From 1987c934164ba2608626b6460fe57efe61b30dd1 Mon Sep 17 00:00:00 2001
From: Nir Gazit <nir.gzt@gmail.com>
Date: Tue, 2 Mar 2021 10:34:02 +0200
Subject: [PATCH] Added a verification for URLs in proxy backend

---
 .changeset/hot-islands-kick.md                   | 5 +++++
 plugins/proxy-backend/src/service/router.test.ts | 9 +++++++++
 plugins/proxy-backend/src/service/router.ts      | 9 +++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 .changeset/hot-islands-kick.md

diff --git a/.changeset/hot-islands-kick.md b/.changeset/hot-islands-kick.md
new file mode 100644
index 0000000000..67222245de
--- /dev/null
+++ b/.changeset/hot-islands-kick.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-proxy-backend': patch
+---
+
+Added a verification for well formed URLs when processing proxy targets. Otherwise users gets a cryptic error message thrown from Express which makes it hard to debug.
diff --git a/plugins/proxy-backend/src/service/router.test.ts b/plugins/proxy-backend/src/service/router.test.ts
index d0eca55ee0..3005b12766 100644
--- a/plugins/proxy-backend/src/service/router.test.ts
+++ b/plugins/proxy-backend/src/service/router.test.ts
@@ -268,4 +268,13 @@ describe('buildMiddleware', () => {
 
     expect(Object.keys(testClientResponse.headers!)).toEqual(['set-cookie']);
   });
+
+  it('rejects malformed target URLs', async () => {
+    expect(() =>
+      buildMiddleware('/api/', logger, 'test', 'backstage.io'),
+    ).toThrowError(/Proxy target is not a valid URL/);
+    expect(() =>
+      buildMiddleware('/api/', logger, 'test', { target: 'backstage.io' }),
+    ).toThrowError(/Proxy target is not a valid URL/);
+  });
 });
diff --git a/plugins/proxy-backend/src/service/router.ts b/plugins/proxy-backend/src/service/router.ts
index 036e3a8d1b..917ec2383c 100644
--- a/plugins/proxy-backend/src/service/router.ts
+++ b/plugins/proxy-backend/src/service/router.ts
@@ -68,6 +68,15 @@ export function buildMiddleware(
   const fullConfig =
     typeof config === 'string' ? { target: config } : { ...config };
 
+  // Validate that target is a valid URL.
+  try {
+    // eslint-disable-next-line no-new
+    new URL(fullConfig.target!);
+  } catch {
+    throw new Error(
+      `Proxy target is not a valid URL: ${fullConfig.target ?? ''}`,
+    );
+  }
   // Default is to do a path rewrite that strips out the proxy's path prefix
   // and the rest of the route.
   if (fullConfig.pathRewrite === undefined) {