@ai-sdk/provider-utils 3.0.21 → 3.0.23

package/CHANGELOG.md

@@ -1,12 +1,25 @@
 # @ai-sdk/provider-utils
 
+## 3.0.23
+
+### Patch Changes
+
+- a27a978: fix: allow inline data URLs in download validation
+
+## 3.0.22
+
+### Patch Changes
+
+- 6a2f01b: Add URL validation to `download` to prevent blind SSRF attacks. Private/internal IP addresses, localhost, and non-HTTP protocols are now rejected before fetching.
+- 17d64e3: fix(provider-utils): prevent unicode escape bypass in secureJsonParse
+
 ## 3.0.21
 
 ### Patch Changes
 
 - 20565b8: security: prevent unbounded memory growth in download functions
 
-  The `download()` and `downloadBlob()` functions now enforce a default 2 GiB size limit when downloading from user-provided URLs. Downloads that exceed this limit are aborted with a `DownloadError` instead of consuming unbounded memory and crashing the process. The `abortSignal` parameter is now passed through to `fetch()` in all download call sites.
+  The `download()` function now enforces a default 2 GiB size limit when downloading from user-provided URLs. Downloads that exceed this limit are aborted with a `DownloadError` instead of consuming unbounded memory and crashing the process. The `abortSignal` parameter is now passed through to `fetch()` in all download call sites.
 
   Added `download` option to `transcribe()` and `experimental_generateVideo()` for providing a custom download function. Use the new `createDownload({ maxBytes })` factory to configure download size limits.
 

package/dist/index.d.mts

@@ -872,6 +872,15 @@ declare function convertBase64ToUint8Array(base64String: string): Uint8Array<Arr
 declare function convertUint8ArrayToBase64(array: Uint8Array): string;
 declare function convertToBase64(value: string | Uint8Array): string;
 
+/**
+ * Validates that a URL is safe to download from, blocking private/internal addresses
+ * to prevent SSRF attacks.
+ *
+ * @param url - The URL string to validate.
+ * @throws DownloadError if the URL is unsafe.
+ */
+declare function validateDownloadUrl(url: string): void;
+
 /**
  * Validates the types of an unknown object using a schema and
  * return a strongly-typed object.
@@ -1004,4 +1013,4 @@ interface ToolResult<NAME extends string, INPUT, OUTPUT> {
     dynamic?: boolean;
 }
 
-export { type AssistantContent, type AssistantModelMessage, DEFAULT_MAX_DOWNLOAD_SIZE, type DataContent, DelayedPromise, DownloadError, type FetchFunction, type FilePart, type FlexibleSchema, type FlexibleValidator, type IdGenerator, type ImagePart, type InferSchema, type InferToolInput, type InferToolOutput, type InferValidator, type LazySchema, type LazyValidator, type ModelMessage, type ParseResult, type ProviderDefinedToolFactory, type ProviderDefinedToolFactoryWithOutputSchema, type ProviderOptions, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type SystemModelMessage, type TextPart, type Tool, type ToolCall, type ToolCallOptions, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolModelMessage, type ToolResult, type ToolResultPart, type UserContent, type UserModelMessage, VERSION, type ValidationResult, type Validator, asSchema, asValidator, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertToBase64, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createJsonStreamResponseHandler, createProviderDefinedToolFactory, createProviderDefinedToolFactoryWithOutputSchema, createStatusCodeErrorResponseHandler, delay, dynamicTool, executeTool, extractResponseHeaders, generateId, getErrorMessage, getFromApi, getRuntimeEnvironmentUserAgent, injectJsonInstructionIntoMessages, isAbortError, isParsableJson, isUrlSupported, isValidator, jsonSchema, lazySchema, lazyValidator, loadApiKey, loadOptionalSetting, loadSetting, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, readResponseWithSizeLimit, removeUndefinedEntries, resolve, safeParseJSON, safeValidateTypes, standardSchemaValidator, tool, validateTypes, validator, withUserAgentSuffix, withoutTrailingSlash, zodSchema };
+export { type AssistantContent, type AssistantModelMessage, DEFAULT_MAX_DOWNLOAD_SIZE, type DataContent, DelayedPromise, DownloadError, type FetchFunction, type FilePart, type FlexibleSchema, type FlexibleValidator, type IdGenerator, type ImagePart, type InferSchema, type InferToolInput, type InferToolOutput, type InferValidator, type LazySchema, type LazyValidator, type ModelMessage, type ParseResult, type ProviderDefinedToolFactory, type ProviderDefinedToolFactoryWithOutputSchema, type ProviderOptions, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type SystemModelMessage, type TextPart, type Tool, type ToolCall, type ToolCallOptions, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolModelMessage, type ToolResult, type ToolResultPart, type UserContent, type UserModelMessage, VERSION, type ValidationResult, type Validator, asSchema, asValidator, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertToBase64, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createJsonStreamResponseHandler, createProviderDefinedToolFactory, createProviderDefinedToolFactoryWithOutputSchema, createStatusCodeErrorResponseHandler, delay, dynamicTool, executeTool, extractResponseHeaders, generateId, getErrorMessage, getFromApi, getRuntimeEnvironmentUserAgent, injectJsonInstructionIntoMessages, isAbortError, isParsableJson, isUrlSupported, isValidator, jsonSchema, lazySchema, lazyValidator, loadApiKey, loadOptionalSetting, loadSetting, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, readResponseWithSizeLimit, removeUndefinedEntries, resolve, safeParseJSON, safeValidateTypes, standardSchemaValidator, tool, validateDownloadUrl, validateTypes, validator, withUserAgentSuffix, withoutTrailingSlash, zodSchema };

package/dist/index.d.ts

@@ -872,6 +872,15 @@ declare function convertBase64ToUint8Array(base64String: string): Uint8Array<Arr
 declare function convertUint8ArrayToBase64(array: Uint8Array): string;
 declare function convertToBase64(value: string | Uint8Array): string;
 
+/**
+ * Validates that a URL is safe to download from, blocking private/internal addresses
+ * to prevent SSRF attacks.
+ *
+ * @param url - The URL string to validate.
+ * @throws DownloadError if the URL is unsafe.
+ */
+declare function validateDownloadUrl(url: string): void;
+
 /**
  * Validates the types of an unknown object using a schema and
  * return a strongly-typed object.
@@ -1004,4 +1013,4 @@ interface ToolResult<NAME extends string, INPUT, OUTPUT> {
     dynamic?: boolean;
 }
 
-export { type AssistantContent, type AssistantModelMessage, DEFAULT_MAX_DOWNLOAD_SIZE, type DataContent, DelayedPromise, DownloadError, type FetchFunction, type FilePart, type FlexibleSchema, type FlexibleValidator, type IdGenerator, type ImagePart, type InferSchema, type InferToolInput, type InferToolOutput, type InferValidator, type LazySchema, type LazyValidator, type ModelMessage, type ParseResult, type ProviderDefinedToolFactory, type ProviderDefinedToolFactoryWithOutputSchema, type ProviderOptions, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type SystemModelMessage, type TextPart, type Tool, type ToolCall, type ToolCallOptions, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolModelMessage, type ToolResult, type ToolResultPart, type UserContent, type UserModelMessage, VERSION, type ValidationResult, type Validator, asSchema, asValidator, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertToBase64, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createJsonStreamResponseHandler, createProviderDefinedToolFactory, createProviderDefinedToolFactoryWithOutputSchema, createStatusCodeErrorResponseHandler, delay, dynamicTool, executeTool, extractResponseHeaders, generateId, getErrorMessage, getFromApi, getRuntimeEnvironmentUserAgent, injectJsonInstructionIntoMessages, isAbortError, isParsableJson, isUrlSupported, isValidator, jsonSchema, lazySchema, lazyValidator, loadApiKey, loadOptionalSetting, loadSetting, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, readResponseWithSizeLimit, removeUndefinedEntries, resolve, safeParseJSON, safeValidateTypes, standardSchemaValidator, tool, validateTypes, validator, withUserAgentSuffix, withoutTrailingSlash, zodSchema };
+export { type AssistantContent, type AssistantModelMessage, DEFAULT_MAX_DOWNLOAD_SIZE, type DataContent, DelayedPromise, DownloadError, type FetchFunction, type FilePart, type FlexibleSchema, type FlexibleValidator, type IdGenerator, type ImagePart, type InferSchema, type InferToolInput, type InferToolOutput, type InferValidator, type LazySchema, type LazyValidator, type ModelMessage, type ParseResult, type ProviderDefinedToolFactory, type ProviderDefinedToolFactoryWithOutputSchema, type ProviderOptions, type ReasoningPart, type Resolvable, type ResponseHandler, type Schema, type SystemModelMessage, type TextPart, type Tool, type ToolCall, type ToolCallOptions, type ToolCallPart, type ToolContent, type ToolExecuteFunction, type ToolModelMessage, type ToolResult, type ToolResultPart, type UserContent, type UserModelMessage, VERSION, type ValidationResult, type Validator, asSchema, asValidator, combineHeaders, convertAsyncIteratorToReadableStream, convertBase64ToUint8Array, convertToBase64, convertUint8ArrayToBase64, createBinaryResponseHandler, createEventSourceResponseHandler, createIdGenerator, createJsonErrorResponseHandler, createJsonResponseHandler, createJsonStreamResponseHandler, createProviderDefinedToolFactory, createProviderDefinedToolFactoryWithOutputSchema, createStatusCodeErrorResponseHandler, delay, dynamicTool, executeTool, extractResponseHeaders, generateId, getErrorMessage, getFromApi, getRuntimeEnvironmentUserAgent, injectJsonInstructionIntoMessages, isAbortError, isParsableJson, isUrlSupported, isValidator, jsonSchema, lazySchema, lazyValidator, loadApiKey, loadOptionalSetting, loadSetting, mediaTypeToExtension, normalizeHeaders, parseJSON, parseJsonEventStream, parseProviderOptions, postFormDataToApi, postJsonToApi, postToApi, readResponseWithSizeLimit, removeUndefinedEntries, resolve, safeParseJSON, safeValidateTypes, standardSchemaValidator, tool, validateDownloadUrl, validateTypes, validator, withUserAgentSuffix, withoutTrailingSlash, zodSchema };

package/dist/index.js

@@ -29,8 +29,8 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
-var src_exports = {};
-__export(src_exports, {
+var index_exports = {};
+__export(index_exports, {
   DEFAULT_MAX_DOWNLOAD_SIZE: () => DEFAULT_MAX_DOWNLOAD_SIZE,
   DelayedPromise: () => DelayedPromise,
   DownloadError: () => DownloadError,
@@ -86,13 +86,14 @@ __export(src_exports, {
   safeValidateTypes: () => safeValidateTypes,
   standardSchemaValidator: () => standardSchemaValidator,
   tool: () => tool,
+  validateDownloadUrl: () => validateDownloadUrl,
   validateTypes: () => validateTypes,
   validator: () => validator,
   withUserAgentSuffix: () => withUserAgentSuffix,
   withoutTrailingSlash: () => withoutTrailingSlash,
   zodSchema: () => zodSchema
 });
-module.exports = __toCommonJS(src_exports);
+module.exports = __toCommonJS(index_exports);
 
 // src/combine-headers.ts
 function combineHeaders(...headers) {
@@ -439,7 +440,7 @@ function withUserAgentSuffix(headers, ...userAgentSuffixParts) {
 }
 
 // src/version.ts
-var VERSION = true ? "3.0.21" : "0.0.0-test";
+var VERSION = true ? "3.0.23" : "0.0.0-test";
 
 // src/get-from-api.ts
 var getOriginalFetch = () => globalThis.fetch;
@@ -669,8 +670,8 @@ function mediaTypeToExtension(mediaType) {
 var import_provider9 = require("@ai-sdk/provider");
 
 // src/secure-json-parse.ts
-var suspectProtoRx = /"__proto__"\s*:/;
-var suspectConstructorRx = /"constructor"\s*:/;
+var suspectProtoRx = /"(?:_|\\u005[Ff])(?:_|\\u005[Ff])(?:p|\\u0070)(?:r|\\u0072)(?:o|\\u006[Ff])(?:t|\\u0074)(?:o|\\u006[Ff])(?:_|\\u005[Ff])(?:_|\\u005[Ff])"\s*:/;
+var suspectConstructorRx = /"(?:c|\\u0063)(?:o|\\u006[Ff])(?:n|\\u006[Ee])(?:s|\\u0073)(?:t|\\u0074)(?:r|\\u0072)(?:u|\\u0075)(?:c|\\u0063)(?:t|\\u0074)(?:o|\\u006[Ff])(?:r|\\u0072)"\s*:/;
 function _parse(text) {
   const obj = JSON.parse(text);
   if (obj === null || typeof obj !== "object") {
@@ -690,7 +691,7 @@ function filter(obj) {
       if (Object.prototype.hasOwnProperty.call(node, "__proto__")) {
         throw new SyntaxError("Object contains forbidden prototype property");
       }
-      if (Object.prototype.hasOwnProperty.call(node, "constructor") && Object.prototype.hasOwnProperty.call(node.constructor, "prototype")) {
+      if (Object.prototype.hasOwnProperty.call(node, "constructor") && node.constructor !== null && typeof node.constructor === "object" && Object.prototype.hasOwnProperty.call(node.constructor, "prototype")) {
         throw new SyntaxError("Object contains forbidden prototype property");
       }
       for (const key in node) {
@@ -722,7 +723,7 @@ var import_provider8 = require("@ai-sdk/provider");
 
 // src/validator.ts
 var import_provider7 = require("@ai-sdk/provider");
-var validatorSymbol = Symbol.for("vercel.ai.validator");
+var validatorSymbol = /* @__PURE__ */ Symbol.for("vercel.ai.validator");
 function validator(validate) {
   return { [validatorSymbol]: true, validate };
 }
@@ -1280,7 +1281,7 @@ var getRelativePath = (pathA, pathB) => {
 };
 
 // src/zod-to-json-schema/options.ts
-var ignoreOverride = Symbol(
+var ignoreOverride = /* @__PURE__ */ Symbol(
   "Let zodToJsonSchema decide on which parser to use"
 );
 var defaultOptions = {
@@ -2500,7 +2501,7 @@ function zodSchema(zodSchema2, options) {
 }
 
 // src/schema.ts
-var schemaSymbol = Symbol.for("vercel.ai.schema");
+var schemaSymbol = /* @__PURE__ */ Symbol.for("vercel.ai.schema");
 function lazySchema(createSchema) {
   let schema;
   return () => {
@@ -2555,6 +2556,105 @@ function convertToBase64(value) {
   return value instanceof Uint8Array ? convertUint8ArrayToBase64(value) : value;
 }
 
+// src/validate-download-url.ts
+function validateDownloadUrl(url) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch (e) {
+    throw new DownloadError({
+      url,
+      message: `Invalid URL: ${url}`
+    });
+  }
+  if (parsed.protocol === "data:") {
+    return;
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new DownloadError({
+      url,
+      message: `URL scheme must be http, https, or data, got ${parsed.protocol}`
+    });
+  }
+  const hostname = parsed.hostname;
+  if (!hostname) {
+    throw new DownloadError({
+      url,
+      message: `URL must have a hostname`
+    });
+  }
+  if (hostname === "localhost" || hostname.endsWith(".local") || hostname.endsWith(".localhost")) {
+    throw new DownloadError({
+      url,
+      message: `URL with hostname ${hostname} is not allowed`
+    });
+  }
+  if (hostname.startsWith("[") && hostname.endsWith("]")) {
+    const ipv6 = hostname.slice(1, -1);
+    if (isPrivateIPv6(ipv6)) {
+      throw new DownloadError({
+        url,
+        message: `URL with IPv6 address ${hostname} is not allowed`
+      });
+    }
+    return;
+  }
+  if (isIPv4(hostname)) {
+    if (isPrivateIPv4(hostname)) {
+      throw new DownloadError({
+        url,
+        message: `URL with IP address ${hostname} is not allowed`
+      });
+    }
+    return;
+  }
+}
+function isIPv4(hostname) {
+  const parts = hostname.split(".");
+  if (parts.length !== 4) return false;
+  return parts.every((part) => {
+    const num = Number(part);
+    return Number.isInteger(num) && num >= 0 && num <= 255 && String(num) === part;
+  });
+}
+function isPrivateIPv4(ip) {
+  const parts = ip.split(".").map(Number);
+  const [a, b] = parts;
+  if (a === 0) return true;
+  if (a === 10) return true;
+  if (a === 127) return true;
+  if (a === 169 && b === 254) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  return false;
+}
+function isPrivateIPv6(ip) {
+  const normalized = ip.toLowerCase();
+  if (normalized === "::1") return true;
+  if (normalized === "::") return true;
+  if (normalized.startsWith("::ffff:")) {
+    const mappedPart = normalized.slice(7);
+    if (isIPv4(mappedPart)) {
+      return isPrivateIPv4(mappedPart);
+    }
+    const hexParts = mappedPart.split(":");
+    if (hexParts.length === 2) {
+      const high = parseInt(hexParts[0], 16);
+      const low = parseInt(hexParts[1], 16);
+      if (!isNaN(high) && !isNaN(low)) {
+        const a = high >> 8 & 255;
+        const b = high & 255;
+        const c = low >> 8 & 255;
+        const d = low & 255;
+        return isPrivateIPv4(`${a}.${b}.${c}.${d}`);
+      }
+    }
+  }
+  if (normalized.startsWith("fc") || normalized.startsWith("fd")) return true;
+  if (normalized.startsWith("fe80")) return true;
+  return false;
+}
+
 // src/without-trailing-slash.ts
 function withoutTrailingSlash(url) {
   return url == null ? void 0 : url.replace(/\/$/, "");
@@ -2585,7 +2685,7 @@ async function* executeTool({
 }
 
 // src/index.ts
-__reExport(src_exports, require("@standard-schema/spec"), module.exports);
+__reExport(index_exports, require("@standard-schema/spec"), module.exports);
 var import_stream2 = require("eventsource-parser/stream");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
@@ -2644,6 +2744,7 @@ var import_stream2 = require("eventsource-parser/stream");
   safeValidateTypes,
   standardSchemaValidator,
   tool,
+  validateDownloadUrl,
   validateTypes,
   validator,
   withUserAgentSuffix,