@actuate-media/cms-core 0.11.1 → 0.12.0

package/dist/security/webhook.js

@@ -1,37 +1,90 @@
-const PRIVATE_RANGES = [
-    /^10\./,
-    /^172\.(1[6-9]|2\d|3[01])\./,
-    /^192\.168\./,
-    /^127\./,
-    /^0\./,
-    /^169\.254\./,
-    /^::1$/,
-    /^fc00:/i,
-    /^fe80:/i,
-];
-/** Validate that a webhook URL does not target private/internal networks (SSRF prevention). */
+import { canonicalizeHostname, isPrivateAddress } from './ip-canon.js';
+/**
+ * Validate that a webhook URL does not target private/internal networks
+ * (string-level SSRF prevention).
+ *
+ * Catches every IP-literal encoding `getaddrinfo` accepts: decimal
+ * (`http://2130706433`), octal (`http://0177.0.0.1`), hex
+ * (`http://0x7f.0.0.1`), short-form (`http://127.1`), IPv4-mapped IPv6
+ * (`http://[::ffff:127.0.0.1]`), bracketed IPv6, and the reserved
+ * `100.64.0.0/10` carrier-grade NAT range that previously slipped through.
+ *
+ * **Important caveat:** this only validates the URL **as written**. A hostname
+ * like `attacker-controlled.tld` that resolves to a public IP at validation
+ * time and to `127.0.0.1` at fetch time (DNS rebinding) still bypasses this
+ * check — `safeFetch` calls `resolveAndCheck()` on top to defend against that.
+ */
 export function validateWebhookUrl(url) {
+    let parsed;
     try {
-        const parsed = new URL(url);
-        if (!['https:', 'http:'].includes(parsed.protocol)) {
-            return { valid: false, error: 'Only HTTP(S) protocols are allowed' };
-        }
-        if (parsed.hostname === 'localhost' || parsed.hostname === '0.0.0.0') {
-            return { valid: false, error: 'Localhost URLs are not allowed' };
-        }
-        for (const range of PRIVATE_RANGES) {
-            if (range.test(parsed.hostname)) {
-                return { valid: false, error: 'Private/internal IP addresses are not allowed' };
-            }
-        }
-        return { valid: true };
+        parsed = new URL(url);
     }
     catch {
         return { valid: false, error: 'Invalid URL' };
     }
+    if (!['https:', 'http:'].includes(parsed.protocol)) {
+        return { valid: false, error: 'Only HTTP(S) protocols are allowed' };
+    }
+    // Special-case the well-known names — they're DNS hostnames so the
+    // canonicalizer can't catch them via numeric ranges.
+    const lowerHost = parsed.hostname.toLowerCase();
+    if (lowerHost === 'localhost' || lowerHost === 'ip6-localhost' || lowerHost === 'ip6-loopback') {
+        return { valid: false, error: 'Localhost hostnames are not allowed' };
+    }
+    // metadata.google.internal and AWS' internal DNS shadow real metadata IPs
+    // we already block — but the hostname can be redirected via /etc/hosts in
+    // self-hosted contexts, so block it explicitly.
+    if (lowerHost === 'metadata.google.internal' || lowerHost.endsWith('.internal')) {
+        return { valid: false, error: 'Cloud metadata hostnames are not allowed' };
+    }
+    const canonical = canonicalizeHostname(parsed.hostname);
+    if (!canonical.isHostname) {
+        // Three sub-cases for `!isHostname`:
+        //   1. Valid IP literal that's private  → reject with the range reason.
+        //   2. Valid IP literal that's public   → allow (fall through).
+        //   3. Malformed IP literal (e.g. `::1::1`, IPv6 with garbage) →
+        //      `isValidIp` is false. Fail closed: the URL was clearly not a
+        //      DNS hostname, so a `getaddrinfo` will reject it too — but
+        //      worse, on some platforms it may resolve to *something*. Reject
+        //      here rather than risk that ambiguity.
+        if (!canonical.isValidIp) {
+            return {
+                valid: false,
+                error: `Malformed IP literal in URL hostname: ${parsed.hostname}`,
+            };
+        }
+        const denied = isPrivateAddress(canonical);
+        if (denied) {
+            return {
+                valid: false,
+                error: `Private/internal IP address rejected: ${denied.reason}`,
+            };
+        }
+    }
+    return { valid: true };
 }
-/** Resolve a hostname and verify the resulting IP isn't in a private range. */
+/**
+ * Resolve a hostname's A/AAAA records and verify none of them land in a
+ * private range. Pair with `validateWebhookUrl` to defend against DNS
+ * rebinding — see `safeFetch`.
+ */
 export async function resolveAndCheck(hostname) {
+    // If the hostname is already an IP literal, skip DNS and check directly.
+    const directCanonical = canonicalizeHostname(hostname);
+    if (!directCanonical.isHostname) {
+        // Malformed IP literal — treat as unsafe. Without this, a bad IPv6
+        // string (e.g. `::1::garbage`) would slip through the SSRF gate
+        // because `isPrivateAddress` legitimately returns null when there's
+        // no parsed IP to check.
+        if (!directCanonical.isValidIp) {
+            return { safe: false, resolvedIp: hostname, error: 'malformed IP literal' };
+        }
+        const denied = isPrivateAddress(directCanonical);
+        if (denied) {
+            return { safe: false, resolvedIp: hostname, error: denied.reason };
+        }
+        return { safe: true, resolvedIp: hostname };
+    }
     const { resolve4, resolve6 } = await import('node:dns/promises');
     const ips = [];
     try {
@@ -51,11 +104,28 @@ export async function resolveAndCheck(hostname) {
     if (ips.length === 0) {
         return { safe: false, error: `DNS resolution failed for ${hostname}` };
     }
+    // Check EVERY resolved IP, not just the first — a multi-A-record response
+    // could mix public + private IPs and we must reject if any single one is
+    // private to defeat round-robin DNS rebinding.
     for (const ip of ips) {
-        for (const range of PRIVATE_RANGES) {
-            if (range.test(ip)) {
-                return { safe: false, resolvedIp: ip, error: `Resolved IP ${ip} is in a private range` };
-            }
+        const c = canonicalizeHostname(ip);
+        // DNS resolvers return canonical IP literals, so `isValidIp` should be
+        // true. If a resolver ever returns something we can't parse, treat it
+        // as unsafe rather than trusting it.
+        if (!c.isValidIp) {
+            return {
+                safe: false,
+                resolvedIp: ip,
+                error: `Unparseable IP returned from DNS for ${hostname}: ${ip}`,
+            };
+        }
+        const denied = isPrivateAddress(c);
+        if (denied) {
+            return {
+                safe: false,
+                resolvedIp: ip,
+                error: `Resolved IP ${ip} is in a private range: ${denied.reason}`,
+            };
         }
     }
     return { safe: true, resolvedIp: ips[0] };

package/dist/security/webhook.js.map

@@ -1 +1 @@
-{"version":3,"file":"webhook.js","sourceRoot":"","sources":["../../src/security/webhook.ts"],"names":[],"mappings":"AAAA,MAAM,cAAc,GAAG;IACrB,OAAO;IACP,4BAA4B;IAC5B,aAAa;IACb,QAAQ;IACR,MAAM;IACN,aAAa;IACb,OAAO;IACP,SAAS;IACT,SAAS;CACV,CAAA;AAED,+FAA+F;AAC/F,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;QAE3B,IAAI,CAAC,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAA;QACtE,CAAC;QAED,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACrE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAA;QAClE,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,+CAA+C,EAAE,CAAA;YACjF,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAA;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,CAAA;IAC/C,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAAgB;IAEhB,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAA;IAEhE,MAAM,GAAG,GAAa,EAAE,CAAA;IACxB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAA;QACnC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAA;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB;IACpB,CAAC;IACD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAA;QACnC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAA;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,qBAAqB;IACvB,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,QAAQ,EAAE,EAAE,CAAA;IACxE,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;gBACnB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,eAAe,EAAE,wBAAwB,EAAE,CAAA;YAC1F,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAA;AAC3C,CAAC"}
+{"version":3,"file":"webhook.js","sourceRoot":"","sources":["../../src/security/webhook.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AAEtE;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,MAAW,CAAA;IACf,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,CAAA;IAC/C,CAAC;IAED,IAAI,CAAC,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAA;IACtE,CAAC;IAED,mEAAmE;IACnE,qDAAqD;IACrD,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAA;IAC/C,IAAI,SAAS,KAAK,WAAW,IAAI,SAAS,KAAK,eAAe,IAAI,SAAS,KAAK,cAAc,EAAE,CAAC;QAC/F,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,qCAAqC,EAAE,CAAA;IACvE,CAAC;IACD,0EAA0E;IAC1E,0EAA0E;IAC1E,gDAAgD;IAChD,IAAI,SAAS,KAAK,0BAA0B,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QAChF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,0CAA0C,EAAE,CAAA;IAC5E,CAAC;IAED,MAAM,SAAS,GAAG,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IACvD,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;QAC1B,qCAAqC;QACrC,wEAAwE;QACxE,gEAAgE;QAChE,iEAAiE;QACjE,oEAAoE;QACpE,iEAAiE;QACjE,sEAAsE;QACtE,6CAA6C;QAC7C,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YACzB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,yCAAyC,MAAM,CAAC,QAAQ,EAAE;aAClE,CAAA;QACH,CAAC;QACD,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAA;QAC1C,IAAI,MAAM,EAAE,CAAC;YACX,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,yCAAyC,MAAM,CAAC,MAAM,EAAE;aAChE,CAAA;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAA;AACxB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAAgB;IAEhB,yEAAyE;IACzE,MAAM,eAAe,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAA;IACtD,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,CAAC;QAChC,mEAAmE;QACnE,gEAAgE;QAChE,oEAAoE;QACpE,yBAAyB;QACzB,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,CAAC;YAC/B,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAA;QAC7E,CAAC;QACD,MAAM,MAAM,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAA;QAChD,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,CAAA;QACpE,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAA;IAC7C,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAA;IAEhE,MAAM,GAAG,GAAa,EAAE,CAAA;IACxB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAA;QACnC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAA;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB;IACpB,CAAC;IACD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAA;QACnC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAA;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,qBAAqB;IACvB,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,QAAQ,EAAE,EAAE,CAAA;IACxE,CAAC;IAED,0EAA0E;IAC1E,yEAAyE;IACzE,+CAA+C;IAC/C,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,MAAM,CAAC,GAAG,oBAAoB,CAAC,EAAE,CAAC,CAAA;QAClC,uEAAuE;QACvE,sEAAsE;QACtE,qCAAqC;QACrC,IAAI,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;YACjB,OAAO;gBACL,IAAI,EAAE,KAAK;gBACX,UAAU,EAAE,EAAE;gBACd,KAAK,EAAE,wCAAwC,QAAQ,KAAK,EAAE,EAAE;aACjE,CAAA;QACH,CAAC;QACD,MAAM,MAAM,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAA;QAClC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO;gBACL,IAAI,EAAE,KAAK;gBACX,UAAU,EAAE,EAAE;gBACd,KAAK,EAAE,eAAe,EAAE,2BAA2B,MAAM,CAAC,MAAM,EAAE;aACnE,CAAA;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAA;AAC3C,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@actuate-media/cms-core",
-  "version": "0.11.1",
+  "version": "0.12.0",
   "repository": {
     "type": "git",
     "url": "https://github.com/actuate-media/actuatecms.git",