1- import crypto from 'node:crypto' ;
2-
31import type { ILicenseV3 , BehaviorWithContext , LicenseValidationOptions } from '@rocket.chat/core-typings' ;
42
53import { isBehaviorAllowed } from '../isItemAllowed' ;
@@ -20,9 +18,8 @@ const validateUrl = (licenseURL: string, url: string) => {
2018 return licenseURL . toLowerCase ( ) === url . toLowerCase ( ) ;
2119} ;
2220
23- const validateHash = ( licenseURL : string , url : string ) => {
24- const value = crypto . createHash ( 'sha256' ) . update ( url ) . digest ( 'hex' ) ;
25- return licenseURL === value ;
21+ const validateHash = ( licenseURL : string , hashedUrl : string ) => {
22+ return licenseURL === hashedUrl ;
2623} ;
2724
2825export function validateLicenseUrl ( this : LicenseManager , license : ILicenseV3 , options : LicenseValidationOptions ) : BehaviorWithContext [ ] {
@@ -41,25 +38,49 @@ export function validateLicenseUrl(this: LicenseManager, license: ILicenseV3, op
4138 return [ getResultingBehavior ( { behavior : 'invalidate_license' } , { reason : 'url' } ) ] ;
4239 }
4340
41+ const hashedWorkspaceUrl = this . hashWorkspaceUrl ( workspaceUrl ) ;
42+
4443 return serverUrls
4544 . filter ( ( url ) => {
45+ if (
46+ url . type === 'url' &&
47+ url . value . length === 64 &&
48+ / ^ [ a - f 0 - 9 ] { 64 } $ / i. test ( url . value ) &&
49+ validateHash ( url . value , hashedWorkspaceUrl )
50+ ) {
51+ // If the url type is 'url' but the value looks like a hash, validate it as a hash to avoid invalidating licenses unnecessarily.
52+ logger . warn (
53+ `License URL with type 'url' is actually a hash. Validating as hash to avoid invalidating license unnecessarily. url: ${ url . value } ` ,
54+ ) ;
55+ return false ;
56+ }
57+
58+ if ( url . type === 'hash' && ! / ^ [ a - f 0 - 9 ] { 64 } $ / i. test ( url . value ) && validateUrl ( url . value , workspaceUrl ) ) {
59+ // If the url type is 'hash' but the value looks like a url, validate it as a url to avoid invalidating licenses unnecessarily.
60+ logger . warn (
61+ `License URL with type 'hash' does not look like a hash. Validating as url to avoid invalidating license unnecessarily. url: ${ url . value } ` ,
62+ ) ;
63+ return false ;
64+ }
65+
4666 switch ( url . type ) {
4767 case 'regex' :
4868 return ! validateRegex ( url . value , workspaceUrl ) ;
4969 case 'hash' :
50- return ! validateHash ( url . value , workspaceUrl ) ;
70+ return ! validateHash ( url . value , hashedWorkspaceUrl ) ;
5171 case 'url' :
5272 return ! validateUrl ( url . value , workspaceUrl ) ;
5373 default :
54- return false ;
74+ return true ; // If the type is unknown, consider it invalid to be safe.
5575 }
5676 } )
5777 . map ( ( url ) => {
5878 if ( ! options . suppressLog ) {
5979 logger . error ( {
6080 msg : 'Url validation failed' ,
61- url,
81+ licenseUrl : url ,
6282 workspaceUrl,
83+ hashedWorkspaceUrl,
6384 } ) ;
6485 }
6586 return getResultingBehavior ( { behavior : 'invalidate_license' } , { reason : 'url' } ) ;
0 commit comments