From e045667f2fc9303354109e573cfe3d5fe41279eb Mon Sep 17 00:00:00 2001
From: Rahul Rodrigues
Date: Mon, 6 May 2024 11:15:03 -0400
Subject: [PATCH] Host header (#5765)

* fixed host-header vulnerability with optional env var

* removed testing print statement

* updated env var HOST to URL_HOST

* Update sample.env

---------

Co-authored-by: Ahmad Farhat
---
 app/helpers/application_helper.rb | 2 +-
 sample.env                        | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 0fa721f729..2b05458384 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -19,7 +19,7 @@ module ApplicationHelper
 
   def branding_image
     asset_path = SettingGetter.new(setting_name: 'BrandingImage', provider: current_provider).call
-    asset_url(asset_path)
+    asset_url(asset_path, host: ENV.fetch('URL_HOST', nil))
   end
 
   def page_title
diff --git a/sample.env b/sample.env
index e3761dfebd..21584ca7f4 100644
--- a/sample.env
+++ b/sample.env
@@ -71,6 +71,9 @@ REDIS_URL=
 #GCS_CLIENT_ID=
 #GCS_CLIENT_CERT=
 
+# Set this to explicitly specify base hostname
+#URL_HOST=
+
 # Define the default locale language code (i.e. 'en' for English) from the following list:
 # [en, ar, fr, es, fa_IR]
 # The DEFAULT_LOCALE setting specifies the default language, overriding the browser language which is always set.
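Review bot: The host-header mitigation in `branding_image` is opt-in: when `URL_HOST` is unset, `host: nil` is passed to `asset_url`, which leaves the helper deriving the host from the incoming request exactly as before, so a deployment that never sets the variable keeps the behaviour the commit title says it fixes. A request-independent fix would be to declare the allowed hosts via Rails host authorization (`config.hosts`) so every URL-generating helper benefits, and to keep this explicit `host:` override as a belt-and-braces measure. Also, `ENV.fetch('URL_HOST', nil)` returns `""` when the variable is exported but blank (the likely outcome of uncommenting `#URL_HOST=` from sample.env as shipped), and `compute_asset_host` appears to treat an empty string as a host rather than as "not set", yielding a malformed `//` or `https://` prefix; `asset_url(asset_path, host: ENV['URL_HOST'].presence)` normalises blank to nil. The sample.env comment should also state whether the value is a bare hostname (e.g. `host.example` — constructed) or includes the scheme, since `asset_url` handles the two differently. The enclosing `ApplicationHelper` module starts and ends outside the hunk.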