Merge pull request #444 from dadi/feature/overridable-asset-config

Override assets.allowFullURL at domain level
dadi · Oct 15, 2018 · 3860c55 · 3860c55
2 parents a22068d + 32622ab
commit 3860c55
Show file tree

Hide file tree

Showing 5 changed files with 136 additions and 1 deletion.
diff --git a/config.js b/config.js
@@ -279,6 +279,12 @@ const schema = {
         format: String,
         default: '',
         allowDomainOverride: true
+      },
+      allowFullURL: {
+        doc: 'If true, assets can be loaded from any remote URL',
+        format: Boolean,
+        default: true,
+        allowDomainOverride: true
       }
     }
   },

diff --git a/dadi/lib/handlers/css.js b/dadi/lib/handlers/css.js
@@ -24,6 +24,8 @@ const CSSHandler = function (format, req, {
     true
   )
 
+  this.isExternalUrl = this.url.pathname.indexOf('http://') > 0 || this.url.pathname.indexOf('https://') > 0
+
   this.isCompressed = Boolean(
     this.options.compress ||
     this.legacyURLOverrides.compress ||
@@ -66,6 +68,22 @@ CSSHandler.prototype.get = function () {
       {domain: this.req.__domain}
     )
 
+    // Aborting the request if full remote URL is required and not enabled.
+    if (
+      this.isExternalUrl &&
+      (
+        !config.get('assets.remote.enabled', this.req.__domain) ||
+        !config.get('assets.remote.allowFullURL', this.req.__domain)
+      )
+    ) {
+      let err = {
+        statusCode: 403,
+        message: 'Loading assets from a full remote URL is not supported by this instance of DADI CDN'
+      }
+
+      return Promise.reject(err)
+    }
+
     return this.storageHandler.get().then(stream => {
       return this.transform(stream)
     }).then(stream => {

diff --git a/dadi/lib/handlers/default.js b/dadi/lib/handlers/default.js
@@ -22,6 +22,8 @@ const DefaultHandler = function (format, req, {
     true
   )
 
+  this.isExternalUrl = this.url.pathname.indexOf('http://') > 0 || this.url.pathname.indexOf('https://') > 0
+
   this.cache = Cache()
   this.cacheKey = [req.__domain, this.url.href]
 
@@ -52,6 +54,22 @@ DefaultHandler.prototype.get = function () {
       {domain: this.req.__domain}
     )
 
+    // Aborting the request if full remote URL is required and not enabled.
+    if (
+      this.isExternalUrl &&
+      (
+        !config.get('assets.remote.enabled', this.req.__domain) ||
+        !config.get('assets.remote.allowFullURL', this.req.__domain)
+      )
+    ) {
+      let err = {
+        statusCode: 403,
+        message: 'Loading assets from a full remote URL is not supported by this instance of DADI CDN'
+      }
+
+      return Promise.reject(err)
+    }
+
     return this.storageHandler.get().then(stream => {
       return this.cache.cacheFile(stream, this.cacheKey, {
         ttl: config.get('caching.ttl', this.req.__domain)

diff --git a/dadi/lib/handlers/js.js b/dadi/lib/handlers/js.js
@@ -27,6 +27,8 @@ const JSHandler = function (format, req, {
     true
   )
 
+  this.isExternalUrl = this.url.pathname.indexOf('http://') > 0 || this.url.pathname.indexOf('https://') > 0
+
   this.cache = Cache()
   this.cacheKey = [req.__domain, this.url.href]
 
@@ -63,6 +65,22 @@ JSHandler.prototype.get = function () {
       {domain: this.req.__domain}
     )
 
+    // Aborting the request if full remote URL is required and not enabled.
+    if (
+      this.isExternalUrl &&
+      (
+        !config.get('assets.remote.enabled', this.req.__domain) ||
+        !config.get('assets.remote.allowFullURL', this.req.__domain)
+      )
+    ) {
+      let err = {
+        statusCode: 403,
+        message: 'Loading assets from a full remote URL is not supported by this instance of DADI CDN'
+      }
+
+      return Promise.reject(err)
+    }
+
     return this.storageHandler.get().then(stream => {
       return this.transform(stream)
     }).then(stream => {

diff --git a/test/acceptance/multi-domain.js b/test/acceptance/multi-domain.js
@@ -333,7 +333,7 @@ describe('Multi-domain', function () {
       })
     }).timeout(5000)
 
-    it('should use the allowFullURL setting defined at domain level to determine whether or not a request with a full remote URL will be served', done => {
+    it('should use the images.allowFullURL setting defined at domain level to determine whether or not a request with a full remote URL will be served', done => {
       config.set('images.remote.allowFullURL', true, 'localhost')
       config.set('images.remote.allowFullURL', false, 'testdomain.com')
 
@@ -358,6 +358,81 @@ describe('Multi-domain', function () {
         })
     }).timeout(5000)
 
+    it('should use the assets.allowFullURL setting defined at domain level to determine whether or not a CSS request with a full remote URL will be served', done => {
+      config.set('assets.remote.allowFullURL', true, 'localhost')
+      config.set('assets.remote.allowFullURL', false, 'testdomain.com')
+
+      request(cdnUrl)
+        .get('/http://one.somedomain.tech/test.css')
+        .set('Host', 'localhost:80')
+        .expect(200)
+        .end((err, res) => {
+          res.headers['content-type'].should.eql('text/css')
+
+          request(cdnUrl)
+            .get('/http://one.somedomain.tech/test.css')
+            .set('Host', 'testdomain.com:80')
+            .end((err, res) => {
+              res.statusCode.should.eql(403)
+              res.body.message.should.eql(
+                'Loading assets from a full remote URL is not supported by this instance of DADI CDN'
+              )
+
+              done()
+            })
+        })
+    }).timeout(5000)
+
+    it('should use the assets.allowFullURL setting defined at domain level to determine whether or not a JS request with a full remote URL will be served', done => {
+      config.set('assets.remote.allowFullURL', true, 'localhost')
+      config.set('assets.remote.allowFullURL', false, 'testdomain.com')
+
+      request(cdnUrl)
+        .get('/http://one.somedomain.tech/test.js')
+        .set('Host', 'localhost:80')
+        .expect(200)
+        .end((err, res) => {
+          res.headers['content-type'].should.eql('application/javascript')
+
+          request(cdnUrl)
+            .get('/http://one.somedomain.tech/test.js')
+            .set('Host', 'testdomain.com:80')
+            .end((err, res) => {
+              res.statusCode.should.eql(403)
+              res.body.message.should.eql(
+                'Loading assets from a full remote URL is not supported by this instance of DADI CDN'
+              )
+
+              done()
+            })
+        })
+    }).timeout(5000)
+
+    it('should use the assets.allowFullURL setting defined at domain level to determine whether or not a default request with a full remote URL will be served', done => {
+      config.set('assets.remote.allowFullURL', true, 'localhost')
+      config.set('assets.remote.allowFullURL', false, 'testdomain.com')
+
+      request(cdnUrl)
+        .get('/http://one.somedomain.tech/test.txt')
+        .set('Host', 'localhost:80')
+        .expect(200)
+        .end((err, res) => {
+          res.headers['content-type'].should.eql('text/plain')
+
+          request(cdnUrl)
+            .get('/http://one.somedomain.tech/test.txt')
+            .set('Host', 'testdomain.com:80')
+            .end((err, res) => {
+              res.statusCode.should.eql(403)
+              res.body.message.should.eql(
+                'Loading assets from a full remote URL is not supported by this instance of DADI CDN'
+              )
+
+              done()
+            })
+        })
+    }).timeout(5000)
+
     describe('when the target domain is not configured', () => {
       let testDomain = 'unknowndomain.com'