s" does not match "%s".
 hooks = Webhooks
 integrations = Integrations
 authentication = Authentication Sources