fix: get external resource blocked (#12927)

## Fix - Use `[Config].upload.skipSafeFetch` to allow specific external urls - Use `[Config].upload.pasteURL.allowList` to allow specific external urls Documentation: [Uploading files from remote urls](https://payloadcms.com/docs/upload/overview#uploading-files-from-remote-urls) Fixes: https://github.com/payloadcms/payload/issues/12876 Mentioned: https://github.com/payloadcms/payload/issues/7037, https://github.com/payloadcms/payload/issues/12934 Source PR: https://github.com/payloadcms/payload/pull/12622 Issue Trace: 1. [`allowList` Added](8b7f2ddbf4 (diff-92acf7b8d30e447a791e37820136bcbf23c42f0358daca0fdea4e7b77f7d4bc9) ) 2. [`allowList` Removed](648c168f86 (diff-92acf7b8d30e447a791e37820136bcbf23c42f0358daca0fdea4e7b77f7d4bc9))
2025-06-26 15:24:39 -04:00
parent d62d9b4b8e
commit a7ad573a0e
8 changed files with 135 additions and 11 deletions
--- a/test/uploads/config.ts
+++ b/test/uploads/config.ts
@@ -1,5 +1,3 @@
-/* eslint-disable no-restricted-exports */
-
 import type { CollectionSlug, File } from 'payload'

 import path from 'path'
@@ -33,6 +31,7 @@ import {
  reduceSlug,
  relationPreviewSlug,
  relationSlug,
+  skipSafeFetchMediaSlug,
  threeDimensionalSlug,
  unstoredMediaSlug,
  versionSlug,
@@ -429,6 +428,14 @@ export default buildConfigWithDefaults({
        staticDir: path.resolve(dirname, './media'),
      },
    },
+    {
+      slug: skipSafeFetchMediaSlug,
+      fields: [],
+      upload: {
+        skipSafeFetch: true,
+        staticDir: path.resolve(dirname, './media'),
+      },
+    },
    {
      slug: animatedTypeMedia,
      fields: [],
--- a/test/uploads/int.spec.ts
+++ b/test/uploads/int.spec.ts
@@ -1,4 +1,4 @@
-import type { Payload } from 'payload'
+import type { CollectionSlug, Payload } from 'payload'

 import fs from 'fs'
 import path from 'path'
@@ -19,6 +19,7 @@ import {
  mediaSlug,
  reduceSlug,
  relationSlug,
+  skipSafeFetchMediaSlug,
  unstoredMediaSlug,
  usersSlug,
 } from './shared.js'
@@ -585,6 +586,22 @@ describe('Collections - Uploads', () => {
          )
        },
      )
+      it('should fetch when skipSafeFetch is enabled', async () => {
+        await expect(
+          payload.create({
+            collection: skipSafeFetchMediaSlug as CollectionSlug,
+            data: {
+              filename: 'test.png',
+              url: 'http://127.0.0.1/file.png',
+            },
+          }),
+        ).rejects.toThrow(
+          expect.objectContaining({
+            name: 'FileRetrievalError',
+            message: expect.not.stringContaining('unsafe'),
+          }),
+        )
+      })
    })
  })

--- a/test/uploads/shared.ts
+++ b/test/uploads/shared.ts
@@ -25,7 +25,7 @@ export const withoutMetadataSlug = 'without-meta-data'
 export const withOnlyJPEGMetadataSlug = 'with-only-jpeg-meta-data'
 export const customFileNameMediaSlug = 'custom-file-name-media'
 export const allowListMediaSlug = 'allow-list-media'
-
+export const skipSafeFetchMediaSlug = 'skip-safe-fetch-media'
 export const listViewPreviewSlug = 'list-view-preview'
 export const threeDimensionalSlug = 'three-dimensional'
 export const constructorOptionsSlug = 'constructor-options'