From 453380fd94dc2d9b09edff99709d3bdf886a1a33 Mon Sep 17 00:00:00 2001
From: Willian Viana
Date: Wed, 25 Sep 2024 17:43:52 -0300
Subject: [PATCH] feat(metadata): add safe path validation
---
 data/metadata.json | 58 +++++++++++++++++++++++++++++++
 pages/api/metadata/[...params].js | 17 +++++----
 2 files changed, 69 insertions(+), 6 deletions(-)
 create mode 100644 data/metadata.json
diff --git a/data/metadata.json b/data/metadata.json
new file mode 100644
index 0000000000..cead296d25
--- /dev/null
+++ b/data/metadata.json
@@ -0,0 +1,58 @@
+[
+ "umd_landsat_alerts",
+ "gfw_integrated_alerts",
+ "umd_glad_sentinel2_alerts",
+ "wur_radd_alerts",
+ "nasa_viirs_fire_alerts",
+ "umd_tree_cover_loss_from_fires",
+ "umd_tree_cover_gain_from_height",
+ "umd_tree_cover_loss",
+ "gfw_emerging_hot_spots",
+ "tsc_tree_cover_loss_drivers",
+ "umd_adm0_net_tree_cover_change_from_height",
+ "umd_tree_cover_density_2000",
+ "umd_tree_cover_density_2000",
+ "wri_tropical_tree_cover",
+ "wri_tropical_tree_cover",
+ "umd_regional_primary_forest_2001",
+ "umd_tree_cover_height_2020",
+ "wcs_forest_landscape_integrity_index",
+ "ifl_intact_forest_landscapes",
+ "esa_land_cover_2015",
+ "umd_soy_planted_area",
+ "gfw_planted_forests",
+ "gfw_peatlands",
+ "gmw_global_mangrove_extent",
+ "mapbiomas_bra_land_cover",
+ "ibge_bra_biomes",
+ "idn_land_cover_2017",
+ "gfw_managed_forests",
+ "gfw_mining_concessions",
+ "gfw_oil_palm",
+ "gfw_west_africa_cocoa_plot_density",
+ "gfw_universal_mill_list",
+ "rspo_oil_palm",
+ "gfw_oil_gas",
+ "gfw_wood_fiber",
+ "wdpa_protected_areas",
+ "intl_rivers_dam_hotspots",
+ "landmark_indigenous_and_community_lands",
+ "landmark_natural_resource_rights",
+ "licadho_khm_economic_land_concessions",
+ "haka_idn_leuser",
+ "idn_forest_area",
+ "idn_forest_moratorium",
+ "osinfor_per_forest_concessions",
+ "osinfor_per_forest_concessions",
+ "osinfor_peru_permanent_production_forests",
+ "gfw_forest_carbon_gross_emissions",
+ "gfw_forest_carbon_net_flux",
+ "gfw_forest_carbon_gross_removals",
+ "whrc_aboveground_biomass_stock_2000",
+ "birdlife_biodiversity_intactness",
+ "birdlife_biodiversity_significance",
+ "birdlife_alliance_for_zero_extinction_sites",
+ "birdlife_key_biodiversity_areas",
+ "ci_biodiversity_hotspots",
+ "birdlife_endemic_bird_areas"
+]
\ No newline at end of file
diff --git a/pages/api/metadata/[...params].js b/pages/api/metadata/[...params].js
index c7e657618b..797559402a 100644
--- a/pages/api/metadata/[...params].js
+++ b/pages/api/metadata/[...params].js
@@ -1,14 +1,19 @@
-import { GFW_DATA_API, GFW_STAGING_DATA_API } from 'utils/apis';
+import { GFW_DATA_API } from 'utils/apis';
 import axios from 'axios';
-const ENVIRONMENT = process.env.NEXT_PUBLIC_FEATURE_ENV;
-const GFW_METADATA_API_URL =
- ENVIRONMENT === 'staging' ? GFW_STAGING_DATA_API : GFW_DATA_API;
+import METADATA_LIST from '../../../data/metadata.json';
 export default async (req, res) => {
 try {
- const path = req.query.params.join('/');
- const url = `${GFW_METADATA_API_URL}/${path}`;
+ const userPath = req.query.params[1];
+ const safePath = METADATA_LIST.includes(userPath);
+
+ if (!safePath) {
+ return res.status(400).end('Invalid path');
+ }
+
+ const url = `${GFW_DATA_API}/dataset/${userPath}`;
+
 const datasetMetadata = await axios.get(url);
 const datasetVersionMetadata = await axios.get(`${url}/latest/metadata`);
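Review bot: Only `req.query.params[1]` is validated; `params[0]` and any segments after index 1 are ignored, so the route shape is no longer checked even though the upstream URL now hard-codes `/dataset/`. Presumably callers send `dataset/<name>`; if so, destructure with `const [kind, userPath] = req.query.params;` and reject on `if (req.query.params.length !== 2 || kind !== 'dataset' || !METADATA_LIST.includes(userPath))`. `safePath` holds a boolean, so a name such as `isAllowedDataset` reads better, and a one-line comment that `data/metadata.json` is the allowlist for the upstream path would help whoever adds a dataset next. The commit also drops the staging host selection (`GFW_STAGING_DATA_API`), which the subject line does not mention, so it is worth confirming that staging deployments should now call `GFW_DATA_API`. The handler body continues past the end of the hunk.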