Merge pull request quirrel-dev#796 from quirrel-dev/regression-absolute-endpoints

only allow absolute endpoints

Author: Skn0tt

src/api/scheduler/routes/queues.ts

@@ -13,6 +13,8 @@ import { QueuesUpdateCronBody } from "../types/queues/update-cron";
 import { isValidCronExpression } from "../../../shared/is-valid-cron";
 import { isValidTimezone } from "../../../shared/repeat";
 
+import * as Url from "url"
+
 const jobs: FastifyPluginCallback = (fastify, opts, done) => {
   const jobsRepo = fastify.jobs;
   const queueRepo = jobsRepo.queueRepo;
@@ -35,6 +37,11 @@ const jobs: FastifyPluginCallback = (fastify, opts, done) => {
     return true;
   }
 
+  function isAbsoluteURL(string: string): boolean {
+    const url = Url.parse(string);
+    return Boolean(url.protocol && url.hostname);
+  }
+
   const baseSchema = {
     tags: ["Queueing"],
     security: fastify.adminBasedAuthEnabled
@@ -54,6 +61,12 @@ const jobs: FastifyPluginCallback = (fastify, opts, done) => {
       "body.repeat.cron uses unsupported syntax. See https://github.com/harrisiirak/cron-parser for reference.",
   };
 
+  const INVALID_ENDPOINT_ERROR = {
+    statusCode: 400,
+    error: "Bad Request",
+    message: "endpoint needs to be absolute URL.",
+  };
+
   const INVALID_TIMEZONE_ERROR = {
     statusCode: 400,
     error: "Bad Request",
@@ -77,6 +90,10 @@ const jobs: FastifyPluginCallback = (fastify, opts, done) => {
       const { tokenId, body } = request;
       const { endpoint } = request.params;
 
+      if (!isAbsoluteURL(endpoint)) {
+        return reply.status(400).send(INVALID_ENDPOINT_ERROR);
+      }
+
       if (!hasValidCronExpression(body)) {
         return reply.status(400).send(INVALID_CRON_EXPRESSION_ERROR);
       }
@@ -127,6 +144,10 @@ const jobs: FastifyPluginCallback = (fastify, opts, done) => {
           );
       }
 
+      if (!isAbsoluteURL(endpoint)) {
+        return reply.status(400).send(INVALID_ENDPOINT_ERROR);
+      }
+
       if (!body.every(hasValidCronExpression)) {
         return reply.status(400).send(INVALID_CRON_EXPRESSION_ERROR);
       }

src/api/test/jobs.test.ts

@@ -542,6 +542,21 @@ describeAcrossBackends("Jobs", (backend) => {
     expect(bodies).toEqual(["delay & repeat.every", "delay & repeat.every"]);
   });
 
+  test("regression: non-absolute URLs shouldn't be accepted", async () => {
+    await request(quirrel)
+      .post(
+        "/queues/" + encodeURIComponent("https://${SOME_ENV_VAR}/api/someQueue")
+      )
+      .send({
+        body: "something",
+      })
+      .expect(400, {
+        statusCode: 400,
+        error: "Bad Request",
+        message: "endpoint needs to be absolute URL.",
+      });
+  });
+
   describe("cron jobs", () => {
     test("work", async () => {
       await request(quirrel)