@ai-sdk/provider-utils 5.0.0-beta.0 → 5.0.0-beta.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +8 -0
- package/dist/index.js +4 -1
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +4 -1
- package/dist/index.mjs.map +1 -1
- package/package.json +1 -1
- package/src/download-blob.ts +5 -0
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
# @ai-sdk/provider-utils
|
|
2
2
|
|
|
3
|
+
## 5.0.0-beta.1
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- 531251e: fix(security): validate redirect targets in download functions to prevent SSRF bypass
|
|
8
|
+
|
|
9
|
+
Both `downloadBlob` and `download` now validate the final URL after following HTTP redirects, preventing attackers from bypassing SSRF protections via open redirects to internal/private addresses.
|
|
10
|
+
|
|
3
11
|
## 5.0.0-beta.0
|
|
4
12
|
|
|
5
13
|
### Major Changes
|
package/dist/index.js
CHANGED
|
@@ -488,6 +488,9 @@ async function downloadBlob(url, options) {
|
|
|
488
488
|
const response = await fetch(url, {
|
|
489
489
|
signal: options == null ? void 0 : options.abortSignal
|
|
490
490
|
});
|
|
491
|
+
if (response.redirected) {
|
|
492
|
+
validateDownloadUrl(response.url);
|
|
493
|
+
}
|
|
491
494
|
if (!response.ok) {
|
|
492
495
|
throw new DownloadError({
|
|
493
496
|
url,
|
|
@@ -672,7 +675,7 @@ function withUserAgentSuffix(headers, ...userAgentSuffixParts) {
|
|
|
672
675
|
}
|
|
673
676
|
|
|
674
677
|
// src/version.ts
|
|
675
|
-
var VERSION = true ? "5.0.0-beta.
|
|
678
|
+
var VERSION = true ? "5.0.0-beta.1" : "0.0.0-test";
|
|
676
679
|
|
|
677
680
|
// src/get-from-api.ts
|
|
678
681
|
var getOriginalFetch = () => globalThis.fetch;
|