var path = require('path');
var url = require('url');

var isRemoteResource = require('../utils/is-remote-resource');
var hasProtocol = require('../utils/has-protocol');

// Scheme prepended to remote URIs that arrive without one (see
// isAllowedResource) and used by isRemoteRule to wrap a bare rule in a
// parseable URL.
var HTTP_PROTOCOL = 'http:';
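/**
 * Decides whether a resource may be used, given an ordered list of rules.
 *
 * Rules are evaluated in order and a later rule can override an earlier one.
 * The starting verdict is "denied" for remote resources and "allowed" for
 * local ones; an empty rule list always denies.
 *
 * Rule forms handled below:
 *  - 'all', 'local', 'remote' keywords;
 *  - an exact host (remote) or exact URI;
 *  - a URI / path prefix, matched only on a component boundary;
 *  - any of the above prefixed with '!' to negate it (a negated rule can only
 *    turn an allowed verdict into a denied one, never the reverse).
 *
 * Security note: prefix rules are matched on a component boundary, so a rule
 * for one host or directory does not also admit a sibling whose name merely
 * starts with the same characters.
 *
 * @param {string} uri - resource location (URL when isRemote, otherwise a path)
 * @param {boolean} isRemote - whether `uri` names a remote resource
 * @param {string[]} rules - ordered allow / deny rules
 * @returns {boolean} true when the resource is allowed
 */
function isAllowedResource(uri, isRemote, rules) {
  var match;
  var absoluteUri;
  var allowed = !isRemote;
  var rule;
  var isNegated;
  var normalizedRule;
  var i;

  if (rules.length === 0) {
    return false;
  }

  // Protocol-less remote URIs get a scheme so url.parse can extract the host.
  if (isRemote && !hasProtocol(uri)) {
    uri = HTTP_PROTOCOL + uri;
  }

  // Remote resources are compared by host, local ones by the path as given.
  match = isRemote ?
    url.parse(uri).host :
    uri;

  // path.resolve is purely lexical: it collapses '..' but does not follow
  // symlinks, so this is a string-level check only.
  absoluteUri = isRemote ?
    uri :
    path.resolve(uri);

  for (i = 0; i < rules.length; i++) {
    rule = rules[i];
    isNegated = rule[0] == '!';
    // NOTE(review): the first character is stripped even when the rule is not
    // negated, so the final isRemoteRule() check below sees a truncated rule.
    // Kept as-is because callers may rely on it - confirm intent.
    normalizedRule = rule.substring(1);

    if (isNegated && isRemote && isRemoteRule(normalizedRule)) {
      allowed = allowed && !isAllowedResource(uri, true, [normalizedRule]);
    } else if (isNegated && !isRemote && !isRemoteRule(normalizedRule)) {
      allowed = allowed && !isAllowedResource(uri, false, [normalizedRule]);
    } else if (isNegated) {
      // Negated rule of the other kind (remote vs local): verdict unchanged.
    } else if (rule == 'all') {
      allowed = true;
    } else if (isRemote && rule == 'local') {
      // 'local' says nothing about remote resources: verdict unchanged.
    } else if (isRemote && rule == 'remote') {
      allowed = true;
    } else if (!isRemote && rule == 'remote') {
      allowed = false;
    } else if (!isRemote && rule == 'local') {
      allowed = true;
    } else if (rule === match) {
      allowed = true;
    } else if (rule === uri) {
      allowed = true;
    } else if (isRemote && startsWithUriRule(absoluteUri, rule)) {
      allowed = true;
    } else if (!isRemote && startsWithPathRule(absoluteUri, rule)) {
      allowed = true;
    } else if (isRemote != isRemoteRule(normalizedRule)) {
      // Rule targets the other kind of resource: verdict unchanged.
    } else {
      allowed = false;
    }
  }

  return allowed;
}

// True when `rule` is a prefix of the remote `absoluteUri` that ends on a URL
// component boundary ('/', '?' or '#'), or equals it. ':' and '@' are
// deliberately not boundaries, since text before them can be userinfo.
function startsWithUriRule(absoluteUri, rule) {
  var lastOfRule;
  var nextInUri;

  if (absoluteUri.indexOf(rule) !== 0) {
    return false;
  }

  if (absoluteUri.length === rule.length) {
    return true;
  }

  lastOfRule = rule.charAt(rule.length - 1);
  nextInUri = absoluteUri.charAt(rule.length);

  return lastOfRule === '/' || lastOfRule === '?' || lastOfRule === '#' ||
    nextInUri === '/' || nextInUri === '?' || nextInUri === '#';
}

// True when the resolved `rule` is `absolutePath` itself or one of its
// ancestor directories, i.e. the prefix ends on a path separator.
function startsWithPathRule(absolutePath, rule) {
  var base = path.resolve(rule);

  if (absolutePath.indexOf(base) !== 0) {
    return false;
  }

  if (absolutePath.length === base.length) {
    return true;
  }

  return base.charAt(base.length - 1) === path.sep ||
    absolutePath.charAt(base.length) === path.sep;
}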
/**
 * Tells whether a rule addresses remote resources.
 *
 * A rule counts as remote when isRemoteResource() accepts it, or when
 * wrapping it as `http://<rule>` yields a URL whose host is the rule itself
 * (i.e. the rule is a bare host).
 *
 * @param {string} rule - a single rule, without any leading '!'
 * @returns {*} truthy when the rule is remote (the isRemoteResource result or
 *   a boolean from the host comparison)
 */
function isRemoteRule(rule) {
  var explicitlyRemote = isRemoteResource(rule);
  var parsedHost;

  if (explicitlyRemote) {
    return explicitlyRemote;
  }

  parsedHost = url.parse(HTTP_PROTOCOL + '//' + rule).host;

  return parsedHost == rule;
}
// The rule matcher is this module's only export.
module.exports = isAllowedResource;