@fanboynz/network-scanner 2.0.55 → 2.0.57

package/lib/cloudflare.js

@@ -1,5 +1,20 @@
 /**
  * Cloudflare bypass and challenge handling module - Optimized with smart detection and adaptive timeouts
+ * Version: 2.7.0 - Major fixes and performance overhaul
+ *   - Fix: Challenge solvers had empty if-blocks (JS/Turnstile/Legacy never executed in non-debug mode)
+ *   - Fix: a[href*="continue"] false positive removed (matched nearly every website)
+ *   - Perf: Domain-level detection cache (was per-URL, now per-hostname)
+ *   - Perf: Timeout outcome caching (domain times out once -> all subsequent URLs skip instantly)
+ *   - Perf: Short-circuit quick detection (title/URL -> fast selectors -> slow text, early return at each stage)
+ *   - Perf: Eliminated body.textContent in quick detection (was extracting entire DOM text tree)
+ *   - Perf: Capped body.textContent to 2KB in analyzeCloudflareChallenge
+ *   - Perf: No-indicator pages skip immediately regardless of config (was 10-15s wasted)
+ *   - Perf: Quick detection timeout 4s->2s, retries 2->1
+ *   - Perf: PAGE_EVALUATION timeout 12s->5s, detached frame delay 3s->1s
+ *   - Perf: Inner timeouts tightened to fit within outer adaptive timeouts
+ *   - Perf: CHALLENGE_SOLVING 30s->12s, TURNSTILE_COMPLETION 20s->10s, JS_CHALLENGE_BUFFER 26s->12s
+ *   - Perf: MAX_RETRIES 3->2, baseDelay 1000->800ms, maxDelay 8000->5000ms
+ *   - Perf: Parallel detection gated behind cloudflare config (was running on every URL)
  * Version: 2.6.3 - Fixes Cannot read properties of undefined (reading 'hasIndicators')
  * Version: 2.6.2 - Further detached Frame fixes 
  * Version: 2.6.1 - timeoutId is not defined & race condition fix
@@ -20,7 +35,7 @@ const { formatLogMessage } = require('./colorize');
 /**
  * Module version information
  */
-const CLOUDFLARE_MODULE_VERSION = '2.6.3';
+const CLOUDFLARE_MODULE_VERSION = '2.7.0';
 
 /**
  * Timeout constants for various operations (in milliseconds)
@@ -28,13 +43,13 @@ const CLOUDFLARE_MODULE_VERSION = '2.6.3';
  * All values tuned for maximum scanning speed while maintaining functionality
  */
 const TIMEOUTS = {
-  PAGE_EVALUATION: 12000,           // Standard page evaluation timeout
-  PAGE_EVALUATION_SAFE: 12000,     // Safe page evaluation with extra buffer
+  PAGE_EVALUATION: 5000,             // Standard page evaluation timeout (DOM queries are instant)
+  PAGE_EVALUATION_SAFE: 5000,       // Safe page evaluation with extra buffer
   PHISHING_CLICK: 3000,           // Timeout for clicking phishing continue button
   PHISHING_NAVIGATION: 8000,       // Wait for navigation after phishing bypass
-  JS_CHALLENGE_BUFFER: 26000,     // JS challenge with safety buffer
-  TURNSTILE_COMPLETION: 20000,    // Turnstile completion check
-  TURNSTILE_COMPLETION_BUFFER: 25000, // Turnstile completion with buffer
+  JS_CHALLENGE_BUFFER: 12000,     // JS challenge -- must fit within 15s adaptive outer timeout
+  TURNSTILE_COMPLETION: 10000,    // Turnstile completion check -- fits within adaptive timeout
+  TURNSTILE_COMPLETION_BUFFER: 12000, // Turnstile completion with buffer
   CLICK_TIMEOUT: 5000,            // Standard click operation timeout
   CLICK_TIMEOUT_BUFFER: 1000,     // Click timeout safety buffer
   NAVIGATION_TIMEOUT: 15000,      // Standard navigation timeout
@@ -45,21 +60,21 @@ const TIMEOUTS = {
   ADAPTIVE_TIMEOUT_AUTO_WITHOUT_INDICATORS: 10000, // Adaptive timeout for auto-detected without indicators
   // New timeouts for enhanced functionality
   RETRY_DELAY: 1000,              // Delay between retry attempts
-  MAX_RETRIES: 3,                 // Maximum retry attempts for operations
+  MAX_RETRIES: 2,                 // Maximum retry attempts (only 2 fit within 25s outer timeout)
   CHALLENGE_POLL_INTERVAL: 500,   // Interval for polling challenge completion
   CHALLENGE_MAX_POLLS: 20         // Maximum polling attempts
 };
 
 // Fast timeout constants - optimized for speed
 const FAST_TIMEOUTS = {
-  QUICK_DETECTION: 4000,           // Fast Cloudflare detection
+  QUICK_DETECTION: 2000,           // Fast Cloudflare detection (DOM check, instant on loaded pages)
   PHISHING_WAIT: 1000,            // Fast phishing check
   CHALLENGE_WAIT: 500,            // Fast challenge detection
   ELEMENT_INTERACTION_DELAY: 250, // Fast element interactions
   SELECTOR_WAIT: 3000,            // Fast selector waits
   TURNSTILE_OPERATION: 6000,      // Fast Turnstile operations
   JS_CHALLENGE: 10000,            // Fast JS challenge completion
-  CHALLENGE_SOLVING: 30000,       // Fast overall challenge solving
+  CHALLENGE_SOLVING: 12000,       // Overall challenge solving -- fits within 15s adaptive outer
   CHALLENGE_COMPLETION: 8000      // Fast completion check
 };
 
@@ -68,7 +83,7 @@ const FAST_TIMEOUTS = {
  * Returns {found, clicked, x, y} - coordinates allow fallback mouse.click
  */
 async function clickInShadowDOM(context, selectors, forceDebug = false, waitMs = 1500) {
-  // Try Puppeteer's pierce/ selector first � handles CLOSED shadow roots via CDP
+  // Try Puppeteer's pierce/ selector first -- handles CLOSED shadow roots via CDP
   for (const selector of selectors) {
     try {
       // Wait for element to appear (handles delayed rendering)
@@ -77,7 +92,7 @@ async function clickInShadowDOM(context, selectors, forceDebug = false, waitMs =
       if (element) {
         const box = await element.boundingBox();
         if (box && box.width > 0 && box.height > 0) {
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `pierce/${selector} matched in ${Date.now() - start}ms � box: ${box.width}x${box.height} at (${box.x},${box.y})`));
+          if (forceDebug) console.log(formatLogMessage('cloudflare', `pierce/${selector} matched in ${Date.now() - start}ms -- box: ${box.width}x${box.height} at (${box.x},${box.y})`));
           await element.click();
           await element.dispose();
           return { found: true, clicked: true, selector, x: box.x + box.width / 2, y: box.y + box.height / 2 };
@@ -185,9 +200,9 @@ function detectChallengeLoop(url, previousUrls = []) {
  * Retry configuration with exponential backoff
  */
 const RETRY_CONFIG = {
-  maxAttempts: 3,
-  baseDelay: 1000,
-  maxDelay: 8000,
+  maxAttempts: 2,       // Only 2 attempts fit within 25s outer timeout
+  baseDelay: 800,       // Slightly faster retry delay
+  maxDelay: 5000,       // Lower max delay cap
   backoffMultiplier: 2,
   retryableErrors: [ERROR_TYPES.NETWORK, ERROR_TYPES.TIMEOUT, ERROR_TYPES.ELEMENT_NOT_FOUND, ERROR_TYPES.DETACHED_FRAME]
 };
@@ -209,7 +224,7 @@ class CloudflareDetectionCache {
   getCacheKey(url) {
     try {
       const urlObj = new URL(url);
-      return `${urlObj.hostname}${urlObj.pathname}`;
+      return urlObj.hostname; // Domain-level caching: all URLs from same host share one entry
     } catch {
       return url;
     }
@@ -441,8 +456,8 @@ async function safePageEvaluate(page, func, timeout = TIMEOUTS.PAGE_EVALUATION_S
         if (forceDebug) {
           console.warn(formatLogMessage('cloudflare', `Detached frame detected on attempt ${attempt}/${maxRetries} - using longer delay`));
         }
-        // For detached frames, wait longer
-        await new Promise(resolve => setTimeout(resolve, 3000)); // Longer delay
+        // For detached frames, brief delay before retry
+        await new Promise(resolve => setTimeout(resolve, 1000));
         
         // For detached frames, only retry once more
         if (attempt >= 2) {
@@ -541,44 +556,67 @@ async function quickCloudflareDetection(page, forceDebug = false) {
     // Perform actual detection with enhanced error handling
     const quickCheck = await safePageEvaluate(page, () => {
       const title = document.title || '';
-      const bodyText = document.body ? document.body.textContent.substring(0, 500) : '';
       const url = window.location.href;
       
-      // Enhanced indicators with 2025 patterns
-      const hasCloudflareIndicators = 
+      // FAST PATH: Check title + URL first (string ops, no DOM traversal)
+      const titleMatch = 
         title.includes('Just a moment') ||
         title.includes('Checking your browser') ||
         title.includes('Attention Required') ||
-        title.includes('Security check') || // New pattern
+        title.includes('Security check');
+      
+      const urlMatch =
+        url.includes('/cdn-cgi/challenge-platform/') ||
+        url.includes('cloudflare.com');
+      
+      if (titleMatch || urlMatch) {
+        return { hasIndicators: true, title, url, bodySnippet: '' };
+      }
+      
+      // MEDIUM PATH: Check a few fast selectors before expensive text extraction
+      const selectorMatch =
+        document.querySelector('[data-ray]') ||
+        document.querySelector('[data-cf-challenge]') ||
+        document.querySelector('.cf-challenge-running') ||
+        document.querySelector('.cf-turnstile') ||
+        document.querySelector('.cf-managed-challenge') ||
+        document.querySelector('[data-cf-managed]') ||
+        document.querySelector('script[src*="/cdn-cgi/challenge-platform/"]');
+      
+      if (selectorMatch) {
+        return { hasIndicators: true, title, url, bodySnippet: '' };
+      }
+      
+      // SLOW PATH: Extract limited body text only if fast checks failed
+      // Use body.innerText capped to first child nodes instead of full textContent
+      let bodyText = '';
+      if (document.body) {
+        const el = document.body.querySelector('.main-wrapper, .main-content, #challenge-body-text, .cf-challenge-container');
+        bodyText = el ? el.textContent.substring(0, 300) : (document.body.firstElementChild ? document.body.firstElementChild.textContent.substring(0, 300) : '');
+      }
+      
+      const textMatch =
         bodyText.includes('Cloudflare') ||
         bodyText.includes('cf-ray') ||
         bodyText.includes('Verify you are human') ||
         bodyText.includes('This website has been reported for potential phishing') ||
         bodyText.includes('Please wait while we verify') ||
-        bodyText.includes('Checking if the site connection is secure') || // New pattern
-        url.includes('/cdn-cgi/challenge-platform/') ||
-        url.includes('cloudflare.com') ||
-        document.querySelector('[data-ray]') ||
-        document.querySelector('[data-cf-challenge]') ||
-        document.querySelector('.cf-challenge-running') ||
+        bodyText.includes('Checking if the site connection is secure');
+      
+      // Remaining slower selectors
+      const slowSelectorMatch =
         document.querySelector('.cf-challenge-container') ||
-        document.querySelector('.cf-turnstile') ||
         document.querySelector('.ctp-checkbox-container') ||
         document.querySelector('iframe[src*="challenges.cloudflare.com"]') ||
-        document.querySelector('iframe[title*="Cloudflare security challenge"]') ||
-        document.querySelector('script[src*="/cdn-cgi/challenge-platform/"]') ||
-        document.querySelector('a[href*="continue"]') ||
-        // New selectors for 2025
-        document.querySelector('.cf-managed-challenge') ||
-        document.querySelector('[data-cf-managed]');
+        document.querySelector('iframe[title*="Cloudflare security challenge"]');
       
       return {
-        hasIndicators: hasCloudflareIndicators,
+        hasIndicators: !!(textMatch || slowSelectorMatch),
         title,
         url,
         bodySnippet: bodyText.substring(0, 200)
       };
-    }, FAST_TIMEOUTS.QUICK_DETECTION, { maxRetries: 2, forceDebug });
+    }, FAST_TIMEOUTS.QUICK_DETECTION, { maxRetries: 1, forceDebug });
     
     // Cache the result
     detectionCache.set(currentPageUrl, quickCheck);
@@ -607,7 +645,7 @@ async function quickCloudflareDetection(page, forceDebug = false) {
  */
 async function analyzeCloudflareChallenge(page) {
   try {
-    // CDP-level frame check � bypasses closed shadow roots
+    // CDP-level frame check -- bypasses closed shadow roots
     const frames = page.frames();
     const hasChallengeFrame = frames.some(f => {
       const url = f.url();
@@ -616,7 +654,8 @@ async function analyzeCloudflareChallenge(page) {
 
     const result = await safePageEvaluate(page, () => {
       const title = document.title || '';
-      const bodyText = document.body ? document.body.textContent : '';
+      // Cap text extraction -- on content-heavy pages body.textContent can be megabytes
+      const bodyText = document.body ? document.body.textContent.substring(0, 2000) : '';
       
       // Updated selectors for 2025 Cloudflare challenges
       const hasTurnstileIframe = document.querySelector('iframe[title*="Cloudflare security challenge"]') !== null ||
@@ -649,8 +688,7 @@ async function analyzeCloudflareChallenge(page) {
                             bodyText.includes('Please wait while we verify');
       
       const hasPhishingWarning = bodyText.includes('This website has been reported for potential phishing') ||
-                                title.includes('Attention Required') ||
-                                document.querySelector('a[href*="continue"]') !== null;
+                                title.includes('Attention Required');
       
       const hasTurnstileResponse = document.querySelector('input[name="cf-turnstile-response"]') !== null;
       
@@ -687,7 +725,7 @@ async function analyzeCloudflareChallenge(page) {
       };
     }, TIMEOUTS.PAGE_EVALUATION);
 
-    // Merge CDP frame detection � catches iframes behind closed shadow roots
+    // Merge CDP frame detection -- catches iframes behind closed shadow roots
     if (hasChallengeFrame && !result.hasTurnstileIframe) {
       result.hasTurnstileIframe = true;
       result.isTurnstile = true;
@@ -1088,20 +1126,10 @@ async function attemptChallengeSolve(page, currentUrl, challengeInfo, forceDebug
       if (jsResult.success) {
         // Wait for redirect after challenge completion
         try {
-          const startUrl = await page.url();
-          await page.waitForFunction(
-            (origUrl) => {
-              const bodyText = document.body?.textContent || '';
-              return document.title !== 'Just a moment...' ||
-                     window.location.href !== origUrl ||
-                     bodyText.includes('Verification successful');
-            },
-            { timeout: 10000 },
-            startUrl
-          );
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `Challenge page cleared for ${currentUrl}`));
-        } catch (_) {
-          if (forceDebug) console.log(formatLogMessage('cloudflare', `Challenge page not cleared after 10s � continuing`));
+          await page.waitForNavigation({ waitUntil: 'domcontentloaded', timeout: 10000 });
+          if (forceDebug) console.log(formatLogMessage('cloudflare', `Post-challenge redirect completed for ${currentUrl}`));
+        } catch (navErr) {
+          if (forceDebug) console.log(formatLogMessage('cloudflare', `Post-challenge redirect timeout (may already be on target page): ${navErr.message}`));
         }
         result.success = true;
         result.method = 'js_challenge_wait';
@@ -1183,7 +1211,7 @@ async function handleEmbeddedIframeChallenge(page, forceDebug = false) {
   try {
     if (forceDebug) console.log(formatLogMessage('cloudflare', `Checking for embedded iframe challenges`));
 
-    // Use CDP-level frame detection � bypasses closed shadow roots
+    // Use CDP-level frame detection -- bypasses closed shadow roots
     const frames = page.frames();
     if (forceDebug) {
       console.log(formatLogMessage('cloudflare', `Available frames (${frames.length}):`));
@@ -1624,10 +1652,11 @@ async function handleCloudflareProtection(page, currentUrl, siteConfig, forceDeb
 
   // Early return structure when no Cloudflare indicators found
   // Sets attempted: false, success: true for both protection types
- 
-  // Only proceed if we have indicators OR explicit config enables Cloudflare handling
-  if (!quickDetection.hasIndicators && !cfPhishEnabled && !cfBypassEnabled) {
-    if (forceDebug) console.log(formatLogMessage('cloudflare', `No Cloudflare indicators found and no explicit config, skipping protection handling for ${currentUrl}`));
+  // Skip immediately if no Cloudflare indicators detected
+  // Trust the detection -- explicit config only matters when indicators ARE found
+  // This avoids a 10s adaptive timeout on non-Cloudflare sites
+  if (!quickDetection.hasIndicators) {
+    if (forceDebug) console.log(formatLogMessage('cloudflare', `No Cloudflare indicators found, skipping protection handling for ${currentUrl}`));
     if (forceDebug) console.log(formatLogMessage('cloudflare', `Quick detection details: title="${quickDetection.title}", bodySnippet="${quickDetection.bodySnippet}"`));
     return {
       phishingWarning: { attempted: false, success: true },
@@ -1663,10 +1692,24 @@ async function handleCloudflareProtection(page, currentUrl, siteConfig, forceDeb
       console.log(formatLogMessage('cloudflare', `Using adaptive timeout of ${adaptiveTimeout}ms for ${currentUrl} (indicators: ${quickDetection.hasIndicators}, explicit config: ${!!(siteConfig.cloudflare_phish || siteConfig.cloudflare_bypass)})`));
     }
     
-    return await Promise.race([
-      performCloudflareHandling(page, currentUrl, siteConfig, cfDebug),
+    // Check if this domain already timed out -- skip immediately
+    try {
+      const outcomeCacheKey = 'outcome:' + new URL(currentUrl).hostname;
+      const cachedOutcome = detectionCache.cache.get(outcomeCacheKey);
+      if (cachedOutcome && cachedOutcome.data && cachedOutcome.data.timedOut && Date.now() - cachedOutcome.timestamp < detectionCache.ttl) {
+        if (forceDebug) console.log(formatLogMessage('cloudflare', `Skipping ${currentUrl} -- domain already timed out on a previous URL`));
+        return cachedOutcome.data;
+      }
+    } catch (e) { /* malformed URL, proceed normally */ }
+    
+    let adaptiveTimeoutId = null;
+    const handlingResult = await Promise.race([
+      performCloudflareHandling(page, currentUrl, siteConfig, cfDebug).then(r => {
+        if (adaptiveTimeoutId) clearTimeout(adaptiveTimeoutId);
+        return r;
+      }),
       new Promise((resolve) => {
-        setTimeout(() => {
+        adaptiveTimeoutId = setTimeout(() => {
         console.warn(formatLogMessage('cloudflare', `Adaptive timeout (${adaptiveTimeout}ms) for ${currentUrl} - continuing with scan`));
           resolve({
             phishingWarning: { attempted: false, success: true },
@@ -1678,6 +1721,16 @@ async function handleCloudflareProtection(page, currentUrl, siteConfig, forceDeb
         }, adaptiveTimeout);
       })
     ]);
+    
+    // Cache timeout results at domain level so subsequent URLs skip immediately
+    if (handlingResult.timedOut) {
+      try {
+        const setOutcomeKey = 'outcome:' + new URL(currentUrl).hostname;
+        detectionCache.cache.set(setOutcomeKey, { data: handlingResult, timestamp: Date.now() });
+      } catch (e) { /* malformed URL, skip caching */ }
+    }
+    
+    return handlingResult;
   } catch (error) {
     result.overallSuccess = false;
     result.errors.push(`Cloudflare handling failed: ${error.message}`);
@@ -1809,8 +1862,7 @@ async function parallelChallengeDetection(page, forceDebug = false) {
         { type: 'turnstile', detected: document.querySelector('.cf-turnstile') !== null ||
             document.querySelector('iframe[src*="challenges.cloudflare.com"]') !== null ||
             document.querySelector('.ctp-checkbox-container') !== null },
-        { type: 'phishing', detected: bodyText.includes('This website has been reported for potential phishing') ||
-            document.querySelector('a[href*="continue"]') !== null },
+        { type: 'phishing', detected: bodyText.includes('This website has been reported for potential phishing') },
         { type: 'managed', detected: document.querySelector('.cf-managed-challenge') !== null ||
             document.querySelector('[data-cf-managed]') !== null }
       ];