From caabac3e7468766e447f7a341f1006456061d7ba Mon Sep 17 00:00:00 2001
From: Shaun Walker
Date: Thu, 14 May 2020 18:40:53 -0400
Subject: [PATCH] removed redundant assembly download logic, added security on download controller methods
---
 .../Interfaces/IModuleDefinitionService.cs | 1 -
 .../Services/ModuleDefinitionService.cs | 37 -------------------
 Oqtane.Client/Services/ThemeService.cs | 27 --------------
 Oqtane.Client/UI/SiteRouter.razor | 2 -
 .../Controllers/ModuleDefinitionController.cs | 32 ++++++++++------
 5 files changed, 20 insertions(+), 79 deletions(-)
diff --git a/Oqtane.Client/Services/Interfaces/IModuleDefinitionService.cs b/Oqtane.Client/Services/Interfaces/IModuleDefinitionService.cs
index 8560c661..cca5e642 100644
--- a/Oqtane.Client/Services/Interfaces/IModuleDefinitionService.cs
+++ b/Oqtane.Client/Services/Interfaces/IModuleDefinitionService.cs
@@ -12,7 +12,6 @@ namespace Oqtane.Services
 Task UpdateModuleDefinitionAsync(ModuleDefinition moduleDefinition);
 Task InstallModuleDefinitionsAsync();
 Task DeleteModuleDefinitionAsync(int moduleDefinitionId, int siteId);
- Task LoadModuleDefinitionsAsync(int siteId, Runtime runtime);
 Task CreateModuleDefinitionAsync(ModuleDefinition moduleDefinition, int moduleId);
 }
 }
diff --git a/Oqtane.Client/Services/ModuleDefinitionService.cs b/Oqtane.Client/Services/ModuleDefinitionService.cs
index 12d408b4..2159a25d 100644
--- a/Oqtane.Client/Services/ModuleDefinitionService.cs
+++ b/Oqtane.Client/Services/ModuleDefinitionService.cs
@@ -49,43 +49,6 @@ namespace Oqtane.Services
 await DeleteAsync($"{Apiurl}/{moduleDefinitionId}?siteid={siteId}");
 }
- public async Task LoadModuleDefinitionsAsync(int siteId, Runtime runtime)
- {
- // get list of modules from the server
- List moduledefinitions = await GetModuleDefinitionsAsync(siteId);
-
- // download assemblies to browser when running client-side Blazor
- if (runtime == Runtime.WebAssembly)
- {
- // get list of loaded assemblies on the client ( in the client-side hosting module the browser client has its own app domain )
- Assembly[] assemblies = AppDomain.CurrentDomain.GetAssemblies();
-
- foreach (ModuleDefinition moduledefinition in moduledefinitions)
- {
- // if a module has dependencies, check if they are loaded
- if (moduledefinition.Dependencies != "")
- {
- foreach (string dependency in moduledefinition.Dependencies.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
- {
- string assemblyname = dependency.Replace(".dll", "");
- if (assemblies.Where(item => item.FullName.StartsWith(assemblyname + ",")).FirstOrDefault() == null)
- {
- // download assembly from server and load
- var bytes = await _http.GetByteArrayAsync($"{Apiurl}/load/{assemblyname}.dll");
- Assembly.Load(bytes);
- }
- }
- }
- // check if the module assembly is loaded
- if (assemblies.Where(item => item.FullName.StartsWith(moduledefinition.AssemblyName + ",")).FirstOrDefault() == null)
- {
- // download assembly from server and load
- var bytes = await _http.GetByteArrayAsync($"{Apiurl}/load/{moduledefinition.AssemblyName}.dll");
- Assembly.Load(bytes);
- }
- }
- }
- }
 public async Task CreateModuleDefinitionAsync(ModuleDefinition moduleDefinition, int moduleId)
 {
 await PostJsonAsync($"{Apiurl}?moduleid={moduleId.ToString()}", moduleDefinition);
diff --git a/Oqtane.Client/Services/ThemeService.cs b/Oqtane.Client/Services/ThemeService.cs
index e40e83dc..ddb47158 100644
--- a/Oqtane.Client/Services/ThemeService.cs
+++ b/Oqtane.Client/Services/ThemeService.cs
@@ -23,33 +23,6 @@ namespace Oqtane.Services public async Task> GetThemesAsync() { List themes = await GetJsonAsync>(Apiurl); - - // get list of loaded assemblies - Assembly[] assemblies = AppDomain.CurrentDomain.GetAssemblies(); - - foreach (Theme theme in themes) - { - if (theme.Dependencies != "") - { - foreach (string dependency in theme.Dependencies.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries)) - { - string assemblyname = dependency.Replace(".dll", ""); - if (assemblies.Where(item => item.FullName.StartsWith(assemblyname + ",")).FirstOrDefault() == null) - { - // download assembly from server and load - var bytes = await _http.GetByteArrayAsync($"{Apiurl}/load/{assemblyname}.dll"); - Assembly.Load(bytes); - } - } - } - if (assemblies.Where(item => item.FullName.StartsWith(theme.AssemblyName + ",")).FirstOrDefault() == null) - { - // download assembly from server and load - var bytes = await _http.GetByteArrayAsync($"{Apiurl}/load/{theme.AssemblyName}.dll"); - Assembly.Load(bytes); - } - } - return themes.OrderBy(item => item.Name).ToList(); } diff --git a/Oqtane.Client/UI/SiteRouter.razor b/Oqtane.Client/UI/SiteRouter.razor index 3d058032..ac7b692e 100644 --- a/Oqtane.Client/UI/SiteRouter.razor +++ b/Oqtane.Client/UI/SiteRouter.razor @@ -11,7 +11,6 @@ @inject IPageService PageService @inject IUserService UserService @inject IModuleService ModuleService -@inject IModuleDefinitionService ModuleDefinitionService @inject ILogService LogService @implements IHandleAfterRender @@ -157,7 +156,6 @@ if (PageState == null || reload >= Reload.Site) { - await ModuleDefinitionService.LoadModuleDefinitionsAsync(site.SiteId, runtime); pages = await PageService.GetPagesAsync(site.SiteId); } else diff --git a/Oqtane.Server/Controllers/ModuleDefinitionController.cs b/Oqtane.Server/Controllers/ModuleDefinitionController.cs index 139ec366..d9131d69 100644 --- a/Oqtane.Server/Controllers/ModuleDefinitionController.cs 
+++ b/Oqtane.Server/Controllers/ModuleDefinitionController.cs @@ -13,6 +13,7 @@ using Oqtane.Repository; using Oqtane.Security; using System; using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Configuration; // ReSharper disable StringIndexOfIsCultureSpecific.1 namespace Oqtane.Controllers @@ -27,10 +28,11 @@ namespace Oqtane.Controllers private readonly IUserPermissions _userPermissions; private readonly IInstallationManager _installationManager; private readonly IWebHostEnvironment _environment; + private readonly IConfigurationRoot _config; private readonly IServiceProvider _serviceProvider; private readonly ILogManager _logger; - public ModuleDefinitionController(IModuleDefinitionRepository moduleDefinitions, IModuleRepository modules,ITenantRepository tenants, ISqlRepository sql, IUserPermissions userPermissions, IInstallationManager installationManager, IWebHostEnvironment environment, IServiceProvider serviceProvider, ILogManager logger) + public ModuleDefinitionController(IModuleDefinitionRepository moduleDefinitions, IModuleRepository modules,ITenantRepository tenants, ISqlRepository sql, IUserPermissions userPermissions, IInstallationManager installationManager, IWebHostEnvironment environment, IConfigurationRoot config, IServiceProvider serviceProvider, ILogManager logger) { _moduleDefinitions = moduleDefinitions; _modules = modules; @@ -39,6 +41,7 @@ namespace Oqtane.Controllers _userPermissions = userPermissions; _installationManager = installationManager; _environment = environment; + _config = config; _serviceProvider = serviceProvider; _logger = logger; } 
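Review bot: The constructor hunk (`-27,10 +28,11`) injects `IConfigurationRoot` although the controller only reads a single key, `Runtime`, from it. `IConfiguration` is the narrower dependency and the one the default host registers; resolving `IConfigurationRoot` relies on a registration in startup code that this patch does not show, so controller activation would fail wherever that registration is absent. Unless the project deliberately standardises on the root type, I would declare `private readonly IConfiguration _config;` and take `IConfiguration config` in the constructor. The class body continues outside the hunk.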
@@ -158,11 +161,26 @@ namespace Oqtane.Controllers } } + // GET api//load + [HttpGet("load")] + public List Load() + { + List list = new List(); + if (_config.GetSection("Runtime").Value == "WebAssembly") + { + var assemblies = AppDomain.CurrentDomain.GetOqtaneClientAssemblies(); + list = AppDomain.CurrentDomain.GetOqtaneClientAssemblies().Select(a => a.GetName().Name).ToList(); + var deps = assemblies.SelectMany(a => a.GetReferencedAssemblies()).Distinct(); + list.AddRange(deps.Where(a => a.Name.EndsWith(".oqtane", StringComparison.OrdinalIgnoreCase)).Select(a => a.Name)); + } + return list; + } + // GET api//load/assembyname [HttpGet("load/{assemblyname}")] public IActionResult Load(string assemblyname) { - if (Path.GetExtension(assemblyname).ToLower() == ".dll") + if (_config.GetSection("Runtime").Value == "WebAssembly" && Path.GetExtension(assemblyname).ToLower() == ".dll") { string binfolder = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location); byte[] file = System.IO.File.ReadAllBytes(Path.Combine(binfolder, assemblyname)); @@ -175,16 +193,6 @@ namespace Oqtane.Controllers return null; } } - // GET api//load/assembyname - [HttpGet("load")] - public List Load() - { - var assemblies = AppDomain.CurrentDomain.GetOqtaneClientAssemblies(); - var list = AppDomain.CurrentDomain.GetOqtaneClientAssemblies().Select(a => a.GetName().Name).ToList(); - var deps = assemblies.SelectMany(a => a.GetReferencedAssemblies()).Distinct(); - list.AddRange(deps.Where(a=>a.Name.EndsWith(".oqtane",StringComparison.OrdinalIgnoreCase)).Select(a=>a.Name)); - return list; - } // POST api/?moduleid=x [HttpPost]
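Review bot: In `Load(string assemblyname)` the route value still reaches `Path.Combine(binfolder, assemblyname)` unchanged, because the added `Runtime` test only decides when the endpoint answers, not which file it returns. Nothing visible restricts the name to a bare file name or to the assemblies the parameterless `Load()` advertises, so any `.dll` under the server bin folder, server-only assemblies included, appears to be served, and a name carrying directory components is not rejected. No authorization attribute is visible on either action, though one on the class outside the hunk cannot be ruled out. I would gate the read on a bare-file-name check plus membership in the client assembly list, as sketched below, assuming `Load()` returns the assembly names as strings and is the full set the client requests. The method body continues into the next hunk, where the `else` branch returns `null` rather than a status result.

```csharp
public IActionResult Load(string assemblyname)
{
    // accept a bare "<name>.dll" only, and only for assemblies the client is meant to receive
    bool bareDll = assemblyname == Path.GetFileName(assemblyname)
        && string.Equals(Path.GetExtension(assemblyname), ".dll", StringComparison.OrdinalIgnoreCase);
    bool clientAssembly = bareDll
        && Load().Contains(Path.GetFileNameWithoutExtension(assemblyname), StringComparer.OrdinalIgnoreCase);
    if (_config.GetSection("Runtime").Value == "WebAssembly" && clientAssembly)
    {
        // … unchanged: read the file from the bin folder and return it …
```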