feat(auth): validate KYC image URL hosts match MinIO bucket

Closes TEC-2725. Backend KYC presign + submit endpoints already landed in 8f8e20f; this adds the remaining acceptance criterion — host validation on presigned URLs accepted via /auth/kyc/submit. - Add IMediaStorageService.isTrustedUrl(url) — host+bucket check, supports MINIO_TRUSTED_HOSTS for CDN aliases - SubmitKycHandler rejects imageUrls pointing outside our MinIO bucket - Update handler specs with mock + new untrusted-host test Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-18 00:32:02 +07:00
parent e18390ead9
commit 99385d8263
4 changed files with 76 additions and 2 deletions
--- a/apps/api/src/modules/auth/application/tests/generate-kyc-upload-urls.handler.spec.ts
+++ b/apps/api/src/modules/auth/application/tests/generate-kyc-upload-urls.handler.spec.ts
@@ -1,8 +1,8 @@
+import { type IMediaStorageService } from '../../../../listings/infrastructure/services/media-storage.service';
 import { UserEntity } from '../../domain/entities/user.entity';
 import { type IUserRepository } from '../../domain/repositories/user.repository';
 import { type HashedPassword } from '../../domain/value-objects/hashed-password.vo';
 import { Phone } from '../../domain/value-objects/phone.vo';
-import { type IMediaStorageService } from '../../../../listings/infrastructure/services/media-storage.service';
 import { GenerateKycUploadUrlsCommand } from '../commands/generate-kyc-upload-urls/generate-kyc-upload-urls.command';
 import { GenerateKycUploadUrlsHandler } from '../commands/generate-kyc-upload-urls/generate-kyc-upload-urls.handler';

@@ -42,6 +42,7 @@ describe('GenerateKycUploadUrlsHandler', () => {
      getPresignedUploadUrl: vi.fn(),
      generatePresignedUpload: vi.fn(),
      getPublicUrl: vi.fn(),
+      isTrustedUrl: vi.fn().mockReturnValue(true),
    };
    mockLogger = {
      error: vi.fn(),
--- a/apps/api/src/modules/auth/application/tests/submit-kyc.handler.spec.ts
+++ b/apps/api/src/modules/auth/application/tests/submit-kyc.handler.spec.ts
@@ -1,8 +1,8 @@
+import { type IMediaStorageService } from '../../../../listings/infrastructure/services/media-storage.service';
 import { UserEntity } from '../../domain/entities/user.entity';
 import { type IUserRepository } from '../../domain/repositories/user.repository';
 import { type HashedPassword } from '../../domain/value-objects/hashed-password.vo';
 import { Phone } from '../../domain/value-objects/phone.vo';
-import { type IMediaStorageService } from '../../../../listings/infrastructure/services/media-storage.service';
 import { SubmitKycCommand } from '../commands/submit-kyc/submit-kyc.command';
 import { SubmitKycHandler } from '../commands/submit-kyc/submit-kyc.handler';

@@ -43,6 +43,7 @@ describe('SubmitKycHandler', () => {
      getPresignedUploadUrl: vi.fn(),
      generatePresignedUpload: vi.fn(),
      getPublicUrl: vi.fn(),
+      isTrustedUrl: vi.fn().mockReturnValue(true),
    };
    mockCache = {
      invalidate: vi.fn().mockResolvedValue(undefined),
@@ -137,6 +138,27 @@ describe('SubmitKycHandler', () => {
      expect(result.message).toBeTruthy();
      expect(user.kycStatus).toBe('PENDING');
    });
+
+    it('rejects untrusted image URL hosts', async () => {
+      const user = createTestUser();
+      mockUserRepo.findById.mockResolvedValue(user);
+      mockMediaStorage.isTrustedUrl.mockImplementation((url: string) =>
+        url.startsWith('https://minio/'),
+      );
+
+      const command = new SubmitKycCommand(
+        'user-1',
+        'CCCD',
+        '012345678901',
+        undefined,
+        undefined,
+        undefined,
+        { frontImageUrl: 'https://evil.example.com/kyc/front.jpg' },
+      );
+
+      await expect(handler.execute(command)).rejects.toThrow();
+      expect(mockUserRepo.update).not.toHaveBeenCalled();
+    });
  });

  describe('legacy file upload flow', () => {
--- a/apps/api/src/modules/auth/application/commands/submit-kyc/submit-kyc.handler.ts
+++ b/apps/api/src/modules/auth/application/commands/submit-kyc/submit-kyc.handler.ts
@@ -49,6 +49,17 @@ export class SubmitKycHandler implements ICommandHandler<SubmitKycCommand> {
        frontImageUrl = command.imageUrls.frontImageUrl;
        backImageUrl = command.imageUrls.backImageUrl ?? null;
        selfieUrl = command.imageUrls.selfieUrl ?? null;
+
+        // Validate URL hosts match our MinIO bucket (reject SSRF / tampering)
+        const untrusted: string[] = [];
+        if (!this.mediaStorage.isTrustedUrl(frontImageUrl)) untrusted.push('frontImageUrl');
+        if (backImageUrl && !this.mediaStorage.isTrustedUrl(backImageUrl)) untrusted.push('backImageUrl');
+        if (selfieUrl && !this.mediaStorage.isTrustedUrl(selfieUrl)) untrusted.push('selfieUrl');
+        if (untrusted.length > 0) {
+          throw new ValidationException(
+            `URL khong hop le (${untrusted.join(', ')}): chi chap nhan URL tu MinIO bucket cua he thong`,
+          );
+        }
      } else if (command.frontImage) {
        // Legacy file upload flow: upload buffers server-side
        const folder = `${KYC_FOLDER}/${command.userId}`;
--- a/apps/api/src/modules/listings/infrastructure/services/media-storage.service.ts
+++ b/apps/api/src/modules/listings/infrastructure/services/media-storage.service.ts
@@ -30,6 +30,7 @@ export interface IMediaStorageService {
    expiresInSeconds?: number,
  ): Promise<PresignedUploadResult>;
  getPublicUrl(objectKey: string): string;
+  isTrustedUrl(url: string): boolean;
 }

 function requireEnv(key: string): string {
@@ -151,6 +152,45 @@ export class MinioMediaStorageService implements IMediaStorageService, OnModuleI
    return `${protocol}://${this.endpoint}:${this.port}/${this.bucket}/${objectKey}`;
  }

+  /**
+   * Validates that a URL points to our configured MinIO bucket.
+   * Accepts the primary endpoint, plus an optional comma-separated list of
+   * additional trusted hosts via `MINIO_TRUSTED_HOSTS` (e.g. public CDN domains).
+   * Also enforces the bucket is the first path segment.
+   */
+  isTrustedUrl(url: string): boolean {
+    if (!url || typeof url !== 'string') {
+      return false;
+    }
+    let parsed: URL;
+    try {
+      parsed = new URL(url);
+    } catch {
+      return false;
+    }
+
+    const allowedHosts = new Set<string>();
+    allowedHosts.add(this.endpoint.toLowerCase());
+    allowedHosts.add(`${this.endpoint.toLowerCase()}:${this.port}`);
+
+    const extra = process.env['MINIO_TRUSTED_HOSTS'];
+    if (extra) {
+      for (const h of extra.split(',')) {
+        const trimmed = h.trim().toLowerCase();
+        if (trimmed) allowedHosts.add(trimmed);
+      }
+    }
+
+    const host = parsed.host.toLowerCase();
+    if (!allowedHosts.has(host) && !allowedHosts.has(parsed.hostname.toLowerCase())) {
+      return false;
+    }
+
+    // Path must start with /<bucket>/
+    const expectedPrefix = `/${this.bucket}/`;
+    return parsed.pathname.startsWith(expectedPrefix) && parsed.pathname.length > expectedPrefix.length;
+  }
+
  async delete(fileUrl: string): Promise<void> {
    try {
      const urlObj = new URL(fileUrl);