[server] improve hostname validation

AlexTugarev · AlexTugarev · commit b1c53ea8062e · 2021-04-30T12:25:14.000+02:00
diff --git a/components/gitpod-protocol/src/util/gitpod-host-url.ts b/components/gitpod-protocol/src/util/gitpod-host-url.ts
@@ -128,9 +128,13 @@ export class GitpodHostUrl {
 
     get workspaceId(): string | undefined {
         const hostSegs = this.url.host.split(".");
-        if (hostSegs.length > 1 && hostSegs[0].match(workspaceIDRegex)) {
-            // URL has a workspace prefix
-            return hostSegs[0];
+        if (hostSegs.length > 1) {
+            const matchResults = hostSegs[0].match(workspaceIDRegex);
+            if (matchResults) {
+                // URL has a workspace prefix
+                // port prefixes are excluded
+                return matchResults[0];
+            }
         }
 
         const pathSegs = this.url.pathname.split("/")
diff --git a/components/server/src/bitbucket/bitbucket-context-parser.spec.ts b/components/server/src/bitbucket/bitbucket-context-parser.spec.ts
@@ -18,7 +18,7 @@ import { BitbucketTokenHelper } from "./bitbucket-token-handler";
 const expect = chai.expect;
 import { skipIfEnvVarNotSet } from "@gitpod/gitpod-protocol/lib/util/skip-if";
 
-@suite.only(timeout(10000), skipIfEnvVarNotSet("GITPOD_TEST_TOKEN_BITBUCKET"))
+@suite(timeout(10000), skipIfEnvVarNotSet("GITPOD_TEST_TOKEN_BITBUCKET"))
 class TestBitbucketContextParser {
 
     protected parser: BitbucketContextParser;
diff --git a/components/server/src/express-util.ts b/components/server/src/express-util.ts
@@ -9,7 +9,7 @@ import { log } from '@gitpod/gitpod-protocol/lib/util/logging';
 import { URL } from 'url';
 import * as express from 'express';
 import * as crypto from 'crypto';
-import { GitpodHostUrl, workspaceIDRegex } from '@gitpod/gitpod-protocol/lib/util/gitpod-host-url';
+import { GitpodHostUrl } from '@gitpod/gitpod-protocol/lib/util/gitpod-host-url';
 
 export const pingPong: WsRequestHandler = (ws, req, next) => {
     let pingSentTimer: any;
@@ -91,7 +91,14 @@ const looksLikeWorkspaceHostname = (originHostname: URL, gitpodHostName: string)
         return false;
     }
     const url = new GitpodHostUrl(originHostname);
-    return workspaceIDRegex.test(url.workspaceId || '')
+    const workspaceId = url.workspaceId;
+    if (workspaceId) {
+        const hostname = url.url.hostname as string;
+        if (hostname.startsWith(workspaceId)) {
+            return true;
+        }
+    }
+    return false;
 };
 
 export function saveSession(reqOrSession: express.Request | Express.Session): Promise<void> {
