Disable PuSH for blocked domains

2017-02-14 04:01:02 +01:00
parent 94b61bdcf6
commit 40a4053732
2 changed files with 7 additions and 3 deletions
--- a/app/services/pubsubhubbub/subscribe_service.rb
+++ b/app/services/pubsubhubbub/subscribe_service.rb
@ -2,8 +2,9 @@

 class Pubsubhubbub::SubscribeService < BaseService
  def call(account, callback, secret, lease_seconds)
-    return ['Invalid topic URL', 422] if account.nil?
-    return ['Invalid callback URL', 422] unless !callback.blank? && callback =~ /\A#{URI.regexp(%w(http https))}\z/
+    return ['Invalid topic URL',        422] if account.nil?
+    return ['Invalid callback URL',     422] unless !callback.blank? && callback =~ /\A#{URI.regexp(%w(http https))}\z/
+    return ['Callback URL not allowed', 403] if DomainBlock.blocked?(Addressable::URI.parse(callback).host)

    subscription = Subscription.where(account: account, callback_url: callback).first_or_create!(account: account, callback_url: callback)
    Pubsubhubbub::ConfirmationWorker.perform_async(subscription.id, 'subscribe', secret, lease_seconds)