Fix GHSL-2026-045_Wekan.

Thanks to GHSL and xet7 !
2026-03-10 07:32:35 +01:00 · 2026-02-19 23:47:56 +02:00 · 2026-02-19 23:47:56 +02:00 · 62216e36c1
commit 62216e36c1
parent 73eb98c57a
3 changed files with 191 additions and 0 deletions
--- a/models/trelloCreator.js
+++ b/models/trelloCreator.js
@ -22,6 +22,7 @@ import {
  calendar
 } from '/imports/lib/dateUtils';
 import getSlug from 'limax';
+import { validateAttachmentUrl } from './lib/attachmentUrlValidation';

 const DateString = Match.Where(function(dateAsString) {
  check(dateAsString, String);
@ -471,6 +472,17 @@ export class TrelloCreator {
            }
          };
          if (att.url) {
+            const validation = validateAttachmentUrl(att.url);
+            if (!validation.valid) {
+              if (process.env.DEBUG === 'true') {
+                console.warn(
+                  'Blocked attachment URL during Trello import:',
+                  validation.reason,
+                  att.url,
+                );
+              }
+              return;
+            }
            Attachments.load(att.url, opts, cb, true);
          } else if (att.file) {
            Attachments.insert(att.file, opts, cb, true);