From ace9e00a14bd37e445b2dbcb380b981e40627abe Mon Sep 17 00:00:00 2001
From: Mikael Finstad
Date: Tue, 29 Oct 2024 11:17:04 +0100
Subject: [PATCH] disallow corsOrigins "*" (#5496) because it could be a security risk https://app.intercom.com/a/inbox/qiqpfgjg/inbox/admin/4490996/conversation/26852700017788
---
 docs/companion.md | 4 +++-
 docs/guides/migration-guides.md | 5 ++++-
 packages/@uppy/companion/src/config/companion.js | 4 ++++
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/docs/companion.md b/docs/companion.md
index e58c00a6ee..83aa31c900 100644
--- a/docs/companion.md
+++ b/docs/companion.md
@@ -183,7 +183,9 @@ npm install @uppy/companion
 To plug Companion into an existing server, call its `.app` method, passing in an [options](#options) object as a parameter. This returns a server instance that
-you can mount on a route in your Express app.
+you can mount on a route in your Express app. Note: do **not** use the `cors`
+module in your project, because Companion already includes it. Use the
+`corsOrigins` Companion option to customise CORS behavior.
 ```js import express from 'express';
diff --git a/docs/guides/migration-guides.md b/docs/guides/migration-guides.md
index b8ba53799b..596aa60b43 100644
--- a/docs/guides/migration-guides.md
+++ b/docs/guides/migration-guides.md
@@ -9,7 +9,10 @@ These cover all the major Uppy versions and how to migrate to them.
 - Setting the `corsOrigin` (`COMPANION_CLIENT_ORIGINS`) option is now required. You should define the list of origins you expect your app to be served from, otherwise it can be impersonated from a different origin you don’t control.
- Set it to `true` if you don’t care about impersonating.
+ Set it to `true` if you don’t care about impersonating. If you’re using
+ Companion as an express middleware, do **not** use the `cors` module in your
+ project, because Companion already includes it. Use the `corsOrigins`
+ Companion option to customise CORS behavior.
 - `COMPANION_REDIS_EXPRESS_SESSION_PREFIX` now defaults to `companion-session:` (before `sess:`). To revert keep backwards compatibility, set the environment variable `COMPANION_REDIS_EXPRESS_SESSION_PREFIX=sess:`.
diff --git a/packages/@uppy/companion/src/config/companion.js b/packages/@uppy/companion/src/config/companion.js
index 801280b763..b847f3df7a 100644
--- a/packages/@uppy/companion/src/config/companion.js
+++ b/packages/@uppy/companion/src/config/companion.js
@@ -112,6 +112,10 @@ const validateConfig = (companionOptions) => {
 throw new TypeError('Option corsOrigins is required. To disable security, pass true')
 }
+ if (companionOptions.corsOrigins === '*') {
+ throw new TypeError('Option corsOrigins cannot be "*". To disable security, pass true')
+ }
+
 if (periodicPingUrls != null && (
 !Array.isArray(periodicPingUrls) ||
 periodicPingUrls.some((url2) => !isURL(url2, { protocols: ['http', 'https'], require_protocol: true, require_tld: false }))
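Review bot: The added `if (companionOptions.corsOrigins === '*')` check only catches the bare string form, so a wildcard inside a list such as `corsOrigins: ['*']` still passes validation, and if `COMPANION_CLIENT_ORIGINS` is split into an array before it reaches this function (that parsing is not in the hunk) the env form would likely slip through the same way. Normalising to a list first closes both paths: `const origins = Array.isArray(companionOptions.corsOrigins) ? companionOptions.corsOrigins : [companionOptions.corsOrigins]` and then `if (origins.some((o) => o === '*')) throw new TypeError('Option corsOrigins cannot be "*". To disable security, pass true')`. A RegExp or function supplied as an origin matcher cannot be checked statically here, so a one-line comment above the guard noting that those forms remain the caller's responsibility would help the next maintainer. validateConfig's body continues before and after this hunk.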