@abtnode/core 1.16.47-beta-20250805-095401-14eb156b → 1.16.47-beta-20250807-110715-19ad6b43

package/lib/blocklet/migration-dist/migration.cjs

@@ -38918,7 +38918,7 @@ module.exports = require("zlib");
 /***/ ((module) => {
 
 "use strict";
-module.exports = /*#__PURE__*/JSON.parse('{"name":"@abtnode/core","publishConfig":{"access":"public"},"version":"1.16.46","description":"","main":"lib/index.js","files":["lib"],"scripts":{"lint":"eslint tests lib --ignore-pattern \'tests/assets/*\'","lint:fix":"eslint --fix tests lib","test":"node tools/jest.js","coverage":"npm run test -- --coverage"},"keywords":[],"author":"wangshijun <wangshijun2010@gmail.com> (http://github.com/wangshijun)","license":"Apache-2.0","dependencies":{"@abtnode/analytics":"1.16.46","@abtnode/auth":"1.16.46","@abtnode/certificate-manager":"1.16.46","@abtnode/client":"1.16.46","@abtnode/constant":"1.16.46","@abtnode/cron":"1.16.46","@abtnode/db-cache":"1.16.46","@abtnode/docker-utils":"1.16.46","@abtnode/logger":"1.16.46","@abtnode/models":"1.16.46","@abtnode/queue":"1.16.46","@abtnode/rbac":"1.16.46","@abtnode/router-provider":"1.16.46","@abtnode/static-server":"1.16.46","@abtnode/timemachine":"1.16.46","@abtnode/util":"1.16.46","@aigne/aigne-hub":"^0.2.2","@arcblock/did":"1.21.0","@arcblock/did-auth":"1.21.0","@arcblock/did-ext":"1.21.0","@arcblock/did-motif":"^1.1.14","@arcblock/did-util":"1.21.0","@arcblock/event-hub":"1.21.0","@arcblock/jwt":"1.21.0","@arcblock/pm2-events":"^0.0.5","@arcblock/validator":"1.21.0","@arcblock/vc":"1.21.0","@blocklet/constant":"1.16.46","@blocklet/did-space-js":"^1.1.13","@blocklet/env":"1.16.46","@blocklet/error":"^0.2.5","@blocklet/meta":"1.16.46","@blocklet/resolver":"1.16.46","@blocklet/sdk":"1.16.46","@blocklet/store":"1.16.46","@blocklet/theme":"^3.0.37","@fidm/x509":"^1.2.1","@ocap/mcrypto":"1.21.0","@ocap/util":"1.21.0","@ocap/wallet":"1.21.0","@slack/webhook":"^5.0.4","archiver":"^7.0.1","axios":"^1.7.9","axon":"^2.0.3","chalk":"^4.1.2","cross-spawn":"^7.0.3","dayjs":"^1.11.13","deep-diff":"^1.0.2","detect-port":"^1.5.1","envfile":"^7.1.0","escape-string-regexp":"^4.0.0","fast-glob":"^3.3.2","filesize":"^10.1.1","flat":"^5.0.2","fs-extra":"^11.2.0","get-port":"^5.1.1","hasha":"^5.2.2","is-base64":"^1.1.0","is-cidr":"4","is-ip":"3","is-url":"^1.2.4","joi":"17.12.2","joi-extension-semver":"^5.0.0","js-yaml":"^4.1.0","kill-port":"^2.0.1","lodash":"^4.17.21","node-stream-zip":"^1.15.0","p-all":"^3.0.0","p-limit":"^3.1.0","p-map":"^4.0.0","p-retry":"^4.6.2","p-wait-for":"^3.2.0","rate-limiter-flexible":"^5.0.5","read-last-lines":"^1.8.0","semver":"^7.6.3","sequelize":"^6.35.0","shelljs":"^0.8.5","slugify":"^1.6.6","ssri":"^8.0.1","stream-throttle":"^0.1.3","stream-to-promise":"^3.0.0","systeminformation":"^5.23.3","tail":"^2.2.4","tar":"^6.1.11","transliteration":"^2.3.5","ua-parser-js":"^1.0.2","ufo":"^1.5.3","uuid":"^11.1.0","valid-url":"^1.0.9","which":"^2.0.2","xbytes":"^1.8.0"},"devDependencies":{"expand-tilde":"^2.0.2","express":"^4.18.2","jest":"^29.7.0","unzipper":"^0.10.11"},"gitHead":"e5764f753181ed6a7c615cd4fc6682aacf0cb7cd"}');
+module.exports = /*#__PURE__*/JSON.parse('{"name":"@abtnode/core","publishConfig":{"access":"public"},"version":"1.16.46","description":"","main":"lib/index.js","files":["lib"],"scripts":{"lint":"eslint tests lib --ignore-pattern \'tests/assets/*\'","lint:fix":"eslint --fix tests lib","test":"node tools/jest.js","coverage":"npm run test -- --coverage"},"keywords":[],"author":"wangshijun <wangshijun2010@gmail.com> (http://github.com/wangshijun)","license":"Apache-2.0","dependencies":{"@abtnode/analytics":"1.16.46","@abtnode/auth":"1.16.46","@abtnode/certificate-manager":"1.16.46","@abtnode/client":"1.16.46","@abtnode/constant":"1.16.46","@abtnode/cron":"1.16.46","@abtnode/db-cache":"1.16.46","@abtnode/docker-utils":"1.16.46","@abtnode/logger":"1.16.46","@abtnode/models":"1.16.46","@abtnode/queue":"1.16.46","@abtnode/rbac":"1.16.46","@abtnode/router-provider":"1.16.46","@abtnode/static-server":"1.16.46","@abtnode/timemachine":"1.16.46","@abtnode/util":"1.16.46","@aigne/aigne-hub":"^0.4.5","@arcblock/did":"1.21.2","@arcblock/did-connect-js":"1.21.2","@arcblock/did-ext":"1.21.2","@arcblock/did-motif":"^1.1.14","@arcblock/did-util":"1.21.2","@arcblock/event-hub":"1.21.2","@arcblock/jwt":"1.21.2","@arcblock/pm2-events":"^0.0.5","@arcblock/validator":"1.21.2","@arcblock/vc":"1.21.2","@blocklet/constant":"1.16.46","@blocklet/did-space-js":"^1.1.13","@blocklet/env":"1.16.46","@blocklet/error":"^0.2.5","@blocklet/meta":"1.16.46","@blocklet/resolver":"1.16.46","@blocklet/sdk":"1.16.46","@blocklet/store":"1.16.46","@blocklet/theme":"^3.0.42","@fidm/x509":"^1.2.1","@ocap/mcrypto":"1.21.2","@ocap/util":"1.21.2","@ocap/wallet":"1.21.2","@slack/webhook":"^5.0.4","archiver":"^7.0.1","axios":"^1.7.9","axon":"^2.0.3","chalk":"^4.1.2","cross-spawn":"^7.0.3","dayjs":"^1.11.13","deep-diff":"^1.0.2","detect-port":"^1.5.1","envfile":"^7.1.0","escape-string-regexp":"^4.0.0","fast-glob":"^3.3.2","filesize":"^10.1.1","flat":"^5.0.2","fs-extra":"^11.2.0","get-port":"^5.1.1","hasha":"^5.2.2","is-base64":"^1.1.0","is-cidr":"4","is-ip":"3","is-url":"^1.2.4","joi":"17.12.2","joi-extension-semver":"^5.0.0","js-yaml":"^4.1.0","kill-port":"^2.0.1","lodash":"^4.17.21","node-stream-zip":"^1.15.0","p-all":"^3.0.0","p-limit":"^3.1.0","p-map":"^4.0.0","p-retry":"^4.6.2","p-wait-for":"^3.2.0","private-ip":"^2.3.4","rate-limiter-flexible":"^5.0.5","read-last-lines":"^1.8.0","semver":"^7.6.3","sequelize":"^6.35.0","shelljs":"^0.8.5","slugify":"^1.6.6","ssri":"^8.0.1","stream-throttle":"^0.1.3","stream-to-promise":"^3.0.0","systeminformation":"^5.23.3","tail":"^2.2.4","tar":"^6.1.11","transliteration":"^2.3.5","ua-parser-js":"^1.0.2","ufo":"^1.5.3","uuid":"^11.1.0","valid-url":"^1.0.9","which":"^2.0.2","xbytes":"^1.8.0"},"devDependencies":{"expand-tilde":"^2.0.2","express":"^4.18.2","jest":"^29.7.0","unzipper":"^0.10.11"},"gitHead":"e5764f753181ed6a7c615cd4fc6682aacf0cb7cd"}');
 
 /***/ }),
 

package/lib/states/base.js

@@ -1,4 +1,6 @@
 const { BaseState } = require('@abtnode/models');
+const { isAllowedURL } = require('@abtnode/util/lib/ssrf-protector');
+const { CustomError } = require('@blocklet/error');
 const logger = require('@abtnode/logger')('@abtnode/core:states:base');
 
 const { isCLI } = require('../util');
@@ -20,6 +22,37 @@ class ExtendedBase extends BaseState {
   update(condition, updates, options) {
     return super.update(condition, updates, { returnUpdatedDocs: true, ...options });
   }
+
+  /**
+   * 验证输入的URL是否合法，如果非法禁止保存
+   */
+  async validateURL(urls = [], label = '') {
+    if (urls.length === 0) {
+      return true;
+    }
+    const validateResults = await Promise.all(
+      urls.map(async (url) => {
+        try {
+          const allowed = await isAllowedURL(url);
+          return { url, allowed };
+        } catch (error) {
+          logger.warn('URL validation failed', { url, error });
+          return { url, allowed: false };
+        }
+      })
+    );
+
+    const allowed = validateResults.every((item) => item.allowed);
+    if (!allowed) {
+      const invalidUrls = validateResults
+        .filter((result) => !result.allowed)
+        .map((result) => result.url)
+        .filter(Boolean);
+
+      throw new CustomError(400, `Invalid ${label || 'URLs'}: ${invalidUrls.join(', ')}`);
+    }
+    return true;
+  }
 }
 
 module.exports = ExtendedBase;

package/lib/states/user.js

@@ -121,6 +121,10 @@ class User extends ExtendBase {
       Object.assign(pending, await this._extractInviteInfo({ did, ...pending }));
     }
 
+    // 验证 webhooks 中 URL 是否合法
+    const webhooks = get(pending, 'extra.webhooks', []);
+    await this.validateURL(webhooks.map((x) => x.url));
+
     await super.update({ did }, { $set: pending });
     await Promise.all(
       (get(cloneData, 'passports') || [])

package/lib/states/webhook-endpoint.js

@@ -1,4 +1,6 @@
 const Joi = require('joi');
+const { CustomError } = require('@blocklet/error');
+
 const BaseState = require('./base');
 
 const webhookEndpointSchema = Joi.object({
@@ -41,6 +43,9 @@ const updateWebhookEndpointSchema = Joi.object({
  */
 class WebhookEndpointState extends BaseState {
   async create(input) {
+    // 校验非法的URL
+    await this.validateURL([input.url], 'webhook endpoint URL');
+
     await webhookEndpointSchema.validateAsync(input, { stripUnknown: true });
 
     const webhook = await this.insert(input);
@@ -55,7 +60,7 @@ class WebhookEndpointState extends BaseState {
   async updateWebhook(id, updates) {
     const doc = await this.findOne({ where: { id } });
     if (!doc) {
-      throw new Error('webhook endpoint not found');
+      throw new CustomError(400, 'webhook endpoint not found');
     }
 
     await updateWebhookEndpointSchema.validateAsync(updates, { stripUnknown: true });
@@ -67,7 +72,7 @@ class WebhookEndpointState extends BaseState {
   async deleteWebhook(id) {
     const doc = await this.findOne({ where: { id } });
     if (!doc) {
-      throw new Error('webhook endpoint not found');
+      throw new CustomError(400, 'webhook endpoint not found');
     }
 
     await this.remove({ id });

package/lib/states/webhook.js

@@ -9,6 +9,10 @@ const { validateWebhook } = require('../validators/webhook');
 class WebhookState extends BaseState {
   async create(info, { mock } = {}) {
     const { type, params } = info;
+
+    const urls = params.map((item) => item.value);
+    await this.validateURL(urls, 'webhook URLs');
+
     const filterParams = params.map((item) => {
       const data = {
         name: item.name,

package/lib/util/aigne-verify.js

@@ -49,7 +49,7 @@ const verifyAigneHub = async (config, blocklet) => {
     const { did, name } = blocklet.meta || {};
 
     const modelConfig = {
-      accessKey: decryptValue(config.key, did),
+      apiKey: decryptValue(config.key, did),
       model: !config.model || config.model === 'auto' ? undefined : config.model,
       url: baseUrl,
     };

package/lib/util/blocklet.js

@@ -21,7 +21,7 @@ const diff = require('deep-diff');
 const createArchive = require('archiver');
 const isUrl = require('is-url');
 const semver = require('semver');
-const { chainInfo: chainInfoSchema } = require('@arcblock/did-auth/lib/schema');
+const { chainInfo: chainInfoSchema } = require('@arcblock/did-connect-js/lib/schema');
 
 const urlPathFriendly = require('@blocklet/meta/lib/url-path-friendly').default;
 const { fromSecretKey, fromPublicKey } = require('@ocap/wallet');
@@ -737,6 +737,7 @@ const startBlockletProcess = async (
 
     if (b.mode === BLOCKLET_MODES.DEVELOPMENT) {
       options.env.NODE_ENV = e2eMode ? 'e2e' : 'development';
+      options.env.IS_E2E = e2eMode ? '1' : undefined;
       options.env.BROWSER = 'none';
       options.env.PORT = options.env[BLOCKLET_DEFAULT_PORT_NAME];
 

package/lib/util/env.js

@@ -1,6 +1,7 @@
 const serverJobBackoffSeconds = process.env.ABT_NODE_JOB_BACKOFF_SECONDS
   ? +process.env.ABT_NODE_JOB_BACKOFF_SECONDS
   : 600;
+const isE2E = process.env.NODE_ENV === 'e2e' || ['1', 'true'].includes(process.env.IS_E2E);
 
 const shouldJobBackoff = () => {
   if (process.env.ABT_NODE_JOB_BACKOFF_SECONDS === '0') {
@@ -13,4 +14,5 @@ const shouldJobBackoff = () => {
 module.exports = {
   serverJobBackoffSeconds,
   shouldJobBackoff,
+  isE2E,
 };

package/lib/util/reset-node.js

@@ -1,6 +1,7 @@
 const logger = require('@abtnode/logger')('@abtnode/core:util:reset');
 
 const states = require('../states');
+const { isE2E } = require('./env');
 
 const noop = () => true;
 
@@ -121,7 +122,7 @@ module.exports = async ({
   teamManager,
   certManager,
 }) => {
-  if (process.env.NODE_ENV !== 'e2e') {
+  if (!isE2E) {
     throw new Error('Reset node only exists for test purpose');
   }
 

package/lib/webhook/index.js

@@ -3,6 +3,7 @@ const { evaluateURLs } = require('@abtnode/util/lib/url-evaluation');
 const checkURLAccessible = require('@abtnode/util/lib/url-evaluation/check-accessible-node');
 const { EVENTS } = require('@abtnode/constant');
 const isEmpty = require('lodash/isEmpty');
+const { isAllowedReferer } = require('@abtnode/util/lib/ssrf-protector');
 
 const { joinURL } = require('ufo');
 const isUrl = require('is-url');
@@ -235,13 +236,21 @@ module.exports = ({ events, dataDirs, instance, teamManager }) => {
     }
   };
 
-  const sendTestMessage = async (msg) => {
+  const sendTestMessage = async (msg, context) => {
     const { webhookId, message } = msg;
     try {
+      if (context?.referer) {
+        const { host = '' } = context || {};
+        if (!isAllowedReferer(context.referer, host)) {
+          throw new Error('Invalid request');
+        }
+      }
       const webhook = webhookId ? await webhookState.findOne(webhookId) : msg.webhook;
+
       await sentTextMessage(webhook, message);
     } catch (error) {
       logger.error('webhook sender error', { error, msg });
+      throw new Error(error.message);
     }
   };
 

package/lib/webhook/sender/api/index.js

@@ -1,6 +1,7 @@
 const Joi = require('joi');
 const axios = require('@abtnode/util/lib/axios');
 const logger = require('@abtnode/logger')('@abtnode/core:sender:api');
+const { isAllowedURL } = require('@abtnode/util/lib/ssrf-protector');
 const BaseSender = require('../base');
 
 class APISender extends BaseSender {
@@ -9,6 +10,9 @@ class APISender extends BaseSender {
     const { status, name, title, description } = message;
 
     try {
+      if (!(await isAllowedURL(url))) {
+        throw new Error('Invalid URL');
+      }
       await axios.post(
         url,
         {

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.16.47-beta-20250805-095401-14eb156b",
+  "version": "1.16.47-beta-20250807-110715-19ad6b43",
   "description": "",
   "main": "lib/index.js",
   "files": [
@@ -19,46 +19,46 @@
   "author": "wangshijun <wangshijun2010@gmail.com> (http://github.com/wangshijun)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/analytics": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/auth": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/certificate-manager": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/client": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/constant": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/cron": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/db-cache": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/docker-utils": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/logger": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/models": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/queue": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/rbac": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/router-provider": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/static-server": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/timemachine": "1.16.47-beta-20250805-095401-14eb156b",
-    "@abtnode/util": "1.16.47-beta-20250805-095401-14eb156b",
-    "@aigne/aigne-hub": "^0.2.2",
-    "@arcblock/did": "1.21.0",
-    "@arcblock/did-auth": "1.21.0",
-    "@arcblock/did-ext": "1.21.0",
+    "@abtnode/analytics": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/auth": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/certificate-manager": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/client": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/constant": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/cron": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/db-cache": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/docker-utils": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/logger": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/models": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/queue": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/rbac": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/router-provider": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/static-server": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/timemachine": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@abtnode/util": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@aigne/aigne-hub": "^0.4.5",
+    "@arcblock/did": "1.21.2",
+    "@arcblock/did-connect-js": "1.21.2",
+    "@arcblock/did-ext": "1.21.2",
     "@arcblock/did-motif": "^1.1.14",
-    "@arcblock/did-util": "1.21.0",
-    "@arcblock/event-hub": "1.21.0",
-    "@arcblock/jwt": "1.21.0",
+    "@arcblock/did-util": "1.21.2",
+    "@arcblock/event-hub": "1.21.2",
+    "@arcblock/jwt": "1.21.2",
     "@arcblock/pm2-events": "^0.0.5",
-    "@arcblock/validator": "1.21.0",
-    "@arcblock/vc": "1.21.0",
-    "@blocklet/constant": "1.16.47-beta-20250805-095401-14eb156b",
+    "@arcblock/validator": "1.21.2",
+    "@arcblock/vc": "1.21.2",
+    "@blocklet/constant": "1.16.47-beta-20250807-110715-19ad6b43",
     "@blocklet/did-space-js": "^1.1.13",
-    "@blocklet/env": "1.16.47-beta-20250805-095401-14eb156b",
+    "@blocklet/env": "1.16.47-beta-20250807-110715-19ad6b43",
     "@blocklet/error": "^0.2.5",
-    "@blocklet/meta": "1.16.47-beta-20250805-095401-14eb156b",
-    "@blocklet/resolver": "1.16.47-beta-20250805-095401-14eb156b",
-    "@blocklet/sdk": "1.16.47-beta-20250805-095401-14eb156b",
-    "@blocklet/store": "1.16.47-beta-20250805-095401-14eb156b",
-    "@blocklet/theme": "^3.0.37",
+    "@blocklet/meta": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@blocklet/resolver": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@blocklet/sdk": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@blocklet/store": "1.16.47-beta-20250807-110715-19ad6b43",
+    "@blocklet/theme": "^3.0.42",
     "@fidm/x509": "^1.2.1",
-    "@ocap/mcrypto": "1.21.0",
-    "@ocap/util": "1.21.0",
-    "@ocap/wallet": "1.21.0",
+    "@ocap/mcrypto": "1.21.2",
+    "@ocap/util": "1.21.2",
+    "@ocap/wallet": "1.21.2",
     "@slack/webhook": "^5.0.4",
     "archiver": "^7.0.1",
     "axios": "^1.7.9",
@@ -91,6 +91,7 @@
     "p-map": "^4.0.0",
     "p-retry": "^4.6.2",
     "p-wait-for": "^3.2.0",
+    "private-ip": "^2.3.4",
     "rate-limiter-flexible": "^5.0.5",
     "read-last-lines": "^1.8.0",
     "semver": "^7.6.3",
@@ -117,5 +118,5 @@
     "jest": "^29.7.0",
     "unzipper": "^0.10.11"
   },
-  "gitHead": "db2c143c5986281db1ae735aac70cbeb8c817773"
+  "gitHead": "639aa367b25d6885e38cba99f73d753b2831393d"
 }