@cleandns/whois-rdap 1.0.52 → 1.0.55

package/src/index.ts

@@ -1,3 +1,6 @@
+// Polyfills for Node.js 18 compatibility
+import "./polyfills.js";
+
 import { WhoisOptions, WhoisResponse, WhoisTimestampFields } from "../whois.js";
 import { parseIpResponse } from "./ip.js";
 import { determinePort43Domain, port43 } from "./port43.js";
@@ -5,10 +8,19 @@ import { findInObject } from "./utils/findInObject.js";
 import { fixArrays } from "./utils/fixArrays.js";
 import { ianaIdToRegistrar } from "./utils/ianaIdToRegistrar.js";
 import { tldToRdap } from "./utils/tldToRdap.js";
-import { normalizeWhoisStatus } from "./whoisStatus.js";
 import { resolve4 } from "dns/promises";
-
-const eventMap = new Map<string, WhoisTimestampFields>([
+import { toArray } from "./utils/toArray.js";
+import { validateDomain } from "./utils/validateDomain.js";
+import { findStatus } from "./utils/findStatus.js";
+import { findNameservers } from "./utils/findNameservers.js";
+import { findTimestamps } from "./utils/findTimestamps.js";
+import createDebug from "debug";
+import { escapeRegex } from "./utils/escapeRegex.js";
+
+// Debug logger - enable with DEBUG=whois:* environment variable
+const debug = createDebug("whois:rdap");
+
+export const eventMap = new Map<string, WhoisTimestampFields>([
   ["registration", "created"],
   ["last changed", "updated"],
   ["expiration", "expires"],
@@ -21,10 +33,27 @@ export async function whois(
 ): Promise<WhoisResponse> {
   const _fetch = options.fetch || fetch;
 
-  let domain = origDomain;
+  // Validate and sanitize input
+  let domain: string;
+  try {
+    domain = validateDomain(origDomain);
+  } catch (e: any) {
+    return {
+      found: false,
+      statusCode: 400,
+      error: e.message,
+      registrar: { id: 0, name: null },
+      reseller: null,
+      status: [],
+      statusDelta: [],
+      nameservers: [],
+      ts: { created: null, updated: null, expires: null },
+    };
+  }
+
   let url: string | null = null;
 
-  [domain, url] = await tldToRdap(origDomain);
+  [domain, url] = await tldToRdap(domain);
 
   const response: WhoisResponse = {
     found: false,
@@ -59,7 +88,6 @@ export async function whois(
   thinResponse = await _fetch(thinRdap)
     .then((r) => {
       response.statusCode = r.status;
-      // console.log({ ok: r.ok, status: r.status, statusText: r.statusText });
       if (r.status >= 200 && r.status < 400) {
         return r.json() as any;
       }
@@ -67,7 +95,7 @@ export async function whois(
       return null;
     })
     .catch((error: Error) => {
-      console.warn(`thin RDAP lookup failure: ${error.message}`);
+      debug("thin RDAP lookup failure for %s: %s", domain, error.message);
       return null;
     });
 
@@ -94,14 +122,14 @@ export async function whois(
   let thickResponse: any = null;
 
   if (!options.thinOnly && thickRdap) {
-    // console.log(`fetching thick RDAP: ${thickRdap}`);
+    debug("fetching thick RDAP: %s", thickRdap);
     thickResponse = await _fetch(thickRdap)
       .then((r) => r.json() as any)
       .catch(() => null);
     if (thickResponse && !thickResponse.errorCode && !thickResponse.error) {
     } else {
       thickResponse = null;
-      // console.warn(`thick RDAP failed for ${domain}`);
+      debug("thick RDAP failed for %s", domain);
     }
   }
 
@@ -113,10 +141,14 @@ export async function whois(
   const resellers: any[] = [];
 
   async function extractRegistrarsAndResellers(response: any, url: string, isThick?: boolean) {
-    for (const ent of [
-      ...(response.entities || []),
+    // Use toArray to safely handle entities that might not be iterable
+    const entities = toArray(response.entities);
+    const entityList = [
+      ...entities,
       response.entity ? { events: response.events, ...response.entity } : null,
-    ].filter(Boolean)) {
+    ].filter(Boolean);
+
+    for (const ent of entityList) {
       if (ent.roles?.includes("registrar") || ent.role === "registrar") {
         const pubIds: any[] = [];
         if (ent.publicIds) {
@@ -145,7 +177,6 @@ export async function whois(
           ;
 
         if (reg) {
-          // console.log(ent.vcardArray);
           const id = typeof reg === 'object' ? 0 : reg;
           const name =
             (parseInt(id) == id
@@ -157,8 +188,10 @@ export async function whois(
               (el: any[]) => el[3],
               reg
             );
+          // Safely handle ent.entities
+          const entEntities = toArray(ent.entities);
           const email =
-            [ent, ...(ent.entities || [])]
+            [ent, ...entEntities]
               .filter((e) => e?.vcardArray)
               .map((e) =>
                 findInObject(
@@ -171,7 +204,7 @@ export async function whois(
               .filter(Boolean)?.[0] || "";
 
           const abuseEmail =
-            [ent, ...(ent.entities || [])]
+            [ent, ...entEntities]
               .filter((e) => e?.vcardArray)
               .map((e) =>
                 findInObject(
@@ -187,10 +220,11 @@ export async function whois(
             ent.events || response.events || ent.enents || response.enents;
           registrars.push({ id, name, email, abuseEmail, events });
         }
-        // handles .ca
+        // handles .ca - with safe optional chaining
         else if (ent.vcardArray?.[1]?.[3]?.[3] === 'registrar') {
+          const entEntities = toArray(ent.entities);
           const email =
-            [ent, ...(ent.entities || [])]
+            [ent, ...entEntities]
               .filter((e) => e?.vcardArray)
               .map((e) =>
                 findInObject(
@@ -203,7 +237,7 @@ export async function whois(
               .filter(Boolean)?.[0] || "";
 
           const abuseEmail =
-            [ent, ...(ent.entities || [])]
+            [ent, ...entEntities]
               .filter((e) => e?.vcardArray)
               .map((e) =>
                 findInObject(
@@ -215,12 +249,14 @@ export async function whois(
               )
               .filter(Boolean)?.[0] || "";
 
-          registrars.push({ id: 0, name: ent.vcardArray[1][1][3], email, abuseEmail, events: ent.events || response.events || ent.enents || response.enents });
+          const vcardName = ent.vcardArray?.[1]?.[1]?.[3] || '';
+          registrars.push({ id: 0, name: vcardName, email, abuseEmail, events: ent.events || response.events || ent.enents || response.enents });
         }
-        // handles .si
-        else if (ent.vcardArray && ent.vcardArray[1] && ent.vcardArray[1].find((el: string[]) => el[0] === 'fn')) {
+        // handles .si - with safe array access
+        else if (ent.vcardArray && Array.isArray(ent.vcardArray[1]) && ent.vcardArray[1].find((el: string[]) => el[0] === 'fn')) {
+          const entEntities = toArray(ent.entities);
           const email =
-            [ent, ...(ent.entities || [])]
+            [ent, ...entEntities]
               .filter((e) => e?.vcardArray)
               .map((e) =>
                 findInObject(
@@ -233,7 +269,7 @@ export async function whois(
               .filter(Boolean)?.[0] || "";
 
           const abuseEmail =
-            [ent, ...(ent.entities || [])]
+            [ent, ...entEntities]
               .filter((e) => e?.vcardArray)
               .map((e) =>
                 findInObject(
@@ -260,7 +296,9 @@ export async function whois(
             registrars.push({ id, name, email, abuseEmail, events: ent.events || response.events || ent.enents || response.enents });
           }
           else {
-            registrars.push({ id: ent.handle || 0, name: ent.vcardArray[1].find((el: string[]) => el[0] === 'fn')[3], email, abuseEmail, events: ent.events || response.events || ent.enents || response.enents });
+            const fnEntry = ent.vcardArray[1].find((el: string[]) => el[0] === 'fn');
+            const name = fnEntry ? fnEntry[3] : ent.handle || '';
+            registrars.push({ id: ent.handle || 0, name, email, abuseEmail, events: ent.events || response.events || ent.enents || response.enents });
           }
         }
         // handles .ar
@@ -285,8 +323,9 @@ export async function whois(
             (el: any[]) => el[3],
             id
           );
+        const entEntities = toArray(ent.entities);
         const email =
-          [ent, ...(ent.entities || [])]
+          [ent, ...entEntities]
             .filter((e) => e?.vcardArray)
             .map((e) =>
               findInObject(
@@ -299,7 +338,7 @@ export async function whois(
             .filter(Boolean)?.[0] || "";
 
         const abuseEmail =
-          [ent, ...(ent.entities || [])]
+          [ent, ...entEntities]
             .filter((e) => e?.vcardArray)
             .map((e) =>
               findInObject(
@@ -392,66 +431,3 @@ export async function whois(
 
   return response;
 }
-
-function findStatus(statuses: string | string[], domain: string): string[] {
-  // console.warn({ domain, statuses });
-
-  return (Array.isArray(statuses)
-    ? statuses
-    : statuses && typeof statuses === "object"
-      ? Object.keys(statuses)
-      : typeof statuses === "string"
-        ? statuses.trim().split(/\s*,\s*/)
-        : []
-  ).map((status) => normalizeWhoisStatus(status));
-}
-
-function findNameservers(values: any[]): string[] {
-  let nameservers: any[] = [];
-  if (Array.isArray(values)) {
-    nameservers = values;
-  } else if (typeof values === "object") {
-    nameservers = Object.values(values);
-  }
-
-  return nameservers
-    .map((ns) => ns.ldhName || ns.ldnName || ns.ipAddresses?.v4)
-    .flat()
-    .filter((ns) => ns)
-    .map((ns) => (ns.stringValue || ns).toLocaleLowerCase())
-    .sort();
-}
-
-function findTimestamps(values: any[]) {
-  const ts: Record<WhoisTimestampFields, Date | null> = {
-    created: null,
-    updated: null,
-    expires: null,
-  };
-
-  let events: any = [];
-
-  if (Array.isArray(values)) {
-    events = values;
-  } else if (typeof values === "object") {
-    events = Object.values(values);
-  }
-
-  for (const [event, field] of eventMap) {
-    events.find(
-      (ev: any) => {
-        const isMatch = ev?.eventAction?.toLocaleLowerCase() === event && ev.eventDate;
-        if (isMatch) {
-          const d = new Date(ev.eventDate.toString().replace(/\+0000Z$/, "Z"));
-          // console.log(field, ev.eventDate, d);
-          if (!isNaN(d.valueOf())) {
-            ts[field] = d;
-            return true;
-          }
-        }
-      }
-    );
-  }
-
-  return ts;
-}

package/src/ip.ts

@@ -3,7 +3,15 @@ import { WhoisResponse } from "../whois.js";
 export function parseIpResponse(ip: string, rdap: any, response: WhoisResponse) {
   response.found = Boolean(rdap.handle);
 
-  const registry = rdap.port43 ? rdap.port43.match(/\.(\w+)\./)[1].toUpperCase() : '';
+  // Safely extract registry from port43 with null check
+  let registry = '';
+  if (rdap.port43) {
+    const match = rdap.port43.match(/\.(\w+)\./);
+    if (match) {
+      registry = match[1].toUpperCase();
+    }
+  }
+
   const realRdapServer = rdap.links?.find(({ rel }: { rel: string }) => rel === 'self')?.value?.replace(/\/ip\/.*/, '/ip/');
 
   response.server = realRdapServer || 'https://rdap.org/ip/';

package/src/polyfills.ts

@@ -0,0 +1,76 @@
+/**
+ * Polyfills for Node.js 18 compatibility.
+ * String.prototype.toWellFormed was added in Node.js 20.
+ */
+
+// Extend String interface for TypeScript
+declare global {
+  interface String {
+    toWellFormed(): string;
+    isWellFormed(): boolean;
+  }
+}
+
+// Polyfill for String.prototype.toWellFormed (ES2024)
+// Replaces lone surrogates with U+FFFD (replacement character)
+if (typeof String.prototype.toWellFormed !== 'function') {
+  String.prototype.toWellFormed = function () {
+    const str = String(this);
+    const len = str.length;
+    let result = '';
+
+    for (let i = 0; i < len; i++) {
+      const code = str.charCodeAt(i);
+
+      // Check for lone surrogates
+      if (code >= 0xD800 && code <= 0xDBFF) {
+        // High surrogate
+        if (i + 1 < len) {
+          const next = str.charCodeAt(i + 1);
+          if (next >= 0xDC00 && next <= 0xDFFF) {
+            // Valid surrogate pair
+            result += str[i] + str[i + 1];
+            i++;
+            continue;
+          }
+        }
+        // Lone high surrogate - replace with U+FFFD
+        result += '\uFFFD';
+      } else if (code >= 0xDC00 && code <= 0xDFFF) {
+        // Lone low surrogate - replace with U+FFFD
+        result += '\uFFFD';
+      } else {
+        result += str[i];
+      }
+    }
+
+    return result;
+  };
+}
+
+// Polyfill for String.prototype.isWellFormed (ES2024)
+if (typeof String.prototype.isWellFormed !== 'function') {
+  String.prototype.isWellFormed = function () {
+    const str = String(this);
+    const len = str.length;
+
+    for (let i = 0; i < len; i++) {
+      const code = str.charCodeAt(i);
+
+      if (code >= 0xD800 && code <= 0xDBFF) {
+        // High surrogate - check for valid pair
+        if (i + 1 >= len) return false;
+        const next = str.charCodeAt(i + 1);
+        if (next < 0xDC00 || next > 0xDFFF) return false;
+        i++; // Skip the low surrogate
+      } else if (code >= 0xDC00 && code <= 0xDFFF) {
+        // Lone low surrogate
+        return false;
+      }
+    }
+
+    return true;
+  };
+}
+
+export {};

package/src/port43.ts

@@ -5,6 +5,12 @@ import { port43servers, port43parsers } from "./port43servers.js";
 import { ianaToRegistrarCache } from "./utils/ianaIdToRegistrar.js";
 import { WhoisResponse } from "../whois.js";
 import { normalizeWhoisStatus } from "./whoisStatus.js";
+import createDebug from "debug";
+import { escapeRegex } from "./utils/escapeRegex.js";
+
+// Debug logger - enable with DEBUG=whois:* environment variable
+const debug = createDebug("whois:port43");
+
 
 export function determinePort43Domain(actor: string) {
   const parsed = parseDomain(actor);
@@ -36,7 +42,7 @@ export async function port43(actor: string, _fetch: typeof fetch): Promise<Whois
     : `${domain}\r\n`;
   const port = opts?.port || 43;
 
-  // console.log(`looking up ${domain} on ${server}`);
+  debug("looking up %s on %s:%d", domain, server, port);
 
   const response: WhoisResponse = {
     found: true,
@@ -82,7 +88,7 @@ export async function port43(actor: string, _fetch: typeof fetch): Promise<Whois
       }
     }
   } catch (error: any) {
-    console.warn({ port, server, query, error: error.message });
+    debug("port43 lookup error: %O", { port, server, query, error: error.message });
     response.found = false;
     response.statusCode = 500;
     response.error = error.message || "Unknown error during port 43 lookup";
@@ -93,7 +99,6 @@ export async function port43(actor: string, _fetch: typeof fetch): Promise<Whois
   }
 
   port43response = port43response.replace(/^[ \t]+/gm, "");
-  // console.log(port43response);
 
   let m;
 
@@ -145,12 +150,6 @@ export async function port43(actor: string, _fetch: typeof fetch): Promise<Whois
     )) &&
     (response.reseller = m[1].trim());
 
-    // console.log(port43response)
-
-// Updated Date: 2024-11-21T13:42:54Z
-// Creation Date: 2017-12-16T02:11:08Z
-// Registry Expiry Date: 2031-07-10T02:11:08Z
-
   !response.ts.updated &&
     (m = port43response.match(
       /^(?:Last Modified|Updated Date|Last updated on|domain_datelastmodified|last-update|modified|last modified)\.*:[ \t]*(\S.+)/im
@@ -235,6 +234,7 @@ export async function port43(actor: string, _fetch: typeof fetch): Promise<Whois
   if (response.ts.updated && !response.ts.updated.valueOf()) response.ts.updated = null;
   if (response.ts.expires && !response.ts.expires.valueOf()) response.ts.expires = null;
 
+  // Match registrar name against IANA cache using escaped regex to prevent ReDoS
   if (response.registrar.id === 0 && response.registrar.name !== "") {
     for (const [id, { name }] of ianaToRegistrarCache.entries()) {
       if (name === response.registrar.name) {
@@ -244,24 +244,32 @@ export async function port43(actor: string, _fetch: typeof fetch): Promise<Whois
     }
   }
 
-  if (response.registrar.id === 0 && response.registrar.name !== "") {
+  if (response.registrar.id === 0 && response.registrar.name && response.registrar.name !== "") {
+    const escapedName = escapeRegex(response.registrar.name);
     for (const [id, { name }] of ianaToRegistrarCache.entries()) {
-      if (name.match(new RegExp(`\\b${response.registrar.name}\\b`, "i"))) {
-        response.registrar.id = id;
-        break;
+      try {
+        if (name.match(new RegExp(`\\b${escapedName}\\b`, "i"))) {
+          response.registrar.id = id;
+          break;
+        }
+      } catch {
+        // Skip if regex still fails for some reason
+        continue;
       }
     }
   }
 
   if (response.registrar.id === 0 && response.registrar.name) {
+    const escapedName = escapeRegex(response.registrar.name.replace(/,.*/, ""));
     for (const [id, { name }] of ianaToRegistrarCache.entries()) {
-      if (
-        name.match(
-          new RegExp(`\\b${response.registrar.name.replace(/,.*/, "")}\\b`, "i")
-        )
-      ) {
-        response.registrar.id = id;
-        break;
+      try {
+        if (name.match(new RegExp(`\\b${escapedName}\\b`, "i"))) {
+          response.registrar.id = id;
+          break;
+        }
+      } catch {
+        // Skip if regex still fails for some reason
+        continue;
       }
     }
   }
@@ -292,4 +300,4 @@ function reformatDate(date: string) {
   }
 
   return date;
-}
+}

package/src/utils/escapeRegex.ts

@@ -0,0 +1,7 @@
+/**
+ * Escapes special regex characters in a string.
+ * Prevents ReDoS attacks when using user input in RegExp constructor.
+ */
+export function escapeRegex(str: string): string {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}

package/src/utils/findInObject.ts

@@ -7,17 +7,32 @@ export function findInObject(
   const found = _findInObject(obj, condition);
   return found === undefined ? fallback : extractor(found);
 }
+
 function _findInObject(obj: any, condition: (el: any) => boolean): any {
+  // Handle null/undefined
+  if (obj === null || obj === undefined) {
+    return undefined;
+  }
+
   for (const key in obj) {
-    if (condition(obj[key])) {
-      return obj[key];
+    // Skip inherited properties
+    if (!Object.prototype.hasOwnProperty.call(obj, key)) {
+      continue;
     }
 
-    if (typeof obj[key] === "object") {
-      const result = _findInObject(obj[key], condition);
+    const value = obj[key];
+
+    if (condition(value)) {
+      return value;
+    }
+
+    if (value !== null && typeof value === "object") {
+      const result = _findInObject(value, condition);
       if (result !== undefined) {
         return result;
       }
     }
   }
+
+  return undefined;
 }

package/src/utils/findNameservers.ts

@@ -0,0 +1,15 @@
+export function findNameservers(values: any[]): string[] {
+  let nameservers: any[] = [];
+  if (Array.isArray(values)) {
+    nameservers = values;
+  } else if (typeof values === "object") {
+    nameservers = Object.values(values);
+  }
+
+  return nameservers
+    .map((ns) => ns.ldhName || ns.ldnName || ns.ipAddresses?.v4)
+    .flat()
+    .filter((ns) => ns)
+    .map((ns) => (ns.stringValue || ns).toLocaleLowerCase())
+    .sort();
+}

package/src/utils/findStatus.ts

@@ -0,0 +1,12 @@
+import { normalizeWhoisStatus } from "../whoisStatus.js";
+
+export function findStatus(statuses: string | string[], domain: string): string[] {
+  return (Array.isArray(statuses)
+    ? statuses
+    : statuses && typeof statuses === "object"
+      ? Object.keys(statuses)
+      : typeof statuses === "string"
+        ? statuses.trim().split(/\s*,\s*/)
+        : []
+  ).map((status) => normalizeWhoisStatus(status));
+}

package/src/utils/findTimestamps.ts

@@ -0,0 +1,44 @@
+import { WhoisTimestampFields } from "../../whois.js";
+import { eventMap } from "../index.js";
+
+/**
+ * Extracts timestamps from RDAP events array.
+ * Properly iterates through events and breaks when a match is found.
+ */
+export function findTimestamps(values: any[]) {
+  const ts: Record<WhoisTimestampFields, Date | null> = {
+    created: null,
+    updated: null,
+    expires: null,
+  };
+
+  let events: any[] = [];
+
+  if (Array.isArray(values)) {
+    events = values;
+  } else if (typeof values === "object" && values !== null) {
+    events = Object.values(values);
+  }
+
+  // Iterate through each event type we're looking for
+  for (const [eventAction, field] of eventMap) {
+    // Skip if we already have a value for this field
+    if (ts[field] !== null) {
+      continue;
+    }
+
+    // Find matching event and extract date
+    for (const ev of events) {
+      if (ev?.eventAction?.toLocaleLowerCase() === eventAction && ev.eventDate) {
+        const dateStr = ev.eventDate.toString().replace(/\+0000Z$/, "Z");
+        const d = new Date(dateStr);
+        if (!isNaN(d.valueOf())) {
+          ts[field] = d;
+          break; // Found valid date, stop searching for this field
+        }
+      }
+    }
+  }
+
+  return ts;
+}

package/src/utils/toArray.ts

@@ -0,0 +1,17 @@
+/**
+ * Safely converts a value to an array.
+ * Handles cases where the value might be null, undefined, or a non-iterable object.
+ */
+export function toArray<T>(value: T | T[] | null | undefined): T[] {
+  if (value === null || value === undefined) {
+    return [];
+  }
+  if (Array.isArray(value)) {
+    return value;
+  }
+  // Handle object case - some RDAP responses return objects instead of arrays
+  if (typeof value === "object") {
+    return Object.values(value) as T[];
+  }
+  return [];
+}

package/src/utils/validateDomain.ts

@@ -0,0 +1,18 @@
+/**
+ * Validates domain input format.
+ * Returns sanitized domain or throws on invalid input.
+ */
+export function validateDomain(domain: string): string {
+  if (!domain || typeof domain !== 'string') {
+    throw new Error('Domain must be a non-empty string');
+  }
+  // Basic sanitization - trim whitespace
+  const sanitized = domain.trim().toLowerCase();
+  if (sanitized.length === 0) {
+    throw new Error('Domain must be a non-empty string');
+  }
+  if (sanitized.length > 253) {
+    throw new Error('Domain name too long');
+  }
+  return sanitized;
+}

package/tsconfig.json

@@ -26,7 +26,7 @@
 
     /* Modules */
     "module": "nodenext",                                /* Specify what module code is generated. */
-    // "rootDir": "./",                                  /* Specify the root folder within your source files. */
+    "rootDir": "./src",                                  /* Specify the root folder within your source files. */
     // "moduleResolution": "node10",                     /* Specify how TypeScript looks up a file from a given module specifier. */
     // "baseUrl": "./",                                  /* Specify the base directory to resolve non-relative module names. */
     // "paths": {},                                      /* Specify a set of entries that re-map imports to additional lookup locations. */

package/dist/wwwservers.d.ts

@@ -1 +0,0 @@
-export declare const loadWWWServers: Record<string, string>;

package/dist/wwwservers.js

@@ -1,3 +0,0 @@
-export const loadWWWServers = {
-    "it.com": `https://engine.itcomdomains.com/api/v1/domain/%%domain%%/whois_info`
-};

package/pnpm-workspace.yaml

@@ -1,2 +0,0 @@
-onlyBuiltDependencies:
-  - core-js