allow http for localhost

viamrobotics · Nov 19, 2024 · d2f5cb9 · d2f5cb9
1 parent c4a86f8
commit d2f5cb9
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/web/backto.go b/web/backto.go
@@ -15,6 +15,18 @@ func isWhitelisted(hostname string) bool {
 	return hostnameWhitelist[hostname]
 }
 
+func isAllowedURLScheme(url *url.URL) bool {
+	if url.Scheme == "https" {
+		return true
+	}
+
+	if url.Hostname() == "localhost" && url.Scheme == "http" {
+		return true
+	}
+
+	return false
+}
+
 // IsValidBacktoURL returns true if the passed string is a secure URL to a whitelisted
 // hostname. The whitelisted hostnames are: "localhost", "app.viam.dev", and "app.viam.com".
 //
@@ -29,7 +41,7 @@ func IsValidBacktoURL(path string) bool {
 		return false
 	}
 
-	if url.Scheme != "" && url.Scheme != "https" {
+	if !isAllowedURLScheme(url) {
 		// ignore non-secure URLs
 		return false
 	}

diff --git a/web/backto_test.go b/web/backto_test.go
@@ -50,7 +50,6 @@ func TestIsValidBacktoURL(t *testing.T) {
 	})
 
 	t.Run("rejects invalid local URLs", func(t *testing.T) {
-		test.That(t, IsValidBacktoURL("http://localhost"), test.ShouldBeFalse)
 		test.That(t, IsValidBacktoURL("ftp://localhost"), test.ShouldBeFalse)
 		test.That(t, IsValidBacktoURL("://localhost"), test.ShouldBeFalse)
 		test.That(t, IsValidBacktoURL("//localhost"), test.ShouldBeFalse)
@@ -62,5 +61,7 @@ func TestIsValidBacktoURL(t *testing.T) {
 	t.Run("accepts valid local URLs", func(t *testing.T) {
 		test.That(t, IsValidBacktoURL("https://localhost"), test.ShouldBeTrue)
 		test.That(t, IsValidBacktoURL("https://localhost/some/path"), test.ShouldBeTrue)
+		test.That(t, IsValidBacktoURL("http://localhost"), test.ShouldBeTrue)
+		test.That(t, IsValidBacktoURL("http://localhost/some/path"), test.ShouldBeTrue)
 	})
 }