feat(dev): add interface for safe downloads

Author: broken-pen

docs/configuration.org

@@ -555,6 +555,36 @@ See [[https://orgmode.org/manual/Property-Inheritance.html][Property Inheritance
 - Default: ~{ [':tangle'] = 'no', [':noweb']  = no }~
 Default header args for extracting source code. See [[#extract-source-code-tangle][Extract source code (tangle)]] for more details.
 
+*** org_resource_download_policy
+:PROPERTIES:
+:CUSTOM_ID: org_resource_download_policy
+:END:
+- Type: ='always' | 'prompt' | 'safe' | 'never'=
+- Default: ='prompt'=
+Policy applied to requests to obtain remote resources.
+
+- =always= - Always download remote resources (dangerous!)
+- =prompt= - Prompt before downloading an unsafe resource
+- =safe= - Only download resources allowed by [[#org_safe_remote_resources][org_safe_remote_resources]]
+- =never= - Never download any resources
+
+In Emacs Orgmode, this affects keywords like =#+setupfile= and =#+include=
+on export, =org-persist-write:url=; and =org-attach-url= in non-interactive
+sessions. Nvim Orgmode currently does not use this option, but defines it
+for future use.
+
+*** org_safe_remote_resources
+:PROPERTIES:
+:CUSTOM_ID: org_safe_remote_resources
+:END:
+- Type: =string[]=
+- Default: ={}=
+
+List of regex patterns matching safe URIs. URI regexps are applied to both
+URLs and Org files requesting remote resources. The test uses
+=vim.regex()=, so the regexes are always interpreted as magic and
+case-sensitive.
+
 *** calendar_week_start_day
 :PROPERTIES:
 :CUSTOM_ID: calendar_week_start_day

lua/orgmode/config/_meta.lua

@@ -240,6 +240,8 @@
 ---@field org_id_link_to_org_use_id? boolean If true, Storing a link to the headline will automatically generate ID for that headline. Default: false
 ---@field org_use_property_inheritance boolean | string | string[] If true, properties are inherited by sub-headlines; may also be a regex or list of property names. Default: false
 ---@field org_babel_default_header_args? table<string, string> Default header args for org-babel blocks: Default: { [':tangle'] = 'no', [':noweb'] = 'no' }
+---@field org_resource_download_policy 'always' | 'prompt' | 'safe' | 'never' Policy for downloading files from the Internet. Default: 'prompt'
+---@field org_safe_remote_resources string[] List of regex patterns for URIs considered always safe to download from. Default: {}
 ---@field win_split_mode? 'horizontal' | 'vertical' | 'auto' | 'float' | string[] How to open agenda and capture windows. Default: 'horizontal'
 ---@field win_border? 'none' | 'single' | 'double' | 'rounded' | 'solid' | 'shadow' | string[] Border configuration for `win_split_mode = 'float'`. Default: 'single'
 ---@field notifications? OrgNotificationsConfig Notification settings

lua/orgmode/config/defaults.lua

@@ -71,6 +71,8 @@ local DefaultConfig = {
     [':tangle'] = 'no',
     [':noweb'] = 'no',
   },
+  org_resource_download_policy = 'prompt',
+  org_safe_remote_resources = {},
   win_split_mode = 'horizontal',
   win_border = 'single',
   notifications = {

lua/orgmode/objects/remote_resource.lua

@@ -0,0 +1,169 @@
+local config = require('orgmode.config')
+local fs = require('orgmode.utils.fs')
+local utils = require('orgmode.utils')
+local Menu = require('orgmode.ui.menu')
+local State = require('orgmode.state.state')
+local Promise = require('orgmode.utils.promise')
+
+local M = {}
+
+---Return true if the URI should be fetched.
+---@param uri string
+---@return OrgPromise<boolean> safe
+function M.should_fetch(uri)
+  local policy = config.org_resource_download_policy
+  return Promise.resolve(policy == 'always' or M.is_uri_safe(uri)):next(function(safe)
+    if safe then
+      return true
+    end
+    if policy == 'prompt' then
+      return M.confirm_safe(uri)
+    end
+    return false
+  end)
+end
+
+---@param resource_uri string
+---@param file_uri string | false
+---@param patterns string[]
+---@return boolean matches
+local function check_patterns(resource_uri, file_uri, patterns)
+  for _, pattern in ipairs(patterns) do
+    local re = vim.regex(pattern)
+    if re:match_str(resource_uri) or (file_uri and re:match_str(file_uri)) then
+      return true
+    end
+  end
+  return false
+end
+
+---Check the uri matches any of the (configured or cached) safe patterns.
+---@param uri string
+---@return OrgPromise<boolean> safe
+function M.is_uri_safe(uri)
+  local current_file = fs.get_real_path(utils.current_file_path())
+  ---@type string | false # deduced type is `string | boolean`
+  local file_uri = current_file and vim.uri_from_fname(current_file) or false
+  local uri_patterns = {}
+  if config.org_safe_remote_resources then
+    vim.list_extend(uri_patterns, config.org_safe_remote_resources)
+  end
+  return State:load():next(function(state)
+    local cached = state['org_safe_remote_resources']
+    if cached then
+      vim.list_extend(uri_patterns, cached)
+    end
+    return check_patterns(uri, file_uri, uri_patterns)
+  end)
+end
+
+---@param uri string
+---@return string escaped
+local function uri_to_pattern(uri)
+  -- Escape backslashes, disable magic characters, anchor front and back of the
+  -- pattern.
+  return string.format([[\V\^%s\$]], uri:gsub([[\]], [[\\]]))
+end
+
+---@param filename string
+---@return string escaped
+local function filename_to_pattern(filename)
+  return uri_to_pattern(vim.uri_from_fname(filename))
+end
+
+---@param domain string
+---@return string escaped
+local function domain_to_pattern(domain)
+  -- We construct the following regex:
+  -- 1. http or https protocol;
+  -- 2. followed by userinfo (`name:password@`),
+  -- 3. followed by potentially `www.` (for convenience),
+  -- 4. followed by the domain (in very-nomagic mode)
+  -- 5. followed by either a slash or nothing at all.
+  return string.format(
+    [[\v^https?://([^@/?#]*\@)?(www\.)?(\V%s\v)($|/)]],
+    -- `domain` here includes the host name and port. If it doesn't contain
+    -- characters illegal in a host or port, this encoding should do nothing.
+    -- If it contains illegal characters, the domain is broken in a safe way.
+    vim.uri_encode(domain)
+  )
+end
+
+---@param pattern string
+---@return OrgPromise<OrgState>
+local function cache_safe_pattern(pattern)
+  ---@param state OrgState
+  return State:load():next(function(state)
+    -- We manipulate `cached` in a strange way here to ensure that `state` gets
+    -- marked as dirty.
+    local patterns = { pattern }
+    local cached = state['org_safe_remote_resources']
+    if cached then
+      vim.list_extend(patterns, cached)
+    end
+    state['org_safe_remote_resources'] = patterns
+  end)
+end
+
+---Ask the user if URI should be considered safe.
+---@param uri string
+---@return OrgPromise<boolean> safe
+function M.confirm_safe(uri)
+  ---@type OrgMenu
+  return Promise.new(function(resolve)
+    local menu = Menu:new({
+      title = string.format('An org-mode document would like to download %s, which is not considered safe.', uri),
+      prompt = 'Do you want to download this?',
+    })
+    menu:add_option({
+      key = '!',
+      label = 'Yes, and mark it as safe.',
+      action = function()
+        cache_safe_pattern(uri_to_pattern(uri))
+        return true
+      end,
+    })
+    local authority = uri:match('^https?://([^/?#]*)')
+    -- `domain` here includes the host name and port.
+    local domain = authority and authority:match('^[^@]*@(.*)$') or authority
+    if domain then
+      menu:add_option({
+        key = 'd',
+        label = string.format('Yes, and mark the domain as safe. (%s)', domain),
+        action = function()
+          cache_safe_pattern(domain_to_pattern(domain))
+          return true
+        end,
+      })
+    end
+    local filename = fs.get_real_path(utils.current_file_path())
+    if filename then
+      menu:add_option({
+        key = 'f',
+        label = string.format('Yes, and mark the org file as safe. (%s)', filename),
+        action = function()
+          cache_safe_pattern(filename_to_pattern(filename))
+          return true
+        end,
+      })
+    end
+    menu:add_option({
+      key = 'y',
+      label = 'Yes, just this once.',
+      action = function()
+        return true
+      end,
+    })
+    menu:add_option({
+      key = 'n',
+      label = 'No, skip this resource.',
+      action = function()
+        return false
+      end,
+    })
+    menu:add_separator({ icon = ' ', length = 1 })
+    resolve(menu:open())
+  end)
+end
+
+return M

lua/orgmode/state/state.lua

@@ -172,7 +172,7 @@ function OrgState:wipe(overwrite)
   self._ctx.saved = false
   self._ctx.dirty = true
   if overwrite then
-    state:save_sync()
+    self:save_sync()
   end
 end
 

lua/orgmode/utils/fs.lua

@@ -26,6 +26,7 @@ function M.substitute_path(path_str, base)
 end
 
 ---@param filepath string
+---@return string | false
 function M.get_real_path(filepath)
   if not filepath then
     return false

tests/plenary/object/remote_resource_spec.lua

@@ -0,0 +1,109 @@
+local State = require('orgmode.state.state')
+local config = require('orgmode.config')
+local remote = require('orgmode.objects.remote_resource')
+
+local config_backup = vim.deepcopy(config.opts)
+
+describe('Remote resource', function()
+  local SAFE_URL = 'https://example.com/'
+  local UNSAFE_URL = 'http://bad.example.org/'
+
+  after_each(function()
+    config:extend(config_backup)
+  end)
+
+  describe('with policy "always"', function()
+    before_each(function()
+      config:extend({ org_resource_download_policy = 'always' })
+    end)
+    it('accepts everything', function()
+      assert.is.True(remote.should_fetch(UNSAFE_URL):wait())
+    end)
+  end)
+
+  describe('with policy "safe"', function()
+    before_each(function()
+      config:extend({
+        org_resource_download_policy = 'safe',
+        -- This implicitly tests that we use actual regexes and not Lua
+        -- patterns (which would use `%` as escape character, not `\`).
+        org_safe_remote_resources = { '^https://.*\\.com/\\?$' },
+      })
+    end)
+    it('accepts safe URLs', function()
+      assert.is.True(remote.should_fetch(SAFE_URL):wait())
+    end)
+    it('rejects unsafe URLs', function()
+      assert.is.False(remote.should_fetch(UNSAFE_URL):wait())
+    end)
+  end)
+
+  describe('with policy "prompt"', function()
+    before_each(function()
+      config:extend({ org_resource_download_policy = 'prompt' })
+    end)
+    it('opens a prompt', function()
+      vim.api.nvim_input('<Esc>')
+      assert.is.Nil(remote.should_fetch(SAFE_URL):wait())
+    end)
+    it('accepts on "y"', function()
+      vim.api.nvim_input('y')
+      assert.is.True(remote.should_fetch(SAFE_URL):wait())
+    end)
+    it('rejects on "n"', function()
+      vim.api.nvim_input('n')
+      assert.is.False(remote.should_fetch(SAFE_URL):wait())
+    end)
+    describe('and saving decisions', function()
+      after_each(function()
+        State:wipe()
+      end)
+      it('accepts forever with "!"', function()
+        vim.api.nvim_input('!')
+        assert.is.True(remote.should_fetch(SAFE_URL):wait())
+        config:extend({ org_resource_download_policy = 'safe' })
+        assert.is.True(remote.should_fetch(SAFE_URL):wait())
+        assert.is.False(remote.should_fetch(SAFE_URL .. '/more'):wait())
+        assert.is.False(remote.should_fetch(UNSAFE_URL):wait())
+      end)
+      it('accepts forever with "d"', function()
+        vim.api.nvim_input('d')
+        assert.is.True(remote.should_fetch(SAFE_URL):wait())
+        config:extend({ org_resource_download_policy = 'safe' })
+        assert.is.True(remote.should_fetch(SAFE_URL):wait())
+        assert.is.True(remote.should_fetch(SAFE_URL .. '/more'):wait())
+        assert.is.False(remote.should_fetch(UNSAFE_URL):wait())
+      end)
+      it('accepts forever with "f"', function()
+        local todo_file = vim.fn.getcwd() .. '/tests/plenary/fixtures/todo.org'
+        vim.cmd.edit(todo_file)
+        vim.api.nvim_input('f')
+        assert.is.True(remote.should_fetch(SAFE_URL):wait())
+        config:extend({ org_resource_download_policy = 'safe' })
+        assert.is.True(remote.should_fetch(SAFE_URL):wait())
+        assert.is.True(remote.should_fetch(UNSAFE_URL):wait())
+        vim.api.nvim_buf_set_name(0, '')
+        assert.is.False(remote.should_fetch(SAFE_URL):wait())
+      end)
+    end)
+  end)
+
+  describe('with policy "never"', function()
+    before_each(function()
+      config:extend({ org_resource_download_policy = 'never' })
+    end)
+    it('rejects everything', function()
+      assert.is.False(remote.should_fetch(SAFE_URL):wait())
+    end)
+  end)
+
+  describe('default config', function()
+    it('prompts', function()
+      assert.are.equal('prompt', config.org_resource_download_policy)
+    end)
+
+    it('has no safe patterns', function()
+      assert.are.same({}, config.org_safe_remote_resources)
+    end)
+  end)
+end)