@ai-sdk/provider-utils 3.0.25 → 3.0.27

package/dist/index.js

@@ -38,6 +38,7 @@ __export(index_exports, {
   VERSION: () => VERSION,
   asSchema: () => asSchema,
   asValidator: () => asValidator,
+  cancelResponseBody: () => cancelResponseBody,
   combineHeaders: () => combineHeaders,
   convertAsyncIteratorToReadableStream: () => convertAsyncIteratorToReadableStream,
   convertBase64ToUint8Array: () => convertBase64ToUint8Array,
@@ -56,13 +57,16 @@ __export(index_exports, {
   dynamicTool: () => dynamicTool,
   executeTool: () => executeTool,
   extractResponseHeaders: () => extractResponseHeaders,
+  fetchWithValidatedRedirects: () => fetchWithValidatedRedirects,
   generateId: () => generateId,
   getErrorMessage: () => getErrorMessage,
   getFromApi: () => getFromApi,
   getRuntimeEnvironmentUserAgent: () => getRuntimeEnvironmentUserAgent,
   injectJsonInstructionIntoMessages: () => injectJsonInstructionIntoMessages,
   isAbortError: () => isAbortError,
+  isBrowserRuntime: () => isBrowserRuntime,
   isParsableJson: () => isParsableJson,
+  isSameOrigin: () => isSameOrigin,
   isUrlSupported: () => isUrlSupported,
   isValidator: () => isValidator,
   jsonSchema: () => jsonSchema,
@@ -251,6 +255,201 @@ var DownloadError = class extends (_b = import_provider.AISDKError, _a = symbol,
   }
 };
 
+// src/cancel-response-body.ts
+async function cancelResponseBody(response) {
+  var _a2;
+  try {
+    await ((_a2 = response.body) == null ? void 0 : _a2.cancel());
+  } catch (e) {
+  }
+}
+
+// src/is-browser-runtime.ts
+function isBrowserRuntime(globalThisAny = globalThis) {
+  return globalThisAny.window != null;
+}
+
+// src/validate-download-url.ts
+function validateDownloadUrl(url) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch (e) {
+    throw new DownloadError({
+      url,
+      message: `Invalid URL: ${url}`
+    });
+  }
+  if (parsed.protocol === "data:") {
+    return;
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new DownloadError({
+      url,
+      message: `URL scheme must be http, https, or data, got ${parsed.protocol}`
+    });
+  }
+  const hostname = parsed.hostname.toLowerCase().replace(/\.+$/, "");
+  if (!hostname) {
+    throw new DownloadError({
+      url,
+      message: `URL must have a hostname`
+    });
+  }
+  if (hostname === "localhost" || hostname.endsWith(".local") || hostname.endsWith(".localhost")) {
+    throw new DownloadError({
+      url,
+      message: `URL with hostname ${hostname} is not allowed`
+    });
+  }
+  if (hostname.startsWith("[") && hostname.endsWith("]")) {
+    const ipv6 = hostname.slice(1, -1);
+    if (isPrivateIPv6(ipv6)) {
+      throw new DownloadError({
+        url,
+        message: `URL with IPv6 address ${hostname} is not allowed`
+      });
+    }
+    return;
+  }
+  if (isIPv4(hostname)) {
+    if (isPrivateIPv4(hostname)) {
+      throw new DownloadError({
+        url,
+        message: `URL with IP address ${hostname} is not allowed`
+      });
+    }
+    return;
+  }
+}
+function isIPv4(hostname) {
+  const parts = hostname.split(".");
+  if (parts.length !== 4) return false;
+  return parts.every((part) => {
+    const num = Number(part);
+    return Number.isInteger(num) && num >= 0 && num <= 255 && String(num) === part;
+  });
+}
+function isPrivateIPv4(ip) {
+  const parts = ip.split(".").map(Number);
+  const [a, b, c] = parts;
+  if (a === 0) return true;
+  if (a === 10) return true;
+  if (a === 100 && b >= 64 && b <= 127) return true;
+  if (a === 127) return true;
+  if (a === 169 && b === 254) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 0 && c === 0) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 198 && (b === 18 || b === 19)) return true;
+  if (a >= 240) return true;
+  return false;
+}
+function parseIPv6(ip) {
+  let address = ip.toLowerCase();
+  const zoneIndex = address.indexOf("%");
+  if (zoneIndex !== -1) {
+    address = address.slice(0, zoneIndex);
+  }
+  const halves = address.split("::");
+  if (halves.length > 2) return null;
+  const toGroups = (segment) => {
+    if (segment === "") return [];
+    const groups = [];
+    const parts = segment.split(":");
+    for (let i = 0; i < parts.length; i++) {
+      const part = parts[i];
+      if (part.includes(".")) {
+        if (i !== parts.length - 1 || !isIPv4(part)) return null;
+        const [a, b, c, d] = part.split(".").map(Number);
+        groups.push(a << 8 | b, c << 8 | d);
+        continue;
+      }
+      if (!/^[0-9a-f]{1,4}$/.test(part)) return null;
+      groups.push(parseInt(part, 16));
+    }
+    return groups;
+  };
+  const head = toGroups(halves[0]);
+  if (head === null) return null;
+  if (halves.length === 2) {
+    const tail = toGroups(halves[1]);
+    if (tail === null) return null;
+    const fill = 8 - head.length - tail.length;
+    if (fill < 0) return null;
+    return [...head, ...new Array(fill).fill(0), ...tail];
+  }
+  return head.length === 8 ? head : null;
+}
+function isPrivateIPv6(ip) {
+  const groups = parseIPv6(ip);
+  if (groups === null) return true;
+  const topZero = (count) => groups.slice(0, count).every((group) => group === 0);
+  if (topZero(7) && (groups[7] === 0 || groups[7] === 1)) return true;
+  if ((groups[0] & 65024) === 64512) return true;
+  if ((groups[0] & 65472) === 65152) return true;
+  if ((groups[0] & 65472) === 65216) return true;
+  if ((groups[0] & 65280) === 65280) return true;
+  const embedsIPv4 = (
+    // ::/96 — IPv4-compatible (deprecated)
+    topZero(6) || // ::ffff:0:0/96 — IPv4-mapped (ffff in group 5)
+    topZero(5) && groups[5] === 65535 || // ::ffff:0:0/96 — IPv4-translated form (ffff in group 4, group 5 zero)
+    topZero(4) && groups[4] === 65535 && groups[5] === 0 || // 64:ff9b::/96 — NAT64 well-known prefix
+    groups[0] === 100 && groups[1] === 65435 && groups[2] === 0 && groups[3] === 0 && groups[4] === 0 && groups[5] === 0 || // 64:ff9b:1::/48 — NAT64 local-use prefix
+    groups[0] === 100 && groups[1] === 65435 && groups[2] === 1
+  );
+  if (embedsIPv4) {
+    const a = groups[6] >> 8 & 255;
+    const b = groups[6] & 255;
+    const c = groups[7] >> 8 & 255;
+    const d = groups[7] & 255;
+    return isPrivateIPv4(`${a}.${b}.${c}.${d}`);
+  }
+  return false;
+}
+
+// src/fetch-with-validated-redirects.ts
+var MAX_DOWNLOAD_REDIRECTS = 10;
+async function fetchWithValidatedRedirects({
+  url,
+  headers,
+  abortSignal,
+  maxRedirects = MAX_DOWNLOAD_REDIRECTS
+}) {
+  const baseInit = { signal: abortSignal };
+  if (headers !== void 0) {
+    baseInit.headers = headers;
+  }
+  let currentUrl = url;
+  for (let redirectCount = 0; redirectCount <= maxRedirects; redirectCount++) {
+    validateDownloadUrl(currentUrl);
+    const response = await fetch(currentUrl, {
+      ...baseInit,
+      redirect: "manual"
+    });
+    if (response.type === "opaqueredirect") {
+      if (!isBrowserRuntime()) {
+        throw new DownloadError({
+          url,
+          message: `Redirect from ${currentUrl} could not be validated and was blocked`
+        });
+      }
+      return await fetch(currentUrl, { ...baseInit, redirect: "follow" });
+    }
+    const location = response.headers.get("location");
+    if (response.status >= 300 && response.status < 400 && location) {
+      await cancelResponseBody(response);
+      currentUrl = new URL(location, currentUrl).toString();
+      continue;
+    }
+    return response;
+  }
+  throw new DownloadError({
+    url,
+    message: `Too many redirects (max ${maxRedirects})`
+  });
+}
+
 // src/read-response-with-size-limit.ts
 var DEFAULT_MAX_DOWNLOAD_SIZE = 2 * 1024 * 1024 * 1024;
 async function readResponseWithSizeLimit({
@@ -262,6 +461,7 @@ async function readResponseWithSizeLimit({
   if (contentLength != null) {
     const length = parseInt(contentLength, 10);
     if (!isNaN(length) && length > maxBytes) {
+      await cancelResponseBody(response);
       throw new DownloadError({
         url,
         message: `Download of ${url} exceeded maximum size of ${maxBytes} bytes (Content-Length: ${length}).`
@@ -440,7 +640,7 @@ function withUserAgentSuffix(headers, ...userAgentSuffixParts) {
 }
 
 // src/version.ts
-var VERSION = true ? "3.0.25" : "0.0.0-test";
+var VERSION = true ? "3.0.27" : "0.0.0-test";
 
 // src/get-from-api.ts
 var getOriginalFetch = () => globalThis.fetch;
@@ -450,10 +650,10 @@ var getFromApi = async ({
   successfulResponseHandler,
   failedResponseHandler,
   abortSignal,
-  fetch = getOriginalFetch()
+  fetch: fetch2 = getOriginalFetch()
 }) => {
   try {
-    const response = await fetch(url, {
+    const response = await fetch2(url, {
       method: "GET",
       headers: withUserAgentSuffix(
         headers,
@@ -551,6 +751,15 @@ function injectJsonInstructionIntoMessages({
   ];
 }
 
+// src/is-same-origin.ts
+function isSameOrigin(url, baseUrl) {
+  try {
+    return new URL(url).origin === new URL(baseUrl).origin;
+  } catch (e) {
+    return false;
+  }
+}
+
 // src/is-url-supported.ts
 function isUrlSupported({
   mediaType,
@@ -890,7 +1099,7 @@ var postJsonToApi = async ({
   failedResponseHandler,
   successfulResponseHandler,
   abortSignal,
-  fetch
+  fetch: fetch2
 }) => postToApi({
   url,
   headers: {
@@ -904,7 +1113,7 @@ var postJsonToApi = async ({
   failedResponseHandler,
   successfulResponseHandler,
   abortSignal,
-  fetch
+  fetch: fetch2
 });
 var postFormDataToApi = async ({
   url,
@@ -913,7 +1122,7 @@ var postFormDataToApi = async ({
   failedResponseHandler,
   successfulResponseHandler,
   abortSignal,
-  fetch
+  fetch: fetch2
 }) => postToApi({
   url,
   headers,
@@ -924,7 +1133,7 @@ var postFormDataToApi = async ({
   failedResponseHandler,
   successfulResponseHandler,
   abortSignal,
-  fetch
+  fetch: fetch2
 });
 var postToApi = async ({
   url,
@@ -933,10 +1142,10 @@ var postToApi = async ({
   successfulResponseHandler,
   failedResponseHandler,
   abortSignal,
-  fetch = getOriginalFetch2()
+  fetch: fetch2 = getOriginalFetch2()
 }) => {
   try {
-    const response = await fetch(url, {
+    const response = await fetch2(url, {
       method: "POST",
       headers: withUserAgentSuffix(
         headers,
@@ -2558,105 +2767,6 @@ function convertToBase64(value) {
   return value instanceof Uint8Array ? convertUint8ArrayToBase64(value) : value;
 }
 
-// src/validate-download-url.ts
-function validateDownloadUrl(url) {
-  let parsed;
-  try {
-    parsed = new URL(url);
-  } catch (e) {
-    throw new DownloadError({
-      url,
-      message: `Invalid URL: ${url}`
-    });
-  }
-  if (parsed.protocol === "data:") {
-    return;
-  }
-  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-    throw new DownloadError({
-      url,
-      message: `URL scheme must be http, https, or data, got ${parsed.protocol}`
-    });
-  }
-  const hostname = parsed.hostname;
-  if (!hostname) {
-    throw new DownloadError({
-      url,
-      message: `URL must have a hostname`
-    });
-  }
-  if (hostname === "localhost" || hostname.endsWith(".local") || hostname.endsWith(".localhost")) {
-    throw new DownloadError({
-      url,
-      message: `URL with hostname ${hostname} is not allowed`
-    });
-  }
-  if (hostname.startsWith("[") && hostname.endsWith("]")) {
-    const ipv6 = hostname.slice(1, -1);
-    if (isPrivateIPv6(ipv6)) {
-      throw new DownloadError({
-        url,
-        message: `URL with IPv6 address ${hostname} is not allowed`
-      });
-    }
-    return;
-  }
-  if (isIPv4(hostname)) {
-    if (isPrivateIPv4(hostname)) {
-      throw new DownloadError({
-        url,
-        message: `URL with IP address ${hostname} is not allowed`
-      });
-    }
-    return;
-  }
-}
-function isIPv4(hostname) {
-  const parts = hostname.split(".");
-  if (parts.length !== 4) return false;
-  return parts.every((part) => {
-    const num = Number(part);
-    return Number.isInteger(num) && num >= 0 && num <= 255 && String(num) === part;
-  });
-}
-function isPrivateIPv4(ip) {
-  const parts = ip.split(".").map(Number);
-  const [a, b] = parts;
-  if (a === 0) return true;
-  if (a === 10) return true;
-  if (a === 127) return true;
-  if (a === 169 && b === 254) return true;
-  if (a === 172 && b >= 16 && b <= 31) return true;
-  if (a === 192 && b === 168) return true;
-  return false;
-}
-function isPrivateIPv6(ip) {
-  const normalized = ip.toLowerCase();
-  if (normalized === "::1") return true;
-  if (normalized === "::") return true;
-  if (normalized.startsWith("::ffff:")) {
-    const mappedPart = normalized.slice(7);
-    if (isIPv4(mappedPart)) {
-      return isPrivateIPv4(mappedPart);
-    }
-    const hexParts = mappedPart.split(":");
-    if (hexParts.length === 2) {
-      const high = parseInt(hexParts[0], 16);
-      const low = parseInt(hexParts[1], 16);
-      if (!isNaN(high) && !isNaN(low)) {
-        const a = high >> 8 & 255;
-        const b = high & 255;
-        const c = low >> 8 & 255;
-        const d = low & 255;
-        return isPrivateIPv4(`${a}.${b}.${c}.${d}`);
-      }
-    }
-  }
-  if (normalized.startsWith("fc") || normalized.startsWith("fd")) return true;
-  if (normalized.startsWith("fe80")) return true;
-  return false;
-}
-
 // src/without-trailing-slash.ts
 function withoutTrailingSlash(url) {
   return url == null ? void 0 : url.replace(/\/$/, "");
@@ -2698,6 +2808,7 @@ var import_stream2 = require("eventsource-parser/stream");
   VERSION,
   asSchema,
   asValidator,
+  cancelResponseBody,
   combineHeaders,
   convertAsyncIteratorToReadableStream,
   convertBase64ToUint8Array,
@@ -2716,13 +2827,16 @@ var import_stream2 = require("eventsource-parser/stream");
   dynamicTool,
   executeTool,
   extractResponseHeaders,
+  fetchWithValidatedRedirects,
   generateId,
   getErrorMessage,
   getFromApi,
   getRuntimeEnvironmentUserAgent,
   injectJsonInstructionIntoMessages,
   isAbortError,
+  isBrowserRuntime,
   isParsableJson,
+  isSameOrigin,
   isUrlSupported,
   isValidator,
   jsonSchema,