feat: allow to upload file directly from the url query param #18
Pull request overview
This PR adds functionality to upload files directly from URL query parameters. When creating or editing a record, users can now specify a file path in the URL query string, which will be automatically downloaded and uploaded to the file field. The implementation includes backend endpoints for generating download URLs and proxying file downloads, plus frontend logic to parse query parameters and handle the file download/upload flow.
Key Changes
- Added two new backend endpoints: one for generating file download URLs and another for proxying file downloads through the server
- Modified the Vue uploader component to read file paths from URL query parameters and automatically trigger file upload on mount
- Added `pathColumnName` configuration to support the new URL-based upload feature
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| index.ts | Added two new endpoints for file URL generation and download proxying, plus pathColumnName configuration |
| custom/uploader.vue | Enhanced onMounted hook to parse query parameters and trigger automatic file downloads/uploads, added downloadAsFile helper function |
Comments suppressed due to low confidence (1)
index.ts:6
- Unused import url.
import { url } from 'inspector/promises';
| }); | ||
|
|
||
| server.endpoint({ | ||
| method: 'POST', | ||
| path: `/plugin/${this.pluginInstanceId}/proxy-download`, | ||
| handler: async ({ body, response }) => { | ||
| const { fileDownloadURL } = body; | ||
|
|
||
| if (!fileDownloadURL) { | ||
| return { error: 'Missing fileDownloadURL' }; | ||
| } | ||
|
|
||
| const upstream = await fetch(fileDownloadURL); | ||
| if (!upstream.ok || !upstream.body) { | ||
| return { error: `Failed to download file (status ${upstream.status})` }; | ||
| } | ||
|
|
||
| const contentType = upstream.headers.get('content-type') || 'application/octet-stream'; | ||
| const contentLength = upstream.headers.get('content-length'); | ||
| const contentDisposition = upstream.headers.get('content-disposition'); | ||
|
|
||
| response.setHeader('Content-Type', contentType); | ||
| if (contentLength) response.setHeader('Content-Length', contentLength); | ||
| if (contentDisposition) response.setHeader('Content-Disposition', contentDisposition); | ||
|
|
||
| //@ts-ignore Node 18+: convert Web stream to Node stream and pipe to response | ||
| Readable.fromWeb(upstream.body).pipe(response.blobStream()); | ||
| return null; |
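Review bot: The three `response.setHeader` calls copy the upstream `Content-Type` and `Content-Disposition` through unchanged, so whatever type the remote server declares is served from this application's own origin. Consider forcing `application/octet-stream` with `Content-Disposition: attachment` and adding `X-Content-Type-Options: nosniff`. The `Readable.fromWeb(upstream.body).pipe(response.blobStream())` line has no error handler and no size limit, so a failed or very large upstream body is neither caught nor capped; `stream.pipeline` with a byte counter would cover both. Also, `fetch(fileDownloadURL)` is called with default options, which follow redirects, and both error branches return `{ error: ... }` without a status code being set in the visible lines.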
Copilot
AI
Nov 23, 2025
This proxy endpoint is vulnerable to Server-Side Request Forgery (SSRF) attacks. The fileDownloadURL parameter is not validated, allowing an attacker to potentially make requests to internal services or arbitrary external URLs. Consider:
- Validating that the URL matches expected patterns or domains
- Implementing an allowlist of permitted domains/URLs
- Preventing access to internal IP ranges (e.g., 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16, 169.254.0.0/16)
- Adding rate limiting to prevent abuse
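The URL checks listed in the comment above, sketched as an added example (not code from this PR or the project): parse first, then check scheme, host allowlist and internal IPv4 ranges on the parser's output. The function names and the `files.example.com` allowlist are hypothetical, and the range list goes slightly beyond the comment by including 0.0.0.0/8 and 172.16.0.0/12.

```javascript
// Added example; function names and the allowlist are hypothetical.
// Ranges from the review comment, plus 0.0.0.0/8 and 172.16.0.0/12.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['127.0.0.0', 8], ['10.0.0.0', 8],
  ['172.16.0.0', 12], ['192.168.0.0', 16], ['169.254.0.0', 16],
];

// Dotted-quad string -> unsigned 32-bit integer, or null if not IPv4.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True when addr falls in a blocked range. Also meant for addresses
// obtained from DNS resolution, which this offline example does not do.
function isBlockedIPv4(addr) {
  const ip = ipv4ToInt(addr);
  if (ip === null) return false;
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Decide whether a caller-supplied fileDownloadURL may be fetched.
function checkDownloadUrl(rawUrl, allowedHosts) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (u.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (u.username || u.password) return { ok: false, reason: 'credentials in URL' };
  // The parser lower-cases the host and rewrites forms such as
  // "2130706433" or "0x7f.1" to dotted decimal, so check its output.
  const host = u.hostname;
  if (isBlockedIPv4(host)) return { ok: false, reason: 'internal address' };
  if (host.startsWith('[') || ipv4ToInt(host) !== null) {
    return { ok: false, reason: 'IP literal not allowed' };
  }
  if (!allowedHosts.includes(host)) return { ok: false, reason: 'host not on allowlist' };
  return { ok: true, url: u.href };
}
```

A string check alone does not cover an allowlisted name that resolves to an internal address or an upstream redirect; the caller would also run `isBlockedIPv4` on the resolved address and call `fetch` with `redirect: 'manual'`.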