@abtnode/util 1.16.47-beta-20250805-140707-3a4df7fd → 1.16.47-beta-20250808-102837-d10f3b40

package/lib/did-document.js

@@ -3,6 +3,8 @@ const { toBase64, toBase58, toDid } = require('@ocap/util');
 const { joinURL } = require('ufo');
 const pRetry = require('p-retry');
 const debug = require('debug')('@abtnode/util:did-document');
+
+const sleep = require('./sleep');
 const axios = require('./axios');
 const { encode: encodeBase32 } = require('./base32');
 
@@ -60,7 +62,27 @@ const update = ({ id, services, didRegistryUrl, wallet, alsoKnownAs = [], blockl
   });
 };
 
-const updateWithRetry = (...args) => pRetry(() => update(...args), { retries: 3 });
+const DEFAULT_RETRY_COUNT = 6;
+const getRetryCount = () => {
+  try {
+    let retryCount = parseInt(process.env.ABT_NODE_UPDATE_DID_DOCUMENT_RETRY_COUNT, 10);
+    retryCount = Number.isNaN(retryCount) ? DEFAULT_RETRY_COUNT : retryCount;
+    debug('get retry count', retryCount);
+    return retryCount;
+  } catch (error) {
+    debug('get retry count error', error);
+    return DEFAULT_RETRY_COUNT;
+  }
+};
+
+const updateWithRetry = (...args) =>
+  pRetry(() => update(...args), {
+    retries: getRetryCount(),
+    onFailedAttempt: async (error) => {
+      debug('update did document failed', error);
+      await sleep(10 * 1000);
+    },
+  });
 
 const getServerServices = ({ ips, wallet, domain }) => {
   const records = ips.map((ip) => ({
@@ -148,9 +170,12 @@ const updateBlockletDocument = ({
 };
 
 module.exports = {
+  DEFAULT_RETRY_COUNT,
   updateServerDocument,
   updateBlockletDocument,
   getDID,
   getServerServices,
   getBlockletServices,
+  updateWithRetry,
+  getRetryCount,
 };

package/lib/sanitize.js

@@ -12,9 +12,12 @@ const sanitizeTag = (content) => {
 
   const sanitize = initSanitize({
     whiteList: {},
-    stripIgnoreTag: true,
-    onIgnoreTag: false,
+    stripIgnoreTag: false,
     stripIgnoreTagBody: [],
+    onIgnoreTag: (tag, html) => html.replace(/</g, '&lt;').replace(/>/g, '&gt;'),
+    onIgnoreTagAttr: (tag, name, value) => `${name}="${value}"`,
+    onTag: (tag, html) => html.replace(/</g, '&lt;').replace(/>/g, '&gt;'),
+    escapeHtml: (html) => html.replace(/</g, '&lt;').replace(/>/g, '&gt;'),
   });
   return sanitize(content);
 };

package/lib/ssrf-protector.js

@@ -0,0 +1,111 @@
+/**
+ * SSRF Protector
+ */
+const isPrivateIP = require('private-ip');
+const isIP = require('is-ip');
+const dns = require('dns');
+
+// 允许的协议， 只允许 https
+function isAllowedProtocol(protocol) {
+  if (!protocol) {
+    return false;
+  }
+
+  const _protocol = protocol.toLowerCase().replace(':', '');
+
+  return ['https'].includes(_protocol);
+}
+
+// 允许的 host, 只能是当前站点
+function isAllowedReferer(referer, host) {
+  if (!referer || !host) {
+    return false;
+  }
+
+  try {
+    const refererUrl = new URL(referer);
+
+    // 检查referer是否来自当前站点
+    return refererUrl.hostname === host || refererUrl.hostname === host.split(':')[0]; // 处理端口号情况
+  } catch {
+    return false;
+  }
+}
+
+const resolveDomain = (domain) => {
+  return new Promise((resolve, reject) => {
+    dns.lookup(domain, { all: false }, (error, address) => {
+      if (!error) {
+        resolve(address);
+      } else {
+        reject(error);
+      }
+    });
+  });
+};
+
+/**
+ * 解析域名并验证是否为私有IP
+ * @param {string} hostname - 要解析的域名
+ * @returns {Promise<boolean>} - 如果解析到的IP不是私有IP则返回true，否则返回false
+ */
+async function resolveAndValidateHostname(hostname) {
+  if (!hostname) {
+    return false;
+  }
+
+  try {
+    // 使用 lookup 方法解析域名
+    const address = await resolveDomain(hostname);
+
+    // 检查是否为私有IP，返回相反的结果
+    return !isPrivateIP(address);
+  } catch (error) {
+    // DNS解析失败，拒绝访问
+    return false;
+  }
+}
+
+/**
+ * 解析URL为IP地址并验证是否为私有IP
+ * @param {string} url - 要验证的URL
+ * @returns {Promise<boolean>} - 如果IP不是私有IP则返回true，否则返回false
+ */
+async function isAllowedURL(url) {
+  if (!url) {
+    return false;
+  }
+
+  try {
+    const { hostname, protocol } = new URL(url);
+
+    if (!isAllowedProtocol(protocol)) {
+      return false;
+    }
+
+    // 如果是IP地址，直接验证
+    if (isIP(hostname)) {
+      return !isPrivateIP(hostname);
+    }
+
+    // 测试和开发环境不进行 DNS 解析验证
+    if (process.env.NODE_ENV === 'test' || process.env.NODE_ENV === 'development') {
+      return true;
+    }
+
+    // 如果是域名，进行DNS解析
+    const result = await resolveAndValidateHostname(hostname);
+
+    return result;
+  } catch (error) {
+    // URL解析失败
+    return false;
+  }
+}
+
+module.exports = {
+  isAllowedProtocol,
+  isAllowedReferer,
+  isAllowedURL,
+  resolveAndValidateHostname,
+};

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.16.47-beta-20250805-140707-3a4df7fd",
+  "version": "1.16.47-beta-20250808-102837-d10f3b40",
   "description": "ArcBlock's JavaScript utility",
   "main": "lib/index.js",
   "files": [
@@ -18,18 +18,18 @@
   "author": "polunzh <polunzh@gmail.com> (http://github.com/polunzh)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/constant": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@abtnode/db-cache": "1.16.47-beta-20250805-140707-3a4df7fd",
-    "@arcblock/did": "1.21.0",
+    "@abtnode/constant": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@abtnode/db-cache": "1.16.47-beta-20250808-102837-d10f3b40",
+    "@arcblock/did": "1.21.2",
     "@arcblock/pm2": "^6.0.12",
-    "@blocklet/constant": "1.16.47-beta-20250805-140707-3a4df7fd",
+    "@blocklet/constant": "1.16.47-beta-20250808-102837-d10f3b40",
     "@blocklet/error": "^0.2.5",
-    "@blocklet/meta": "1.16.47-beta-20250805-140707-3a4df7fd",
+    "@blocklet/meta": "1.16.47-beta-20250808-102837-d10f3b40",
     "@blocklet/xss": "^0.2.3",
-    "@ocap/client": "1.21.0",
-    "@ocap/mcrypto": "1.21.0",
-    "@ocap/util": "1.21.0",
-    "@ocap/wallet": "1.21.0",
+    "@ocap/client": "1.21.2",
+    "@ocap/mcrypto": "1.21.2",
+    "@ocap/util": "1.21.2",
+    "@ocap/wallet": "1.21.2",
     "archiver": "^7.0.1",
     "axios": "^1.7.9",
     "axios-mock-adapter": "^2.1.0",
@@ -63,6 +63,7 @@
     "p-retry": "^4.6.2",
     "p-wait-for": "^3.2.0",
     "parallel-transform": "^1.2.0",
+    "private-ip": "^2.3.4",
     "public-ip": "^4.0.4",
     "pump": "^3.0.0",
     "request-ip": "^3.3.0",
@@ -89,5 +90,5 @@
     "fs-extra": "^11.2.0",
     "jest": "^29.7.0"
   },
-  "gitHead": "eee7c229e99cc764a20be2ce0347d6895766a8a0"
+  "gitHead": "545f4b619e4e872f3cb6645aa95a0c22c06b58d0"
 }