disallow corsOrigins "*" (#5496)

because it could be a security risk https://app.intercom.com/a/inbox/qiqpfgjg/inbox/admin/4490996/conversation/26852700017788
transloadit · Oct 29, 2024 · ace9e00 · ace9e00
1 parent f8df085
commit ace9e00
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/docs/companion.md b/docs/companion.md
@@ -183,7 +183,9 @@ npm install @uppy/companion
 
 To plug Companion into an existing server, call its `.app` method, passing in an
 [options](#options) object as a parameter. This returns a server instance that
-you can mount on a route in your Express app.
+you can mount on a route in your Express app. Note: do **not** use the `cors`
+module in your project, because Companion already includes it. Use the
+`corsOrigins` Companion option to customise CORS behavior.
 
 ```js
 import express from 'express';

diff --git a/docs/guides/migration-guides.md b/docs/guides/migration-guides.md
@@ -9,7 +9,10 @@ These cover all the major Uppy versions and how to migrate to them.
 - Setting the `corsOrigin` (`COMPANION_CLIENT_ORIGINS`) option is now required.
   You should define the list of origins you expect your app to be served from,
   otherwise it can be impersonated from a different origin you don’t control.
-  Set it to `true` if you don’t care about impersonating.
+  Set it to `true` if you don’t care about impersonating. If you’re using
+  Companion as an express middleware, do **not** use the `cors` module in your
+  project, because Companion already includes it. Use the `corsOrigins`
+  Companion option to customise CORS behavior.
 - `COMPANION_REDIS_EXPRESS_SESSION_PREFIX` now defaults to `companion-session:`
   (before `sess:`). To revert keep backwards compatibility, set the environment
   variable `COMPANION_REDIS_EXPRESS_SESSION_PREFIX=sess:`.

diff --git a/packages/@uppy/companion/src/config/companion.js b/packages/@uppy/companion/src/config/companion.js
@@ -112,6 +112,10 @@ const validateConfig = (companionOptions) => {
     throw new TypeError('Option corsOrigins is required. To disable security, pass true')
   }
 
+  if (companionOptions.corsOrigins === '*') {
+    throw new TypeError('Option corsOrigins cannot be "*". To disable security, pass true')
+  }
+
   if (periodicPingUrls != null && (
     !Array.isArray(periodicPingUrls)
     || periodicPingUrls.some((url2) => !isURL(url2, { protocols: ['http', 'https'], require_protocol: true, require_tld: false }))