Make uploadUrls recommended (transloadit#3182)

* Make uploadUrls recommended - warn on startup if uploadUrls is not specified as not specifying it is a security risk - improve docs to make it more clear why uploadUrls should be specified (say that uploadUrls is required even though it is not, due to backward compatibility) - no longer require_tld (it gives a false security) - fixes transloadit#2831 * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com> * remove `example: []` Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
docsend · Sep 30, 2021 · d08d377 · d08d377
1 parent f61a845
commit d08d377
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 2 deletions.
diff --git a/src/companion.js b/src/companion.js
@@ -249,4 +249,8 @@ const validateConfig = (companionOptions) => {
       }
     })
   }
+
+  if (companionOptions.uploadUrls == null || companionOptions.uploadUrls.length === 0) {
+    logger.warn('Running without uploadUrls specified is a security risk if running in production', 'startup.uploadUrls')
+  }
 }
diff --git a/src/server/Uploader.js b/src/server/Uploader.js
@@ -201,7 +201,7 @@ class Uploader {
       return false
     }
 
-    const validatorOpts = { require_protocol: true, require_tld: !options.companionOptions.debug }
+    const validatorOpts = { require_protocol: true, require_tld: false }
     return [options.endpoint, options.uploadUrl].every((url) => {
       if (url && !validator.isURL(url, validatorOpts)) {
         this._errRespMessage = 'invalid destination url'

diff --git a/test/__tests__/uploader.js b/test/__tests__/uploader.js
@@ -7,10 +7,38 @@ const Uploader = require('../../src/server/Uploader')
 const socketClient = require('../mocksocket')
 const standalone = require('../../src/standalone')
 
+const { companionOptions } = standalone()
+
 describe('uploader with tus protocol', () => {
+  test('uploader respects uploadUrls', async () => {
+    const opts = {
+      endpoint: 'http://localhost/files',
+      companionOptions: { ...companionOptions, uploadUrls: [/^http:\/\/url.myendpoint.com\//] },
+    }
+
+    expect(new Uploader(opts).hasError()).toBe(true)
+  })
+
+  test('uploader respects uploadUrls, valid', async () => {
+    const opts = {
+      endpoint: 'http://url.myendpoint.com/files',
+      companionOptions: { ...companionOptions, uploadUrls: [/^http:\/\/url.myendpoint.com\//] },
+    }
+
+    expect(new Uploader(opts).hasError()).toBe(false)
+  })
+
+  test('uploader respects uploadUrls, localhost', async () => {
+    const opts = {
+      endpoint: 'http://localhost:1337/',
+      companionOptions: { ...companionOptions, uploadUrls: [/^http:\/\/localhost:1337\//] },
+    }
+
+    expect(new Uploader(opts).hasError()).toBe(false)
+  })
+
   test('upload functions with tus protocol', () => {
     const fileContent = Buffer.from('Some file content')
-    const { companionOptions } = standalone()
     const opts = {
       companionOptions,
       endpoint: 'http://url.myendpoint.com/files',