enforce usage of uploadUrls (#3965)

See #3180
transloadit · Aug 10, 2022 · a477148 · a477148
1 parent 90b62c7
commit a477148
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/packages/@uppy/companion/src/config/companion.js b/packages/@uppy/companion/src/config/companion.js
@@ -99,7 +99,8 @@ const validateConfig = (companionOptions) => {
   }
 
   if (companionOptions.uploadUrls == null || companionOptions.uploadUrls.length === 0) {
-    logger.warn('Running without uploadUrls specified is a security risk if running in production', 'startup.uploadUrls')
+    if (process.env.NODE_ENV === 'production') throw new Error('uploadUrls is required')
+    logger.error('Running without uploadUrls is a security risk and Companion will refuse to start up when running in production (NODE_ENV=production)', 'startup.uploadUrls')
   }
 
   if (periodicPingUrls != null && (

diff --git a/website/src/docs/companion.md b/website/src/docs/companion.md
@@ -357,9 +357,9 @@ const options = {
 
 1. **filePath(required)** - Full path to the directory to which provider files will be downloaded temporarily.
 
-2. **secret(recommended)** - A secret string which Companion uses to generate authorization tokens. You should generate a long random string for this.
+2. **uploadUrls(required)** - An allowlist (array) of strings (exact URLs) or regular expressions. Companion will only accept uploads to these URLs. This ensures that your Companion instance is only allowed to upload to your trusted servers and prevents [SSRF](https://en.wikipedia.org/wiki/Server-side_request_forgery) attacks.
 
-3. **uploadUrls(recommended)** - An allowlist (array) of strings (exact URLs) or regular expressions. If specified, Companion will only accept uploads to these URLs. This is needed to make sure a Companion instance is only allowed to upload to your servers. **Omitting this leaves your system open to potential [SSRF](https://en.wikipedia.org/wiki/Server-side_request_forgery) attacks, and may throw an error in future `@uppy/companion` releases.**
+3. **secret(recommended)** - A secret string which Companion uses to generate authorization tokens. You should generate a long random string for this.
 
 4. **redisUrl(optional)** - URL to running Redis server. If this is set, the state of uploads would be stored temporarily. This helps for resumed uploads after a browser crash from the client. The stored upload would be sent back to the client on reconnection.