
disallow corsOrigins "*" (#5496)

because it could be a security risk
https://app.intercom.com/a/inbox/qiqpfgjg/inbox/admin/4490996/conversation/26852700017788
Mikael Finstad 5 months ago
parent
commit
ace9e00a14

+ 3 - 1
docs/companion.md

@@ -183,7 +183,9 @@ npm install @uppy/companion
 
 To plug Companion into an existing server, call its `.app` method, passing in an
 [options](#options) object as a parameter. This returns a server instance that
-you can mount on a route in your Express app.
+you can mount on a route in your Express app. Note: do **not** use the `cors`
+module in your project, because Companion already includes it. Use the
+`corsOrigins` Companion option to customise CORS behavior.
 
 ```js
 import express from 'express';
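Review bot: the added note at `+you can mount on a route in your Express app. Note: do **not** use the `cors`` says not to use the `cors` module but not what the consequence is, and it does not mention the rule this commit introduces (the title says `"*"` is now disallowed). Suggest stating both: that a second CORS layer in the host app can emit its own `Access-Control-Allow-Origin` header and override the origin list Companion enforces, and that `corsOrigins` must be an explicit list of origins, with `"*"` rejected and `true` being the only way to turn the check off, so the docs match the error text `Option corsOrigins cannot be "*". To disable security, pass true`.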

+ 4 - 1
docs/guides/migration-guides.md

@@ -9,7 +9,10 @@ These cover all the major Uppy versions and how to migrate to them.
 - Setting the `corsOrigin` (`COMPANION_CLIENT_ORIGINS`) option is now required.
   You should define the list of origins you expect your app to be served from,
   otherwise it can be impersonated from a different origin you don’t control.
-  Set it to `true` if you don’t care about impersonating.
+  Set it to `true` if you don’t care about impersonating. If you’re using
+  Companion as an express middleware, do **not** use the `cors` module in your
+  project, because Companion already includes it. Use the `corsOrigins`
+  Companion option to customise CORS behavior.
 - `COMPANION_REDIS_EXPRESS_SESSION_PREFIX` now defaults to `companion-session:`
   (before `sess:`). To revert keep backwards compatibility, set the environment
   variable `COMPANION_REDIS_EXPRESS_SESSION_PREFIX=sess:`.
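Review bot: option name mismatch within this hunk: the context line reads `- Setting the `corsOrigin` (`COMPANION_CLIENT_ORIGINS`) option is now required.` while the added lines say `corsOrigins`, and the validator in this same commit reads `companionOptions.corsOrigins`, so the context line should be corrected to `corsOrigins` while this file is being touched. The sentence `Set it to `true` if you don’t care about impersonating.` should also say that a wildcard `"*"` is now rejected at startup, since that is the behaviour change this commit ships and a reader migrating from a `"*"` value will otherwise only learn it from the thrown error. Minor: the untouched context `To revert keep backwards compatibility` reads as two phrases run together.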

+ 4 - 0
packages/@uppy/companion/src/config/companion.js

@@ -112,6 +112,10 @@ const validateConfig = (companionOptions) => {
     throw new TypeError('Option corsOrigins is required. To disable security, pass true')
   }
 
+  if (companionOptions.corsOrigins === '*') {
+    throw new TypeError('Option corsOrigins cannot be "*". To disable security, pass true')
+  }
+
   if (periodicPingUrls != null && (
     !Array.isArray(periodicPingUrls)
     || periodicPingUrls.some((url2) => !isURL(url2, { protocols: ['http', 'https'], require_protocol: true, require_tld: false }))
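Review bot: the new check at `+  if (companionOptions.corsOrigins === '*') {` only matches the bare string `'*'`. The migration guide in this same commit tells users to "define the list of origins", so an array value such as `['*']` or `['https://example.com', '*']` passes this validation and still opens CORS to every origin. Suggest extending the guard to arrays, e.g. `Array.isArray(companionOptions.corsOrigins) && companionOptions.corsOrigins.includes('*')`, and reusing the same error message. Also worth confirming how `COMPANION_CLIENT_ORIGINS` is split before it reaches `validateConfig`: if a comma-separated env value arrives here as an array, the env-var path bypasses this string-only check entirely.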