Validate async TUS URLs and retry delays

kvz · kvz · commit 5750d70c16bb · 2026-05-21T10:52:52.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 ### 2.0.0 / 2026-05-20 ###
 * **Breaking Change**: Raised the supported Python runtime floor from 3.9+ to 3.12+ so the SDK no longer has to retain vulnerable locked dependency versions for EOL Python 3.9 or depend on tooling lines that are already dropping older runtime support.
 * Added explicit asyncio support with `AsyncTransloadit`, async request/assembly/template helpers, and `asyncio.sleep`-based polling. Resumable uploads stay on the existing TUS client, but run through `asyncio.to_thread()` so the event loop remains responsive instead of pretending the sync uploader is natively async.
+* Hardened sync and async request handling by preserving custom `auth` constraints, quoting path IDs, and rejecting absolute API URLs outside Transloadit origins.
 * Raised the runtime HTTP stack to patched versions by requiring `requests` 2.33+ and adding an explicit `urllib3` 2.7+ floor.
 * Updated development and documentation tooling, including `pytest` 9.0.3, `Sphinx` 9.1, `sphinx-autobuild` 2025.8, `coverage` 7.14, `tox` 4.54, and `requests-mock` 1.12.
 * Updated CI and local Docker test coverage to a representative Python 3.12, 3.13, and 3.14 matrix.
diff --git a/tests/test_async_client.py b/tests/test_async_client.py
@@ -1037,6 +1037,37 @@ def uploader(self, **kwargs):
         post_mock.assert_awaited_once()
         self.assertEqual(calls, [])
 
+    async def test_async_assembly_resumable_response_rejects_external_tus_url(self):
+        calls = []
+
+        class _TusClient:
+            def __init__(self, tus_url):
+                calls.append(("client", tus_url))
+
+            def uploader(self, **kwargs):
+                raise AssertionError("TUS upload should not start with an external upload URL")
+
+        async with AsyncTransloadit("key", "secret", service=self.server.base_url) as client:
+            assembly = client.new_assembly()
+            assembly.add_file(io.BytesIO(b"payload"))
+
+            response = Response(
+                data={
+                    "assembly_ssl_url": f"{self.server.base_url}/assemblies/assembly-123",
+                    "tus_url": "https://example.com/uploads",
+                },
+                status_code=200,
+                headers={},
+            )
+
+            with mock.patch.object(client.request, "post", new=mock.AsyncMock(return_value=response)) as post_mock:
+                with mock.patch("transloadit.async_assembly.tus.TusClient", new=_TusClient):
+                    with self.assertRaises(ValueError):
+                        await assembly.create(resumable=True)
+
+        post_mock.assert_awaited_once()
+        self.assertEqual(calls, [])
+
     async def test_async_assembly_wait_returns_response_without_assembly_url(self):
         incomplete_response = Response(
             data={"ok": "ASSEMBLY_PROCESSING"},
@@ -1334,6 +1365,18 @@ async def test_async_assembly_rate_limit_ignores_malformed_error_values(self):
         self.assertFalse(assembly._rate_limit_reached({"error": ["RATE_LIMIT_REACHED"]}))
         self.assertFalse(assembly._rate_limit_reached({"error": {"code": "RATE_LIMIT_REACHED"}}))
 
+    async def test_async_assembly_retry_delay_sanitizes_response_info(self):
+        client = AsyncTransloadit("key", "secret", service=self.server.base_url)
+        assembly = client.new_assembly()
+
+        self.assertEqual(assembly._retry_delay({}), 1)
+        self.assertEqual(assembly._retry_delay({"info": None}), 1)
+        self.assertEqual(assembly._retry_delay({"info": {"retryIn": "bad"}}), 1)
+        self.assertEqual(assembly._retry_delay({"info": {"retryIn": float("nan")}}), 1)
+        self.assertEqual(assembly._retry_delay({"info": {"retryIn": -2}}), 0)
+        self.assertEqual(assembly._retry_delay({"info": {"retryIn": 0.25}}), 0.25)
+        self.assertEqual(assembly._retry_delay({"info": {"retryIn": 9999}}), 60)
+
     async def test_async_tus_upload_cancellation_returns_before_thread_finishes(self):
         client = AsyncTransloadit("key", "secret", service=self.server.base_url)
         assembly = client.new_assembly()
diff --git a/transloadit/async_assembly.py b/transloadit/async_assembly.py
@@ -1,9 +1,13 @@
 import asyncio
+import math
 
 from tusclient import client as tus
 
 from . import optionbuilder
 from .async_request import _get_upload_filename
+from .url_utils import validate_absolute_api_url
+
+MAX_RETRY_DELAY_SECONDS = 60
 
 
 class AsyncAssembly(optionbuilder.OptionBuilder):
@@ -62,6 +66,8 @@ def _rewind_files(self, positions):
                 raise RuntimeError(f"Unable to rewind file stream {key!r}.") from exc
 
     def _do_tus_upload(self, assembly_url, tus_url, retries):
+        validate_absolute_api_url(self.transloadit.service, assembly_url)
+        validate_absolute_api_url(self.transloadit.service, tus_url)
         tus_client = tus.TusClient(tus_url)
         for key, file_stream in self.files.items():
             filename = _get_upload_filename(file_stream, key)
@@ -78,6 +84,8 @@ def _do_tus_upload(self, assembly_url, tus_url, retries):
             ).upload()
 
     async def _do_tus_upload_async(self, assembly_url, tus_url, retries):
+        # tuspy is synchronous: cancelling this awaiter cannot stop a worker thread already in flight.
+        # Returning cancellation promptly is safer than making callers wait on a stalled sync upload.
         await asyncio.to_thread(self._do_tus_upload, assembly_url, tus_url, retries)
 
     async def create(self, wait=False, resumable=True, retries=3):
@@ -116,7 +124,7 @@ async def create(self, wait=False, resumable=True, retries=3):
                         )
                     if not resumable:
                         self._rewind_files(file_positions)
-                    await asyncio.sleep(response_data.get("info", {}).get("retryIn", 1))
+                    await asyncio.sleep(self._retry_delay(response_data))
                     retries -= 1
                     continue
                 return response
@@ -145,7 +153,7 @@ async def create(self, wait=False, resumable=True, retries=3):
                         if remaining_rate_limit_retries <= 0:
                             return poll_response
                         remaining_rate_limit_retries -= 1
-                    sleep_time = poll_data.get("info", {}).get("retryIn", 1)
+                    sleep_time = self._retry_delay(poll_data)
                     await asyncio.sleep(sleep_time)
                     poll_response = await self.transloadit.get_assembly(
                         assembly_url=assembly_url
@@ -179,3 +187,15 @@ def _rate_limit_reached(self, response_data):
             "RATE_LIMIT_REACHED",
             "ASSEMBLY_STATUS_FETCHING_RATE_LIMIT_REACHED",
         }
+
+    def _retry_delay(self, response_data):
+        info = response_data.get("info")
+        if not isinstance(info, dict):
+            return 1
+        try:
+            delay = float(info.get("retryIn", 1))
+        except (TypeError, ValueError):
+            return 1
+        if not math.isfinite(delay):
+            return 1
+        return min(max(delay, 0), MAX_RETRY_DELAY_SECONDS)
diff --git a/transloadit/async_request.py b/transloadit/async_request.py
@@ -8,21 +8,17 @@
 import json
 from types import MappingProxyType
 from datetime import datetime, timedelta, timezone
-from urllib.parse import urlparse
 
 import aiohttp
 from requests.structures import CaseInsensitiveDict
 
 from . import __version__
 from .response import Response
+from .url_utils import validate_absolute_api_url
 
 TIMEOUT = 60
 
 
-def _is_transloadit_host(hostname):
-    return hostname == "transloadit.com" or hostname.endswith(".transloadit.com")
-
-
 def _get_upload_filename(file_stream, fallback):
     name = getattr(file_stream, "name", None)
     if isinstance(name, (bytes, os.PathLike)):
@@ -271,15 +267,6 @@ def _sign_data(self, message):
 
     def _get_full_url(self, url):
         if url.startswith(("http://", "https://")):
-            service = urlparse(self.transloadit.service)
-            target = urlparse(url)
-            same_origin = (target.scheme, target.netloc) == (service.scheme, service.netloc)
-            transloadit_origin = (
-                target.scheme == service.scheme
-                and _is_transloadit_host(service.hostname or "")
-                and _is_transloadit_host(target.hostname or "")
-            )
-            if not (same_origin or transloadit_origin):
-                raise ValueError("Absolute API URLs must use the configured Transloadit service origin.")
+            validate_absolute_api_url(self.transloadit.service, url)
             return url
         return self.transloadit.service + url
diff --git a/transloadit/request.py b/transloadit/request.py
@@ -3,20 +3,15 @@
 import json
 import copy
 from datetime import datetime, timedelta, timezone
-from urllib.parse import urlparse
 
 import requests
 
 from .response import as_response
 from . import __version__
+from .url_utils import validate_absolute_api_url
 
 TIMEOUT = 60
 
-
-def _is_transloadit_host(hostname):
-    return hostname == "transloadit.com" or hostname.endswith(".transloadit.com")
-
-
 class Request:
     """
     Transloadit tailored HTTP Request object.
@@ -136,16 +131,7 @@ def _sign_data(self, message):
 
     def _get_full_url(self, url):
         if url.startswith(("http://", "https://")):
-            service = urlparse(self.transloadit.service)
-            target = urlparse(url)
-            same_origin = (target.scheme, target.netloc) == (service.scheme, service.netloc)
-            transloadit_origin = (
-                target.scheme == service.scheme
-                and _is_transloadit_host(service.hostname or "")
-                and _is_transloadit_host(target.hostname or "")
-            )
-            if not (same_origin or transloadit_origin):
-                raise ValueError("Absolute API URLs must use the configured Transloadit service origin.")
+            validate_absolute_api_url(self.transloadit.service, url)
             return url
         else:
             return self.transloadit.service + url
diff --git a/transloadit/url_utils.py b/transloadit/url_utils.py
@@ -0,0 +1,21 @@
+from urllib.parse import urlparse
+
+
+def is_transloadit_host(hostname):
+    return hostname == "transloadit.com" or hostname.endswith(".transloadit.com")
+
+
+def validate_absolute_api_url(service_url, target_url):
+    if not target_url.startswith(("http://", "https://")):
+        return
+
+    service = urlparse(service_url)
+    target = urlparse(target_url)
+    same_origin = (target.scheme, target.netloc) == (service.scheme, service.netloc)
+    transloadit_origin = (
+        target.scheme == service.scheme
+        and is_transloadit_host(service.hostname or "")
+        and is_transloadit_host(target.hostname or "")
+    )
+    if not (same_origin or transloadit_origin):
+        raise ValueError("Absolute API URLs must use the configured Transloadit service or regional Transloadit origin.")
