disallow corsOrigins "*" (#5496)

because it could be a security risk
https://app.intercom.com/a/inbox/qiqpfgjg/inbox/admin/4490996/conversation/26852700017788
Mikael Finstad 5 months ago
parent
commit
ace9e00a14

+ 3 - 1
docs/companion.md

@@ -183,7 +183,9 @@ npm install @uppy/companion
 
 
 To plug Companion into an existing server, call its `.app` method, passing in an
 To plug Companion into an existing server, call its `.app` method, passing in an
 [options](#options) object as a parameter. This returns a server instance that
 [options](#options) object as a parameter. This returns a server instance that
-you can mount on a route in your Express app.
+you can mount on a route in your Express app. Note: do **not** use the `cors`
+module in your project, because Companion already includes it. Use the
+`corsOrigins` Companion option to customise CORS behavior.
 
 
 ```js
 ```js
 import express from 'express';
 import express from 'express';
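Review bot: the added note tells readers not to load the `cors` module alongside Companion but does not say why, and the `corsOrigins` option it points to is not linked; in the new lines after "Note: do **not** use the `cors` module in your project, because Companion already includes it." consider adding one sentence that a second CORS layer would emit its own `Access-Control-Allow-Origin` header and override or conflict with the restriction `corsOrigins` applies, and link `corsOrigins` to the options section (`[corsOrigins](#corsorigins)`) in the same way `[options](#options)` is linked two lines above.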

+ 4 - 1
docs/guides/migration-guides.md

@@ -9,7 +9,10 @@ These cover all the major Uppy versions and how to migrate to them.
 - Setting the `corsOrigin` (`COMPANION_CLIENT_ORIGINS`) option is now required.
 - Setting the `corsOrigin` (`COMPANION_CLIENT_ORIGINS`) option is now required.
   You should define the list of origins you expect your app to be served from,
   You should define the list of origins you expect your app to be served from,
   otherwise it can be impersonated from a different origin you don’t control.
   otherwise it can be impersonated from a different origin you don’t control.
-  Set it to `true` if you don’t care about impersonating.
+  Set it to `true` if you don’t care about impersonating. If you’re using
+  Companion as an express middleware, do **not** use the `cors` module in your
+  project, because Companion already includes it. Use the `corsOrigins`
+  Companion option to customise CORS behavior.
 - `COMPANION_REDIS_EXPRESS_SESSION_PREFIX` now defaults to `companion-session:`
 - `COMPANION_REDIS_EXPRESS_SESSION_PREFIX` now defaults to `companion-session:`
   (before `sess:`). To revert keep backwards compatibility, set the environment
   (before `sess:`). To revert keep backwards compatibility, set the environment
   variable `COMPANION_REDIS_EXPRESS_SESSION_PREFIX=sess:`.
   variable `COMPANION_REDIS_EXPRESS_SESSION_PREFIX=sess:`.
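Review bot: the option name is inconsistent within this bullet: the existing line reads "Setting the `corsOrigin` (`COMPANION_CLIENT_ORIGINS`) option is now required" while the added text and the validator in `companion.js` use `corsOrigins`; rename the first to `corsOrigins` so the migration guide matches the actual option. The new sentence also says "do **not** use the `cors` module", which with the added `*` rejection means the only ways to relax the check are a listed origin or `true`; it would help migrating users to state explicitly here that `'*'` is no longer accepted and will throw, since that is the behaviour change this commit introduces.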

+ 4 - 0
packages/@uppy/companion/src/config/companion.js

@@ -112,6 +112,10 @@ const validateConfig = (companionOptions) => {
     throw new TypeError('Option corsOrigins is required. To disable security, pass true')
     throw new TypeError('Option corsOrigins is required. To disable security, pass true')
   }
   }
 
 
+  if (companionOptions.corsOrigins === '*') {
+    throw new TypeError('Option corsOrigins cannot be "*". To disable security, pass true')
+  }
+
   if (periodicPingUrls != null && (
   if (periodicPingUrls != null && (
     !Array.isArray(periodicPingUrls)
     !Array.isArray(periodicPingUrls)
     || periodicPingUrls.some((url2) => !isURL(url2, { protocols: ['http', 'https'], require_protocol: true, require_tld: false }))
     || periodicPingUrls.some((url2) => !isURL(url2, { protocols: ['http', 'https'], require_protocol: true, require_tld: false }))
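Review bot: the new check `companionOptions.corsOrigins === '*'` only catches the bare string; because the migration guide in this same commit tells users to pass a list of origins, a value such as `['*']` or `['https://example.com', '*']` would pass validation and still produce a wildcard origin. Suggest extending the condition to cover both shapes, e.g. `const isWildcard = (o) => o === '*'` and `if (isWildcard(corsOrigins) || (Array.isArray(corsOrigins) && corsOrigins.some(isWildcard)))`, keeping the same `TypeError` message so the guidance to pass `true` when security is intentionally disabled stays consistent with the preceding required-option check.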