From d1b579d5e44e7f752558295daf055404f430b43b Mon Sep 17 00:00:00 2001
From: Ratko Zagorac
Date: Tue, 25 Feb 2025 14:16:08 +0100
Subject: [PATCH] MWPW-151376: Check sharepoint url
---
 tools/floodgate/js/config.js | 17 ++++++++-------
 tools/loc/config.js | 41 ++++++++++++++++++------------------
 tools/loc/utils.js | 8 ++++++-
 3 files changed, 37 insertions(+), 29 deletions(-)
diff --git a/tools/floodgate/js/config.js b/tools/floodgate/js/config.js
index c9bb995da5..d6eecdbffd 100644
--- a/tools/floodgate/js/config.js
+++ b/tools/floodgate/js/config.js
@@ -22,15 +22,16 @@ function getPromoteIgnorePaths(configJson) {
 async function getConfig(fgColor) {
   if (!decoratedConfig) {
     const urlInfo = getUrlInfo();
-    if (urlInfo.isValid()) {
-      const configPath = `${urlInfo.origin}${FLOODGATE_CONFIG}`;
-      const configJson = await fetchConfigJson(configPath);
-      decoratedConfig = {
-        sp: getSharepointConfig(configJson, fgColor),
-        admin: getHelixAdminConfig(),
-        promoteIgnorePaths: getPromoteIgnorePaths(configJson),
-      };
+    if (!urlInfo.isValid()) {
+      throw new Error('Invalid Url Parameters that point to project file');
     }
+    const configPath = `${urlInfo.origin}${FLOODGATE_CONFIG}`;
+    const configJson = await fetchConfigJson(configPath);
+    decoratedConfig = {
+      sp: getSharepointConfig(configJson, fgColor),
+      admin: getHelixAdminConfig(),
+      promoteIgnorePaths: getPromoteIgnorePaths(configJson),
+    };
   }
   return decoratedConfig;
 }
diff --git a/tools/loc/config.js b/tools/loc/config.js
index e56411cff5..c9b720629c 100644
--- a/tools/loc/config.js
+++ b/tools/loc/config.js
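Review bot: The new `throw new Error('Invalid Url Parameters that point to project file')` line does not say which check failed, and after this commit `isValid()` can also reject a well-formed URL whose host is not on the SharePoint allow-list (tools/loc/utils.js), so the message will mislead whoever reads it; the identical line in the tools/loc/config.js hunk has the same problem. Suggest a message that covers both failure modes, `throw new Error('Invalid URL parameters: project location is missing or not on an allowed SharePoint host');`, and a JSDoc `@throws {Error}` entry on getConfig stating the same condition. Whether callers of getConfig catch this, rather than letting it surface as an unhandled rejection, is not visible here and is worth confirming, since the previous code returned `undefined` silently in that case.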
@@ -188,27 +188,28 @@ function getHelixAdminConfig() {
 async function getConfig() {
   if (!decoratedConfig) {
     const urlInfo = getUrlInfo();
-    if (urlInfo.isValid()) {
-      const configPath = `${urlInfo.origin}${LOC_CONFIG}`;
-      const configJson = await fetchConfigJson(configPath);
-      const locales = getLocalesConfig(configJson);
-      const decoratedLocales = getDecoratedLocalesConfig(locales);
-      const workflowsConfig = getWorkflowsConfig(configJson);
-      decoratedConfig = {
-        locales,
-        decoratedLocales,
-        glaas: getDecoratedGLaaSConfig(configJson, decoratedLocales, workflowsConfig),
-        sp: getSharepointConfig(configJson),
-        admin: getHelixAdminConfig(),
-        getLivecopiesForLanguage(language) {
-          const localeConfig = decoratedLocales[language];
-          return localeConfig?.livecopies ? localeConfig.livecopies : null;
-        },
-        getWorkflowForLanguage(language, customWorkflow) {
-          return getWorkflowForLanguage(workflowsConfig, language, decoratedLocales, customWorkflow);
-        },
-      };
+    if (!urlInfo.isValid()) {
+      throw new Error('Invalid Url Parameters that point to project file');
     }
+    const configPath = `${urlInfo.origin}${LOC_CONFIG}`;
+    const configJson = await fetchConfigJson(configPath);
+    const locales = getLocalesConfig(configJson);
+    const decoratedLocales = getDecoratedLocalesConfig(locales);
+    const workflowsConfig = getWorkflowsConfig(configJson);
+    decoratedConfig = {
+      locales,
+      decoratedLocales,
+      glaas: getDecoratedGLaaSConfig(configJson, decoratedLocales, workflowsConfig),
+      sp: getSharepointConfig(configJson),
+      admin: getHelixAdminConfig(),
+      getLivecopiesForLanguage(language) {
+        const localeConfig = decoratedLocales[language];
+        return localeConfig?.livecopies ? localeConfig.livecopies : null;
+      },
+      getWorkflowForLanguage(language, customWorkflow) {
+        return getWorkflowForLanguage(workflowsConfig, language, decoratedLocales, customWorkflow);
+      },
+    };
   }
   return decoratedConfig;
 }
diff --git a/tools/loc/utils.js b/tools/loc/utils.js
index 08d99c5d37..35540004ae 100644
--- a/tools/loc/utils.js
+++ b/tools/loc/utils.js
@@ -68,6 +68,12 @@ export function getUrlInfo() {
   function getParam(name) {
     return location.searchParams.get(name);
   }
 
+
+  function isValidReferrer(url) {
+    const allowedHosts = ['adobe.sharepoint.com'];
+    return allowedHosts.includes(new URL(url)?.hostname);
+  }
+
   const projectName = getParam('project');
   const sub = projectName ? projectName.split('--') : [];
@@ -83,7 +89,7 @@ export function getUrlInfo() {
     ref,
     origin: `https://${ref}--${repo}--${owner}.hlx.page`, // TODO ADD HLX5 SUPPORT
     isValid() {
-      return sp && owner && repo && ref;
+      return sp && owner && repo && ref && isValidReferrer(sp);
     },
   };
   return urlInfo;
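Review bot: `new URL(url)` in the added isValidReferrer throws a TypeError for any value that is not an absolute URL, so a malformed `sp` parameter now makes `urlInfo.isValid()` throw instead of returning false, and the `?.` after `new URL(url)` never helps because the constructor never yields a nullish value. The check also compares only `hostname`, so the scheme is left unconstrained; the SharePoint calls that later consume `sp` presumably expect https. Exact hostname matching against the allow-list is the right choice and should stay; wrap the parse and add the protocol check as below. The name is also misleading, since the argument is the `sp` query parameter rather than the HTTP referrer; `isAllowedSharepointUrl` would read better. getUrlInfo begins outside this hunk.
```javascript
  function isValidReferrer(url) {
    const allowedHosts = ['adobe.sharepoint.com'];
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      return false; // not an absolute URL: treat as invalid rather than throwing out of isValid()
    }
    return parsed.protocol === 'https:' && allowedHosts.includes(parsed.hostname);
  }
```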
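Review bot: The new `return sp && owner && repo && ref && isValidReferrer(sp);` still yields whatever operand short-circuits first — presumably `null` for a missing parameter, an empty string, or the boolean from isValidReferrer — so `isValid()` is not guaranteed to return a boolean; the callers in both config.js hunks use it in a plain `if`, which works, but a later `=== false` comparison would not. Suggest `return Boolean(sp && owner && repo && ref) && isValidReferrer(sp);` together with a comment above it, `// sp must be a URL on an allowed SharePoint host; see isValidReferrer`, since the allow-list is the security-relevant part of this check and nothing at the call site says so. getUrlInfo starts before this hunk.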