SECURITY: ensure embed_url contains valid http(s) uri

SECURITY: ensure embed_url contains valid http(s) uri

diff --git a/app/models/topic_embed.rb b/app/models/topic_embed.rb
index a18e5b8..362ee79 100644
--- a/app/models/topic_embed.rb
+++ b/app/models/topic_embed.rb
@@ -109,6 +109,8 @@ class TopicEmbed < ActiveRecord::Base
 
     url = UrlHelper.escape_uri(url)
     original_uri = URI.parse(url)
+    raise URI::InvalidURIError unless original_uri.is_a?(URI::HTTP)
+
     opts = {
       tags: %w[div p code pre h1 h2 h3 b em i strong a img ul li ol blockquote],
       attributes: %w[href src class],
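Review bot: The `is_a?(URI::HTTP)` guard on the added line still accepts an http(s) URI that has a scheme but no host, since `URI.parse` appears to build a `URI::HTTP` with `host` left nil for such input; tightening it to `raise URI::InvalidURIError unless original_uri.is_a?(URI::HTTP) && original_uri.host.present?` rejects that case before any fetch happens. `URI::HTTPS` subclasses `URI::HTTP`, so both schemes pass, which matches the commit title. Restricting the scheme does not by itself stop the later fetch from reaching internal or link-local hosts; if the code that retrieves the page does not already resolve and filter such addresses, that check belongs next to this one. The enclosing method begins and ends outside the hunk.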
diff --git a/lib/post_creator.rb b/lib/post_creator.rb
index 8a37e4c..c3b9556 100644
--- a/lib/post_creator.rb
+++ b/lib/post_creator.rb
@@ -374,6 +374,10 @@ class PostCreator
   # discourse post.
   def create_embedded_topic
     return unless @opts[:embed_url].present?
+
+    original_uri = URI.parse(@opts[:embed_url])
+    raise Discourse::InvalidParameters.new(:embed_url) unless original_uri.is_a?(URI::HTTP)
+
     embed = TopicEmbed.new(topic_id: @post.topic_id, post_id: @post.id, embed_url: @opts[:embed_url])
     rollback_from_errors!(embed) unless embed.save
   end
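Review bot: `URI.parse` on the first added line raises `URI::InvalidURIError` for malformed input, and that exception is not translated into `Discourse::InvalidParameters` the way the non-http case on the following line is, so a syntactically bad `embed_url` most likely surfaces as an unhandled error rather than the 422 the request spec expects. `TopicEmbed.find_remote` in the first hunk runs the URL through `UrlHelper.escape_uri` before parsing while this method parses the raw option, so the two call sites can disagree about the same value. Rescuing the parse error and folding it into the same invalid-parameter path keeps the method's contract uniform for callers.
```ruby
    return unless @opts[:embed_url].present?

    original_uri = begin
      URI.parse(@opts[:embed_url])
    rescue URI::InvalidURIError
      nil
    end
    raise Discourse::InvalidParameters.new(:embed_url) unless original_uri.is_a?(URI::HTTP)
    # … unchanged: TopicEmbed.new / rollback_from_errors! …
```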
diff --git a/spec/models/topic_embed_spec.rb b/spec/models/topic_embed_spec.rb
index ddfbe11..c91781e 100644
--- a/spec/models/topic_embed_spec.rb
+++ b/spec/models/topic_embed_spec.rb
@@ -308,6 +308,14 @@ describe TopicEmbed do
       end
     end
 
+    context "non-http URL" do
+      let(:url) { '/test.txt' }
+
+      it "throws an error" do
+        expect { TopicEmbed.find_remote(url) }.to raise_error(URI::InvalidURIError)
+      end
+    end
+
     context "emails" do
       let(:url) { 'http://example.com/foo' }
       let(:contents) { '<p><a href="mailto:foo%40example.com">URL encoded @ symbol</a></p><p><a href="mailto:bar@example.com">normal mailto link</a></p>' }
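Review bot: The new "non-http URL" context exercises only a relative path, which `URI.parse` turns into a `URI::Generic`; it does not show that an absolute URI with a different scheme is rejected as well. A second example using a constructed value such as `let(:url) { 'ftp://example.com/test.txt' }` with the same `raise_error(URI::InvalidURIError)` expectation would pin the scheme check itself rather than the relative-path case. The enclosing `describe` block begins and ends outside the hunk.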
diff --git a/spec/requests/posts_controller_spec.rb b/spec/requests/posts_controller_spec.rb
index 909db8c..ff355ad 100644
--- a/spec/requests/posts_controller_spec.rb
+++ b/spec/requests/posts_controller_spec.rb
@@ -675,6 +675,17 @@ describe PostsController do
           I18n.t("invalid_params", message: "category")
         )
       end
+
+      it 'will raise an error if specified embed_url is invalid' do
+        user = Fabricate(:admin)
+        master_key = Fabricate(:api_key).key
+
+        post "/posts.json",
+          params: { title: 'this is a test title', raw: 'this is test body', embed_url: '/test.txt' },
+          headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key }
+
+        expect(response.status).to eq(422)
+      end
     end
 
     describe "when logged in" do
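Review bot: The new example posts a relative path, which `URI.parse` accepts, so it only checks the non-http branch of `create_embedded_topic`; it does not cover a value `URI.parse` rejects outright, where the current code in `lib/post_creator.rb` appears to let `URI::InvalidURIError` escape instead of returning 422. A second example with a constructed malformed value such as `embed_url: 'http://exa mple.com'` and the same `expect(response.status).to eq(422)` would pin that path once the creator handles it. The enclosing `describe`/`context` blocks begin outside the hunk.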

GitHub sha: 03d26cd6