From 5060f68b9728bf94818ee985c16c25511f248143 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Mon, 20 Dec 2021 00:15:08 +0100 Subject: disallow extended API variables in links --- lib/Uris.hs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'lib/Uris.hs') diff --git a/lib/Uris.hs b/lib/Uris.hs index 5ad9180..e2d9a5f 100644 --- a/lib/Uris.hs +++ b/lib/Uris.hs @@ -9,7 +9,7 @@ module Uris where -import Control.Monad (unless) +import Control.Monad (unless, when) import Data.Aeson (FromJSON (..), Options (..), SumEncoding (UntaggedValue), defaultOptions, genericParseJSON) @@ -58,6 +58,7 @@ data SubstError = | IsBlocked | DomainDoesNotExist Text | WrongScope Text [Text] + | VarsDisallowed -- ^ This link's schema exists, but cannot be used in this scope. -- The second field contains a list of schemas that may be used instead. @@ -65,7 +66,10 @@ data SubstError = applySubst :: KnownSymbol s => Proxy s -> SchemaSet -> Text -> Either SubstError Text applySubst s substs uri = do + when (uri =~ "{{{.*}}}") + $ Left VarsDisallowed (schema, domain, rest) <- note NotALink $ parseUri uri + rules <- note (SchemaDoesNotExist schema) ( M.lookup schema substs) unless (symbolVal s `elem` scope rules) $ Left (WrongScope schema -- cgit v1.2.3
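Review bot: In the `data SubstError` hunk, `| VarsDisallowed` is inserted between `| WrongScope Text [Text]` and the `-- ^` comment that documents it, so Haddock will now attach "This link's schema exists, but cannot be used in this scope" and the "second field" remark to `VarsDisallowed`, which has no fields. Move the new constructor below that comment block so the existing text stays with `WrongScope`. Then give the new constructor its own line, for example `-- ^ The link contains an extended API variable, which is not allowed in links.` The declaration starts and ends outside the hunk.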
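Review bot: The guard added at the top of `applySubst`, `when (uri =~ "{{{.*}}}")`, writes the braces as bare regex text and only rejects a link that contains both an opening and a closing triple brace. Which regex backend `=~` resolves to is not visible in this patch, and in POSIX-style syntax `{` can introduce an interval, so the literal reading should be confirmed or replaced by a plain substring test such as `when (Data.Text.isInfixOf "{{{" uri) $ Left VarsDisallowed`. The check also runs on the raw text before `parseUri`, so if any consumer percent-decodes the link before expanding variables, an encoded form would pass; that is worth confirming against the consumer. A short comment above the guard saying why variables are rejected in every scope would help the next reader. The body of `applySubst` continues outside the hunk.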