add download utils

app/controllers/api/submissions_controller.rb

@@ -80,7 +80,7 @@ module Api
       end
 
       render json: build_create_json(submissions)
-    rescue Submitters::NormalizeValues::BaseError => e
+    rescue Submitters::NormalizeValues::BaseError, DownloadUtils::UnableToDownload => e
       Rollbar.warning(e) if defined?(Rollbar)
 
       render json: { error: e.message }, status: :unprocessable_entity

app/controllers/api/submitters_controller.rb

@@ -77,7 +77,7 @@ module Api
                                                                 with_urls: true,
                                                                 with_events: false,
                                                                 params:)
-    rescue Submitters::NormalizeValues::BaseError => e
+    rescue Submitters::NormalizeValues::BaseError, DownloadUtils::UnableToDownload => e
       Rollbar.warning(e) if defined?(Rollbar)
 
       render json: { error: e.message }, status: :unprocessable_entity

app/controllers/templates_uploads_controller.rb

@@ -52,7 +52,7 @@ class TemplatesUploadsController < ApplicationController
   def create_file_params_from_url
     tempfile = Tempfile.new
     tempfile.binmode
-    tempfile.write(conn.get(Addressable::URI.parse(params[:url]).display_uri.to_s).body)
+    tempfile.write(DownloadUtils.call(params[:url]).body)
     tempfile.rewind
 
     file = ActionDispatch::Http::UploadedFile.new(
@@ -65,10 +65,4 @@ class TemplatesUploadsController < ApplicationController
 
     { files: [file] }
   end
-
-  def conn
-    Faraday.new do |faraday|
-      faraday.response :follow_redirects
-    end
-  end
 end

lib/download_utils.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module DownloadUtils
+  LOCALHOSTS = %w[0.0.0.0 127.0.0.1 localhost].freeze
+
+  UnableToDownload = Class.new(StandardError)
+
+  module_function
+
+  def call(url)
+    uri = Addressable::URI.parse(url)
+
+    if Docuseal.multitenant?
+      raise UnableToDownload, "Error loading: #{uri.display_uri}. Only HTTPS is allowed." if uri.scheme != 'https'
+
+      if uri.host.in?(LOCALHOSTS)
+        raise UnableToDownload, "Error loading: #{uri.display_uri}. Can't download from localhost."
+      end
+    end
+
+    resp = conn.get(uri.display_uri.to_s)
+
+    raise UnableToDownload, "Error loading: #{uri.display_uri}" if resp.status >= 400
+
+    resp
+  end
+
+  def conn
+    Faraday.new do |faraday|
+      faraday.response :follow_redirects
+    end
+  end
+end

lib/submitters/normalize_values.rb

@@ -11,7 +11,6 @@ module Submitters
     UnknownFieldName = Class.new(BaseError)
     InvalidDefaultValue = Class.new(BaseError)
     UnknownSubmitterName = Class.new(BaseError)
-    UnableToDownload = Class.new(BaseError)
 
     TRUE_VALUES = ['1', 'true', true, 'TRUE', 'True', 'yes', 'YES', 'Yes'].freeze
     FALSE_VALUES = ['0', 'false', false, 'FALSE', 'False', 'no', 'NO', 'No'].freeze
@@ -185,12 +184,7 @@ module Submitters
 
       return blob if blob
 
-      uri = Addressable::URI.parse(url)
+      data = DownloadUtils.call(url).body
-      resp = conn.get(uri.display_uri.to_s)
-
-      raise UnableToDownload, "Error loading: #{uri.display_uri}" if resp.status >= 400
-
-      data = resp.body
 
       checksum = Digest::MD5.base64digest(data)
 
@@ -215,11 +209,5 @@ module Submitters
 
       nil
     end
-
-    def conn
-      Faraday.new do |faraday|
-        faraday.response :follow_redirects
-      end
-    end
   end
 end