Closes #1990 Add setting to ignore hosts or CIDR addresses in Embed. (#2953)

packages/rocketchat-lib/i18n/en.i18n.json

@@ -129,6 +129,8 @@
   "API_Embed" : "Embed",
   "API_EmbedDisabledFor" : "Disable Embed for Users",
   "API_EmbedDisabledFor_Description" : "Comma-separated list of usernames",
+  "API_EmbedIgnoredHosts": "Embed Ignored Hosts",
+  "API_EmbedIgnoredHostnames_Description": "Comma-separated list of hosts or CIDR addresses, eg. localhost, 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16",
   "API_GitHub_Enterprise_URL" : "Server URL",
   "API_GitHub_Enterprise_URL_Description" : "Example: http://domain.com (excluding trailing slash)",
   "API_Gitlab_URL" : "GitLab URL",

packages/rocketchat-lib/server/startup/settings.coffee

@@ -131,6 +131,7 @@ RocketChat.settings.addGroup 'Message', ->
 	@add 'Message_GroupingPeriod', 300, { type: 'int', public: true, i18nDescription: 'Message_GroupingPeriodDescription' }
 	@add 'API_Embed', true, { type: 'boolean', public: true }
 	@add 'API_EmbedDisabledFor', '', { type: 'string', public: true, i18nDescription: 'API_EmbedDisabledFor_Description' }
+	@add 'API_EmbedIgnoredHosts', 'localhost, 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16', { type: 'string', i18nDescription: 'API_EmbedIgnoredHosts_Description' }
 	@add 'Message_TimeFormat', 'LT', { type: 'string', public: true, i18nDescription: 'Message_TimeFormat_Description' }
 	@add 'Message_DateFormat', 'LL', { type: 'string', public: true, i18nDescription: 'Message_DateFormat_Description' }
 

packages/rocketchat-oembed/.npm/package/npm-shrinkwrap.json

@@ -2,6 +2,14 @@
   "dependencies": {
     "iconv-lite": {
       "version": "0.4.13"
+    },
+    "ip-range-check": {
+      "version": "0.0.1",
+      "dependencies": {
+        "ipaddr.js": {
+          "version": "1.1.0"
+        }
+      }
     }
   }
 }

packages/rocketchat-oembed/package.js

@@ -6,7 +6,8 @@ Package.describe({
 });
 
 Npm.depends({
-	'iconv-lite': '0.4.13'
+	'iconv-lite': '0.4.13',
+	'ip-range-check': '0.0.1'
 });
 
 Package.onUse(function(api) {

packages/rocketchat-oembed/server/server.coffee

@@ -2,6 +2,7 @@ URL = Npm.require('url')
 querystring = Npm.require('querystring')
 request = HTTPInternals.NpmModules.request.module
 iconv = Npm.require('iconv-lite')
+ipRangeCheck = Npm.require('ip-range-check')
 
 OEmbed = {}
 
@@ -20,7 +21,11 @@ getUrlContent = (urlObj, redirectCount = 5, callback) ->
 	if _.isString(urlObj)
 		urlObj = URL.parse urlObj
 
-	parsedUrl = _.pick urlObj, ['host', 'hash', 'pathname', 'protocol', 'port', 'query', 'search']
+	parsedUrl = _.pick urlObj, ['host', 'hash', 'pathname', 'protocol', 'port', 'query', 'search', 'hostname']
+
+	ignoredHosts = RocketChat.settings.get('API_EmbedIgnoredHosts').split(',') or []
+	if parsedUrl.hostname in ignoredHosts or ipRangeCheck(parsedUrl.hostname, ignoredHosts)
+		return callback()
 
 	data = RocketChat.callbacks.run 'oembed:beforeGetUrlContent',
 		urlObj: urlObj
@@ -86,6 +91,8 @@ OEmbed.getUrlMeta = (url, withFragment) ->
 		urlObj.path = path
 
 	content = getUrlContentSync urlObj, 5
+	if !content
+		return
 
 	if content.attachments?
 		return content