fix: validate fileDownloadURL format in file download handler

yaroslav8765 · yaroslav8765 · commit 47d4366def1c · 2025-11-24T08:49:31.000+02:00
diff --git a/index.ts b/index.ts
@@ -3,7 +3,6 @@ import { PluginOptions } from './types.js';
 import { AdminForthPlugin, AdminForthResourceColumn, AdminForthResource, Filters, IAdminForth, IHttpServer, suggestIfTypo } from "adminforth";
 import { Readable } from "stream";
 import { RateLimiter } from "adminforth";
-import { url } from 'inspector/promises';
 
 const ADMINFORTH_NOT_YET_USED_TAG = 'adminforth-candidate-for-cleanup';
 
@@ -439,6 +438,10 @@ export default class UploadPlugin extends AdminForthPlugin {
           return { error: 'Missing fileDownloadURL' };
         }
 
+        if (!fileDownloadURL.startsWith(`http://${(this.options.storageAdapter as any).options.bucket}`) && !fileDownloadURL.startsWith(`https://${(this.options.storageAdapter as any).options.bucket}`)) {
+          return { error: 'Invalid fileDownloadURL ' };
+        }
+
         const upstream = await fetch(fileDownloadURL);
         if (!upstream.ok || !upstream.body) {
           return { error: `Failed to download file (status ${upstream.status})` };
