From 451aa3bcd428159cc1f364d1eddfedd591d9e5c8 Mon Sep 17 00:00:00 2001
From: Pieter Vander Vennet
Date: Fri, 29 Sep 2023 11:13:30 +0200
Subject: [PATCH] Security: add nominatim endpoint to config and csp
---
 package.json | 3 ++-
 scripts/generateLayouts.ts | 3 +++
 src/Logic/Osm/Geocoding.ts | 3 ++-
 src/Models/Constants.ts | 2 +-
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/package.json b/package.json
index 45ede4ec45..3e74f92093 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,8 @@
 "https://overpass.kumi.systems/api/interpreter",
 "https://overpass.openstreetmap.ru/cgi/interpreter"
 ],
- "country_coder_host": "https://raw.githubusercontent.com/pietervdvn/MapComplete-data/main/latlon2country"
+ "country_coder_host": "https://raw.githubusercontent.com/pietervdvn/MapComplete-data/main/latlon2country",
+ "nominatimEndpoint": "https://nominatim.openstreetmap.org/search?"
 },
 "scripts": {
 "start": "npm run generate:layeroverview && npm run strt",
diff --git a/scripts/generateLayouts.ts b/scripts/generateLayouts.ts
index 83103f7c32..14793d2268 100644
--- a/scripts/generateLayouts.ts
+++ b/scripts/generateLayouts.ts
@@ -206,6 +206,7 @@ function asLangSpan(t: Translation, tag = "span"): string {
 }
 let previousSrc: Set = new Set()
+
 function generateCsp(
 layout: LayoutConfig,
 options: {
@@ -216,6 +217,7 @@ function generateCsp(
 "'self'",
 ...Constants.defaultOverpassUrls,
 Constants.countryCoderEndpoint,
+ Constants.nominatimEndpoint,
 "https://api.openstreetmap.org",
 "https://pietervdvn.goatcounter.com",
 ].concat(...SpecialVisualizations.specialVisualizations.map((sv) => sv.needsUrls))
@@ -283,6 +285,7 @@ const removeOtherLanguagesHash = crypto
 .createHash("sha256")
 .update(removeOtherLanguages)
 .digest("base64")
+
 async function createLandingPage(layout: LayoutConfig, manifest, whiteIcons, alreadyWritten) {
 Locale.language.setData(layout.language[0])
 const targetLanguage = layout.language[0]
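Review bot: The new key `nominatimEndpoint` in the package.json `config` block is camelCase, while the neighbouring keys visible in this patch are snake_case (`country_coder_host` here, `default_overpass_urls` and `oauth_credentials` as read in src/Models/Constants.ts). I would name it `"nominatim_endpoint"` and read it as `Constants.config.nominatim_endpoint`, so all endpoint settings follow one convention. Note also that the value is a request prefix ending in `/search?` rather than a bare host, which matters where the same string is reused as a CSP source in scripts/generateLayouts.ts.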
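Review bot: In the generateCsp hunk (`@@ -216,6 +217,7 @@`), `Constants.nominatimEndpoint` is added to the source list with the value set in package.json, `https://nominatim.openstreetmap.org/search?`, which carries a path and a trailing `?`. The CSP source grammar has no query component, and browsers do not treat such an entry uniformly (it may be accepted with the query dropped and a console warning, or not honoured). So if the rest of generateCsp, which continues outside this hunk, emits the strings unchanged, the policy for the geocoder is not reliably what was intended. Listing only the origin removes that dependency: `new URL(Constants.nominatimEndpoint).origin,`. If the function already reduces every entry to an origin further down, a one-line comment above this list saying so would be enough.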
diff --git a/src/Logic/Osm/Geocoding.ts b/src/Logic/Osm/Geocoding.ts
index 09da7af6dc..d3af5d6a5a 100644
--- a/src/Logic/Osm/Geocoding.ts
+++ b/src/Logic/Osm/Geocoding.ts
@@ -1,5 +1,6 @@
 import { Utils } from "../../Utils"
 import { BBox } from "../BBox"
+import Constants from "../../Models/Constants"
 export interface GeoCodeResult {
 display_name: string
@@ -15,7 +16,7 @@ export interface GeoCodeResult {
 }
 export class Geocoding {
- private static readonly host = "https://nominatim.openstreetmap.org/search?"
+ public static readonly host = Constants.nominatimEndpoint
 static async Search(query: string, bbox: BBox): Promise {
 const b = bbox ?? BBox.global
diff --git a/src/Models/Constants.ts b/src/Models/Constants.ts
index 35959c4caf..ad68f6979e 100644
--- a/src/Models/Constants.ts
+++ b/src/Models/Constants.ts
@@ -107,7 +107,7 @@ export default class Constants {
 public static defaultOverpassUrls = Constants.config.default_overpass_urls
 public static countryCoderEndpoint: string = Constants.config.country_coder_host
 public static osmAuthConfig: AuthConfig = Constants.config.oauth_credentials
-
+ public static nominatimEndpoint: string = Constants.config.nominatimEndpoint
 /**
 * These are the values that are allowed to use as 'backdrop' icon for a map pin
 */
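Review bot: In the `@@ -15,7 +16,7 @@` hunk of Geocoding.ts, `host` is widened from `private` to `public` although nothing in this patch reads `Geocoding.host` from outside the class; the CSP script takes the value from `Constants.nominatimEndpoint` directly. I would keep it as `private static readonly host = Constants.nominatimEndpoint`, so that Constants remains the one place other code obtains the endpoint from. The class body continues past the hunk, so an external use elsewhere in the tree is possible but not visible here.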
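Review bot: The new `nominatimEndpoint` field in Constants.ts is a reassignable `public static` read straight from `Constants.config`, with no visible check that the key is present; a config without it would presumably yield `undefined`, which then reaches both the CSP source list in generateCsp and `Geocoding.host`. Because this value decides where search queries are sent and what the page may connect to, I would declare it `public static readonly nominatimEndpoint: string = Constants.config.nominatimEndpoint`. It should also get a one-line doc comment stating that it is the Nominatim search URL prefix (ending in `?`) and is reused as a CSP source. The added line also takes the place of the blank line that separated the fields from the following `/** ... */` comment, so that separator is worth restoring. The class starts and ends outside the hunk.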