From 77d448ed9d5e594da62cc72568a5d6a6cf04917f Mon Sep 17 00:00:00 2001
From: Sasha Ames
Date: Thu, 20 Oct 2022 11:53:25 -0700
Subject: [PATCH 1/4] whitelist shards
---
cog/views/views_search.py | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/cog/views/views_search.py b/cog/views/views_search.py
index d493b4909..ddfb29333 100644
--- a/cog/views/views_search.py
+++ b/cog/views/views_search.py
@@ -383,6 +383,9 @@ def metadata_display(request, project_short_name):
index_node = request.GET.get('index_node', None)
back = request.GET.get('back', None)
+ if not index_node in ["esgf-node.llnl.gov", "esgf.ceda.ac.uk", "esgf-data.dkrz.de", "esgf-node.ipsl.upmc.fr", "esg-dn1.nsc.liu.se", "esgf.nci.org.au", "esgdata.gfdl.noaa.gov"]
+ return HttpResponseBadRequest()
+
# retrieve project from database
project = get_object_or_404(Project, short_name__iexact=project_short_name)
config = _getSearchConfig(request, project)
@@ -827,6 +830,9 @@ def search_group_delete(request, group_id):
def search_files(request, dataset_id, index_node):
"""View that searches for all files of a given dataset, and returns the response as JSON"""
+ if not index_node in ["esgf-node.llnl.gov", "esgf.ceda.ac.uk", "esgf-data.dkrz.de", "esgf-node.ipsl.upmc.fr", "esg-dn1.nsc.liu.se", "esgf.nci.org.au", "esgdata.gfdl.noaa.gov"]
+ return HttpResponseBadRequest()
+
# maximum number of files to query for
limit = request.GET.get('limit', 20)
@@ -990,6 +996,11 @@ def citation_display(request):
# get citation info in json format
url = request.GET.get('url', '')
+ # Whitelist the citation request to just the DKRZ server for now
+ res = urllib.parse.urlparse(url)
+ if res.hostname != "cera-www.dkrz.de":
+ return HttpResponseBadRequest()
+
try:
fh = urllib.request.urlopen(url)
response = fh.read()
From 0de79b14faa969eb909a99bc0b804a683be61193 Mon Sep 17 00:00:00 2001
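Review bot: The seven-entry allowlist literal is pasted verbatim into both `metadata_display` and `search_files`, and in both hunks the added `if` line has no trailing `:`, so this commit does not parse on its own (PATCH 2/4 on this page adds the colon; squashing it into this commit would keep every revision importable). The list should exist once, as a module-level constant or a `siteManager`-sourced setting as `settings.py` already does for other site values, so the two views cannot drift: `ALLOWED_INDEX_NODES = frozenset({"esgf-node.llnl.gov", "esgf.ceda.ac.uk", ...})` at module scope and `if index_node not in ALLOWED_INDEX_NODES:` in each view, which also replaces the non-idiomatic `not x in` form. The hunks do not show how `index_node` is consumed afterwards, so a short comment recording the intent would help the next reader, e.g. `# index_node presumably becomes the host of an outbound search request — confirm; reject anything outside the known ESGF index nodes`. Both function bodies continue outside their hunks.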
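Review bot: The guard on `res.hostname` pins only the host of the caller-supplied `url`: its scheme and port are still caller-controlled, and `urllib.request.urlopen` follows HTTP redirects, so the allowlist is enforced only on the first hop. Tighten the check to the schemes the DKRZ endpoint actually serves, `if res.scheme not in ("http", "https") or res.hostname != "cera-www.dkrz.de":`, and bound the fetch with `fh = urllib.request.urlopen(url, timeout=10)` so a stalled remote cannot hold a worker indefinitely. A port check via `res.port` is worth adding as well, but note that the property raises `ValueError` for a malformed port, so it must be read under a `try` that rejects on error. Refusing redirects (an opener built without `HTTPRedirectHandler`) would close the remaining gap and is a reasonable follow-up. `citation_display` continues outside the hunk with the `try` body and its handlers.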
From: Sasha Ames
Date: Thu, 20 Oct 2022 22:07:22 -0700
Subject: [PATCH 2/4] add missing : for white list checks
---
cog/views/views_search.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cog/views/views_search.py b/cog/views/views_search.py
index ddfb29333..2d213b165 100644
--- a/cog/views/views_search.py
+++ b/cog/views/views_search.py
@@ -383,7 +383,7 @@ def metadata_display(request, project_short_name):
index_node = request.GET.get('index_node', None)
back = request.GET.get('back', None)
- if not index_node in ["esgf-node.llnl.gov", "esgf.ceda.ac.uk", "esgf-data.dkrz.de", "esgf-node.ipsl.upmc.fr", "esg-dn1.nsc.liu.se", "esgf.nci.org.au", "esgdata.gfdl.noaa.gov"]
+ if not index_node in ["esgf-node.llnl.gov", "esgf.ceda.ac.uk", "esgf-data.dkrz.de", "esgf-node.ipsl.upmc.fr", "esg-dn1.nsc.liu.se", "esgf.nci.org.au", "esgdata.gfdl.noaa.gov"]:
return HttpResponseBadRequest()
# retrieve project from database
@@ -830,7 +830,7 @@ def search_group_delete(request, group_id):
def search_files(request, dataset_id, index_node):
"""View that searches for all files of a given dataset, and returns the response as JSON"""
- if not index_node in ["esgf-node.llnl.gov", "esgf.ceda.ac.uk", "esgf-data.dkrz.de", "esgf-node.ipsl.upmc.fr", "esg-dn1.nsc.liu.se", "esgf.nci.org.au", "esgdata.gfdl.noaa.gov"]
+ if not index_node in ["esgf-node.llnl.gov", "esgf.ceda.ac.uk", "esgf-data.dkrz.de", "esgf-node.ipsl.upmc.fr", "esg-dn1.nsc.liu.se", "esgf.nci.org.au", "esgdata.gfdl.noaa.gov"]:
return HttpResponseBadRequest()
# maximum number of files to query for
From b0d5339665665dc46166d1c3f21295576fcb1479 Mon Sep 17 00:00:00 2001
From: Sasha Ames
Date: Mon, 24 Oct 2022 15:48:34 -0700
Subject: [PATCH 3/4] up v num
---
settings.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/settings.py b/settings.py
index be54b3008..9d2b632b7 100644
--- a/settings.py
+++ b/settings.py
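Review bot: With the colon in place, the check in `metadata_display` now answers 400 when the `index_node` query parameter is absent, because `request.GET.get('index_node', None)` yields `None`, which is not in the list; if the parameter was optional before this series, that is a behaviour change the commit message does not mention, and if it is now required the `None` default is dead code. Either preserve the old path with `if index_node is not None and index_node not in [...]:` or make the requirement explicit with a comment such as `# index_node is required; a missing or unknown node is rejected before any lookup`. The `search_files` hunk is unaffected, since its `index_node` is a URL path argument and always a string. Both function bodies continue outside their hunks.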
@@ -16,7 +16,7 @@ from cog.site_manager import siteManager
from cog.constants import SECTION_ESGF, SECTION_PID
-COG_VERSION = 'v4.0.1'
+COG_VERSION = 'v4.0.2'
SITE_NAME = siteManager.get('SITE_NAME', default='Local CoG')
SITE_DOMAIN = siteManager.get('SITE_DOMAIN', default='localhost:8000')
From 936f352506ced5c8d0c2a2997b34a6d36f512d16 Mon Sep 17 00:00:00 2001
From: Sasha Ames
Date: Mon, 31 Oct 2022 07:12:57 -0700
Subject: [PATCH 4/4] up v num
---
settings.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/settings.py b/settings.py
index be54b3008..9d2b632b7 100644
--- a/settings.py
+++ b/settings.py
@@ -16,7 +16,7 @@ from cog.site_manager import siteManager
from cog.constants import SECTION_ESGF, SECTION_PID
-COG_VERSION = 'v4.0.1'
+COG_VERSION = 'v4.0.2'
SITE_NAME = siteManager.get('SITE_NAME', default='Local CoG')
SITE_DOMAIN = siteManager.get('SITE_DOMAIN', default='localhost:8000')