From 6883f8b870494a1d6016646bbbd03eb54ac1a20a Mon Sep 17 00:00:00 2001
From: George Goodall
Date: Tue, 5 Nov 2024 16:38:30 +0000
Subject: [PATCH 1/2] dont perform local head validation if head request fails or is not allowed
---
 src/controllers/submitUrlController.js | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/controllers/submitUrlController.js b/src/controllers/submitUrlController.js
index b81ceb65..192d140b 100644
--- a/src/controllers/submitUrlController.js
+++ b/src/controllers/submitUrlController.js
@@ -8,6 +8,8 @@ import axios from 'axios'
 import { allowedFileTypes } from '../utils/utils.js'
 import config from '../../config/index.js'
+const HTTP_STATUS_METHOD_NOT_ALLOWED = 405
+
 class SubmitUrlController extends UploadController {
 async post (req, res, next) {
 const localValidationErrorType = await SubmitUrlController.localUrlValidation(req.body.url)
@@ -61,7 +63,24 @@ class SubmitUrlController extends UploadController {
 { type: 'filetype', fn: () => SubmitUrlController.validateAcceptedFileType(resp) },
 { type: 'size', fn: () => SubmitUrlController.urlResponseIsNotTooLarge(resp) }
 ])
- const headResponse = await SubmitUrlController.headRequest(url)
+ let headResponse
+ try {
+ headResponse = await SubmitUrlController.headRequest(url)
+ } catch (error) {
+ logger.warn('submitUrlController/localUrlValidation: failed to get the submitted urls head. skipping post validators', {
+ type: types.DataFetch,
+ errorMessage: error.message
+ })
+ return null
+ }
+
+ if (headResponse.status === HTTP_STATUS_METHOD_NOT_ALLOWED) {
+ // HEAD request not allowed, return null or a specific error message
+ logger.warn('submitUrlController/localUrlValidation: failed to get the submitted urls head as it was not allowed (405) skipping post validators', {
+ type: types.DataFetch
+ })
+ return null
+ }
 return postValidators(headResponse).find(validator => !validator.fn())?.type
 }
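Review bot: Both new `return null` paths in `localUrlValidation` make the `filetype` and `size` checks fail open, because the host behind the submitted URL controls whether HEAD errors or answers 405 and can therefore opt out of both validators. The reworked version of this hunk in PATCH 2/2 keeps the same behaviour. That is acceptable only if the code that later fetches the URL enforces the allowed file types and the size limit on the actual response, which is not visible here; I would record the dependency next to the returns, e.g. `// Fail open: filetype/size are NOT checked on this path, the later fetch of the URL must enforce them`. Only 405 is special-cased, so whether other HEAD rejections such as 403 or 501 reach `postValidators` depends on how `headRequest` handles non-2xx statuses. `localUrlValidation` starts outside the hunk.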
From aeb11438f49009825e5a339e7266a4ef7494a3cc Mon Sep 17 00:00:00 2001
From: George Goodall
Date: Wed, 6 Nov 2024 11:26:22 +0000
Subject: [PATCH 2/2] add additional tests
---
 src/controllers/submitUrlController.js | 14 ++++++--------
 test/unit/submitUrlController.test.js | 12 ++++++++++++
 2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/src/controllers/submitUrlController.js b/src/controllers/submitUrlController.js
index 192d140b..d83763ac 100644
--- a/src/controllers/submitUrlController.js
+++ b/src/controllers/submitUrlController.js
@@ -63,18 +63,16 @@ class SubmitUrlController extends UploadController {
 { type: 'filetype', fn: () => SubmitUrlController.validateAcceptedFileType(resp) },
 { type: 'size', fn: () => SubmitUrlController.urlResponseIsNotTooLarge(resp) }
 ])
- let headResponse
- try {
- headResponse = await SubmitUrlController.headRequest(url)
- } catch (error) {
- logger.warn('submitUrlController/localUrlValidation: failed to get the submitted urls head. skipping post validators', {
- type: types.DataFetch,
- errorMessage: error.message
+ const headResponse = await SubmitUrlController.headRequest(url)
+
+ if (!headResponse) {
+ logger.warn('submitUrlController/localUrlValidation: failed to get the submitted urls head, skipping post validators', {
+ type: types.DataFetch
 })
 return null
 }
- if (headResponse.status === HTTP_STATUS_METHOD_NOT_ALLOWED) {
+ if (headResponse?.status === HTTP_STATUS_METHOD_NOT_ALLOWED) {
 // HEAD request not allowed, return null or a specific error message
 logger.warn('submitUrlController/localUrlValidation: failed to get the submitted urls head as it was not allowed (405) skipping post validators', {
 type: types.DataFetch
diff --git a/test/unit/submitUrlController.test.js b/test/unit/submitUrlController.test.js
index 8322ab63..24fb7467 100644
--- a/test/unit/submitUrlController.test.js
+++ b/test/unit/submitUrlController.test.js
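Review bot: In the `src/controllers/submitUrlController.js` hunk of this patch, the `!headResponse` branch no longer records why the HEAD request failed, because `errorMessage: error.message` was removed together with the try/catch. Unless `headRequest` (not shown) logs the error itself, the warning cannot tell a timeout from a DNS or TLS failure, and since this branch skips the filetype and size checks it is the one path where that detail helps spot a host that triggers it repeatedly. After the early return the optional chain is redundant, so `if (headResponse.status === HTTP_STATUS_METHOD_NOT_ALLOWED) {` states the precondition more clearly. The comment `// HEAD request not allowed, return null or a specific error message` should say what the code does, e.g. `// HEAD not allowed (405): skip the filetype and size checks`. The enclosing function starts and ends outside the hunk.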
@@ -130,6 +130,18 @@ describe('SubmitUrlController', async () => {
 url += 'a'.repeat(2048)
 expect(await SubmitUrlController.localUrlValidation(url)).toBe('length')
 })
+
+ it('should return null if the head request fails', async () => {
+ mocks.headMock.mockImplementation(() => { throw new Error('Head request failed') })
+ const url = 'http://example.com'
+ expect(await SubmitUrlController.localUrlValidation(url)).toBeNull()
+ })
+
+ it('should return null if the head request method is not allowed', async () => {
+ mocks.headMock.mockImplementation(() => ({ status: 405 }))
+ const url = 'http://example.com'
+ expect(await SubmitUrlController.localUrlValidation(url)).toBeNull()
+ })
 })
 describe('urlIsValid', () => {
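Review bot: The first new test makes `mocks.headMock` throw synchronously, whereas a failing HTTP client call normally surfaces as a rejected promise; assuming the mock stands in for the axios HEAD call, `mocks.headMock.mockRejectedValue(new Error('Head request failed'))` would exercise the path `headRequest` takes in production. Both tests only assert the `null` result, so they would still pass if the warning were dropped; asserting on the logger call would pin the behaviour that makes this fail-open path observable. A third case with a non-405 error status would document whether the `filetype` and `size` validators still run for it. Both tests also leave their implementation installed on the shared mock, and no reset hook is visible in this hunk, so later tests may inherit it.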