npm - @fanboynz/network-scanner - Versions diffs - 2.0.65 → 2.0.66 - Mend

@fanboynz/network-scanner 2.0.65 → 2.0.66

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/lib/proxy.js CHANGED Viewed

@@ -18,6 +18,15 @@
  *
  *   SOCKS5 with auth:
  *     "proxy": "socks5://user:pass@127.0.0.1:1080"
+ *     Chromium itself cannot authenticate SOCKS5 (crbug.com/256785), so
+ *     this module auto-starts an in-process no-auth SOCKS5 relay
+ *     (lib/socks-relay.js) that does the upstream RFC 1929 auth. Chromium
+ *     connects to the local relay (no auth — which it CAN do) and the
+ *     relay tunnels to the authenticated upstream. Transparent: keep the
+ *     socks5://user:pass@host form in config. Requires prepareSocksRelays()
+ *     to be awaited once before the scan loop (nwss.js does this).
+ *     NOTE: socks4 with auth is still unsupported (userId-only,
+ *     near-extinct) — use socks5 or an authenticated HTTP proxy.
  *
  *   HTTP proxy (corporate):
  *     "proxy": "http://proxy.corp.com:3128"
@@ -56,8 +65,9 @@
  */
 const { formatLogMessage } = require('./colorize');
+const { ensureRelay, getRelayPort } = require('./socks-relay');
-const PROXY_MODULE_VERSION = '1.1.0';
+const PROXY_MODULE_VERSION = '1.2.0';
 const SUPPORTED_PROTOCOLS = ['socks5', 'socks4', 'http', 'https'];
 const DEFAULT_PORTS = {
@@ -105,8 +115,12 @@ function parseProxyUrl(proxyUrl) {
     if (!host) return null;
     const port = parseInt(url.port, 10) || DEFAULT_PORTS[protocol] || 1080;
-    const username = url.username ? decodeURIComponent(url.username) : null;
-    const password = url.password ? decodeURIComponent(url.password) : null;
+    // decodeURIComponent throws URIError on a literal '%' that isn't a valid
+    // escape (e.g. a password containing '%'). Fall back to the raw value so
+    // an otherwise-valid proxy isn't rejected as "Invalid proxy URL".
+    const safeDecode = (v) => { try { return decodeURIComponent(v); } catch (_) { return v; } };
+    const username = url.username ? safeDecode(url.username) : null;
+    const password = url.password ? safeDecode(url.password) : null;
     return { protocol, host, port, username, password };
   } catch (_) {
@@ -124,6 +138,41 @@ function needsProxy(siteConfig) {
   return !!getConfiguredProxy(siteConfig);
 }
+/**
+ * Pre-start local no-auth SOCKS5 relays for every distinct authenticated
+ * SOCKS5 upstream across the given site configs. Must be awaited ONCE
+ * before the scan loop — getProxyArgs() then does a pure sync lookup of
+ * the relay port, so the fragile per-batch browser-launch path stays
+ * synchronous.
+ *
+ * @param {object[]} siteConfigs
+ * @param {boolean} forceDebug
+ * @returns {Promise<number>} count of relays started
+ */
+async function prepareSocksRelays(siteConfigs, forceDebug = false) {
+  let started = 0;
+  const seen = new Set();
+  for (const cfg of (siteConfigs || [])) {
+    const url = getConfiguredProxy(cfg);
+    if (!url) continue;
+    const parsed = parseProxyUrl(url);
+    // Only socks5 with credentials needs a relay. socks4-auth stays
+    // unsupported (near-extinct, userId-only); http/https auth works
+    // natively via page.authenticate().
+    if (!parsed || parsed.protocol !== 'socks5' || !parsed.username) continue;
+    const key = `${parsed.host}:${parsed.port}:${parsed.username}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    try {
+      await ensureRelay(parsed, forceDebug);
+      started++;
+    } catch (e) {
+      console.warn(formatLogMessage('proxy', `Failed to start SOCKS5 auth relay for ${parsed.host}:${parsed.port}: ${e.message}`));
+    }
+  }
+  return started;
+}
 /**
  * Returns Chromium launch arguments for the configured proxy.
  *
@@ -141,15 +190,45 @@ function getProxyArgs(siteConfig, forceDebug = false) {
     return [];
   }
+  // Authenticated SOCKS5: Chromium can't auth SOCKS, so point it at the
+  // local no-auth relay (started upfront by prepareSocksRelays) which does
+  // the upstream auth. Credentials never reach Chromium. The relay speaks
+  // SOCKS5 and forwards domain addresses, so the remote-DNS rule below
+  // still applies correctly to the localhost hop.
+  let effectiveHost = parsed.host;
+  let effectivePort = parsed.port;
+  let effectiveProto = parsed.protocol;
+  if (parsed.protocol === 'socks5' && parsed.username) {
+    const relayPort = getRelayPort(parsed);
+    if (relayPort) {
+      effectiveHost = '127.0.0.1';
+      effectivePort = relayPort;
+      const debug = forceDebug || siteConfig.proxy_debug || siteConfig.socks5_debug;
+      if (debug) {
+        console.log(formatLogMessage('proxy', `SOCKS5 auth via local relay 127.0.0.1:${relayPort} -> ${parsed.host}:${parsed.port}`));
+      }
+    } else {
+      // prepareSocksRelays should have started this; defensive only.
+      console.warn(formatLogMessage('proxy', `No SOCKS5 auth relay for ${parsed.host}:${parsed.port} — call prepareSocksRelays() before the scan. Connection will fail (Chromium can't auth SOCKS).`));
+    }
+  }
   const args = [
-    `--proxy-server=${parsed.protocol}://${parsed.host}:${parsed.port}`
+    `--proxy-server=${effectiveProto}://${effectiveHost}:${effectivePort}`
   ];
-  // Remote DNS: resolve hostnames through the proxy (prevents DNS leaks)
-  // Only meaningful for SOCKS proxies; HTTP proxies resolve remotely by default
+  // Remote DNS: force proxy-side hostname resolution (prevents DNS leaks).
+  // SOCKS5 only — it can carry a hostname to the proxy for remote
+  // resolution. SOCKS4 cannot (the protocol only accepts an IPv4 address;
+  // resolution must happen client-side), so applying MAP * ~NOTFOUND there
+  // makes Chromium's local resolver fail with nothing able to resolve the
+  // hostname — every request breaks. HTTP/HTTPS proxies resolve remotely
+  // by default and need no rule.
   const remoteDns = siteConfig.proxy_remote_dns ?? siteConfig.socks5_remote_dns;
-  if ((parsed.protocol === 'socks5' || parsed.protocol === 'socks4') && remoteDns !== false) {
+  if (parsed.protocol === 'socks5' && remoteDns !== false) {
     args.push('--host-resolver-rules=MAP * ~NOTFOUND , EXCLUDE 127.0.0.1');
+  } else if (parsed.protocol === 'socks4' && remoteDns === true) {
+    console.warn(formatLogMessage('proxy', `proxy_remote_dns ignored: SOCKS4 cannot do proxy-side DNS resolution (use SOCKS5)`));
   }
   // Bypass list: domains that skip the proxy
@@ -182,6 +261,20 @@ async function applyProxyAuth(page, siteConfig, forceDebug = false) {
   const parsed = parseProxyUrl(proxyUrl);
   if (!parsed || !parsed.username) return false;
+  // Chromium can't authenticate SOCKS proxies, and page.authenticate() is
+  // HTTP-407-only. SOCKS5+creds is handled out-of-band by the local
+  // no-auth relay (prepareSocksRelays + getProxyArgs rewrite) — Chromium
+  // talks no-auth to 127.0.0.1, so there's nothing for page.authenticate
+  // to do here; return quietly. SOCKS4 auth (userId-only, near-extinct)
+  // stays genuinely unsupported.
+  if (parsed.protocol === 'socks5') {
+    return false; // relay handles upstream auth
+  }
+  if (parsed.protocol === 'socks4') {
+    console.warn(formatLogMessage('proxy', `SOCKS4 proxy auth is unsupported (use SOCKS5, which is auto-relayed, or an authenticated HTTP proxy).`));
+    return false;
+  }
   try {
     await page.authenticate({
       username: parsed.username,
@@ -265,9 +358,14 @@ function getModuleInfo() {
   return { version: PROXY_MODULE_VERSION, name: 'Proxy Handler' };
 }
+// Re-export relay teardown so nwss.js cleanup paths can close listeners.
+const { closeAllRelays: closeAllSocksRelays } = require('./socks-relay');
 module.exports = {
   parseProxyUrl,
   needsProxy,
+  prepareSocksRelays,
+  closeAllSocksRelays,
   getProxyArgs,
   applyProxyAuth,
   testProxy,

package/lib/socks-relay.js ADDED Viewed

@@ -0,0 +1,266 @@
+/**
+ * Local no-auth SOCKS5 relay for authenticated SOCKS5 upstreams.
+ *
+ * Chromium cannot authenticate SOCKS5 proxies (crbug.com/256785 — it only
+ * implements the no-auth method 0x00; credentials in --proxy-server are
+ * discarded, and page.authenticate() is HTTP-407-only so it can't help —
+ * SOCKS auth happens at the TCP handshake before any HTTP).
+ *
+ * Workaround: run an in-process no-auth SOCKS5 server bound to 127.0.0.1.
+ * Chromium connects to it without auth (which it CAN do); for each
+ * connection we open an authenticated tunnel to the real upstream via the
+ * `socks` package (RFC 1929 user/pass) and pipe the two together. Domain
+ * address types are forwarded as hostnames so remote DNS still works
+ * end-to-end (no DNS leak).
+ *
+ * Relays are keyed by upstream identity and reused. closeAllRelays() must
+ * be called on scan exit / signal so listening sockets don't leak.
+ */
+const net = require('net');
+const { SocksClient } = require('socks');
+const { formatLogMessage } = require('./colorize');
+// upstreamKey -> { server, port, activeSockets:Set<net.Socket> }
+const _relays = new Map();
+function upstreamKey(u) {
+  return `${u.host}:${u.port}:${u.username || ''}`;
+}
+/**
+ * Handle one Chromium->relay connection: minimal SOCKS5 server handshake,
+ * then an authenticated upstream tunnel, then bidirectional pipe.
+ */
+// Bail on a client that connects and never completes SOCKS5 negotiation.
+// Generous enough for a Chromium loopback handshake (microseconds), short
+// enough to catch a stalled / half-open client before the OS TCP keepalive
+// notices (default ~2 hours on Linux).
+const HANDSHAKE_TIMEOUT_MS = 10000;
+function handleClient(client, upstream, forceDebug) {
+  let phase = 'greeting';
+  let buf = Buffer.alloc(0);
+  let upstreamSock = null;
+  let settled = false;
+  // Handshake-phase watchdog handle. Assigned after cleanup is declared so
+  // both references in this scope resolve unambiguously.
+  let handshakeTimer = null;
+  const cleanup = () => {
+    if (settled) return;
+    settled = true;
+    if (handshakeTimer) { clearTimeout(handshakeTimer); handshakeTimer = null; }
+    try { client.destroy(); } catch (_) {}
+    if (upstreamSock) { try { upstreamSock.destroy(); } catch (_) {} }
+  };
+  // Bail on a client that connects and never completes SOCKS5 negotiation
+  // (stalled / half-open / non-SOCKS protocol). Without this, such a socket
+  // sits in activeSockets until the OS TCP keepalive notices — default
+  // ~2 hours on Linux. unref'd so a pending watchdog never holds the
+  // process alive after closeAllRelays().
+  handshakeTimer = setTimeout(() => {
+    if (phase !== 'piping') {
+      if (forceDebug) {
+        console.log(formatLogMessage('proxy', `[socks-relay] handshake timeout (phase=${phase}) — closing`));
+      }
+      cleanup();
+    }
+  }, HANDSHAKE_TIMEOUT_MS);
+  if (typeof handshakeTimer.unref === 'function') handshakeTimer.unref();
+  const onData = async (chunk) => {
+    buf = Buffer.concat([buf, chunk]);
+    try {
+      if (phase === 'greeting') {
+        // [0x05, NMETHODS, METHODS...]
+        if (buf.length < 2) return;
+        const nMethods = buf[1];
+        if (buf.length < 2 + nMethods) return;
+        const offered = buf.subarray(2, 2 + nMethods);
+        buf = buf.subarray(2 + nMethods);
+        // We only speak no-auth (0x00) to the local client. Chromium always
+        // offers it; if a client somehow didn't, reply "no acceptable
+        // methods" rather than violate the protocol by selecting unoffered.
+        if (!offered.includes(0x00)) {
+          try { client.write(Buffer.from([0x05, 0xFF])); } catch (_) {}
+          return cleanup();
+        }
+        client.write(Buffer.from([0x05, 0x00])); // select "no auth"
+        phase = 'request';
+      }
+      if (phase === 'request') {
+        // [0x05, CMD, 0x00, ATYP, ADDR..., PORT(2 BE)]
+        if (buf.length < 4) return;
+        if (buf[0] !== 0x05) { failReply(client, 0x01); return cleanup(); }
+        const cmd = buf[1];
+        const atyp = buf[3];
+        let host, port, hdrLen;
+        if (atyp === 0x01) {                 // IPv4
+          if (buf.length < 10) return;
+          host = `${buf[4]}.${buf[5]}.${buf[6]}.${buf[7]}`;
+          port = buf.readUInt16BE(8);
+          hdrLen = 10;
+        } else if (atyp === 0x03) {          // domain
+          if (buf.length < 5) return;
+          const dLen = buf[4];
+          if (buf.length < 7 + dLen) return;
+          host = buf.subarray(5, 5 + dLen).toString('utf8');
+          port = buf.readUInt16BE(5 + dLen);
+          hdrLen = 7 + dLen;
+        } else if (atyp === 0x04) {          // IPv6
+          if (buf.length < 22) return;
+          const seg = [];
+          for (let i = 0; i < 16; i += 2) seg.push(buf.readUInt16BE(4 + i).toString(16));
+          host = seg.join(':');
+          port = buf.readUInt16BE(20);
+          hdrLen = 22;
+        } else {
+          failReply(client, 0x08);            // address type not supported
+          return cleanup();
+        }
+        if (cmd !== 0x01) {                    // only CONNECT
+          failReply(client, 0x07);
+          return cleanup();
+        }
+        // Hand the stream to .pipe() from here. Pause + detach this handler
+        // so a data event during the upstream connect can't re-enter.
+        phase = 'connecting';
+        client.pause();
+        client.off('data', onData);
+        const early = buf.subarray(hdrLen);   // any bytes after the request header
+        buf = null;
+        let info;
+        try {
+          info = await SocksClient.createConnection({
+            proxy: {
+              host: upstream.host,
+              port: upstream.port,
+              type: 5,
+              userId: upstream.username,
+              password: upstream.password || '',
+            },
+            command: 'connect',
+            destination: { host, port },
+            timeout: 20000,
+          });
+        } catch (e) {
+          if (forceDebug) {
+            console.log(formatLogMessage('proxy', `[socks-relay] upstream connect failed (${host}:${port}): ${e.message}`));
+          }
+          failReply(client, 0x05);             // connection refused
+          return cleanup();
+        }
+        upstreamSock = info.socket;
+        try { upstreamSock.setNoDelay(true); } catch (_) {}
+        upstreamSock.on('error', cleanup);
+        upstreamSock.on('close', cleanup);
+        client.on('error', cleanup);
+        client.on('close', cleanup);
+        // SOCKS5 success (BND.ADDR 0.0.0.0:0 — Chromium ignores it for CONNECT)
+        client.write(Buffer.from([0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0]));
+        if (early && early.length) upstreamSock.write(early);
+        client.pipe(upstreamSock);
+        upstreamSock.pipe(client);
+        client.resume();
+        phase = 'piping';
+        // Negotiation complete — disarm the handshake watchdog so a
+        // long-running download isn't killed mid-transfer.
+        if (handshakeTimer) { clearTimeout(handshakeTimer); handshakeTimer = null; }
+      }
+    } catch (e) {
+      if (forceDebug) {
+        console.log(formatLogMessage('proxy', `[socks-relay] handler error: ${e.message}`));
+      }
+      cleanup();
+    }
+  };
+  client.on('data', onData);
+  client.on('error', cleanup);
+}
+// SOCKS5 failure reply (valid only before piping starts).
+function failReply(client, code) {
+  try { client.write(Buffer.from([0x05, code, 0x00, 0x01, 0, 0, 0, 0, 0, 0])); } catch (_) {}
+}
+/**
+ * Ensure a relay exists for the given upstream; returns its local port.
+ * Idempotent — repeated calls for the same upstream reuse one relay.
+ *
+ * @param {{host:string,port:number,username:string,password:string}} upstream
+ * @param {boolean} forceDebug
+ * @returns {Promise<number>} local 127.0.0.1 port the relay listens on
+ */
+async function ensureRelay(upstream, forceDebug = false) {
+  const key = upstreamKey(upstream);
+  const existing = _relays.get(key);
+  if (existing) return existing.port;
+  const activeSockets = new Set();
+  const server = net.createServer((clientSock) => {
+    // Disable Nagle: page scanning is full of small-packet phases (per-origin
+    // TLS handshakes, small XHR/API calls, the SOCKS handshake itself).
+    // Nagle + delayed-ACK adds ~40ms stalls on those; relays should not.
+    try { clientSock.setNoDelay(true); } catch (_) {}
+    activeSockets.add(clientSock);
+    clientSock.on('close', () => activeSockets.delete(clientSock));
+    handleClient(clientSock, upstream, forceDebug);
+  });
+  await new Promise((resolve, reject) => {
+    const onErr = (e) => reject(e);
+    server.once('error', onErr);
+    server.listen(0, '127.0.0.1', () => {
+      server.removeListener('error', onErr);
+      // Keep a listener so a late server error doesn't crash the process.
+      server.on('error', (e) => {
+        if (forceDebug) console.log(formatLogMessage('proxy', `[socks-relay] server error: ${e.message}`));
+      });
+      resolve();
+    });
+  });
+  const port = server.address().port;
+  _relays.set(key, { server, port, activeSockets });
+  if (forceDebug) {
+    console.log(formatLogMessage('proxy', `[socks-relay] 127.0.0.1:${port} -> ${upstream.host}:${upstream.port} (auth user "${upstream.username}")`));
+  }
+  return port;
+}
+/**
+ * Sync lookup of an already-started relay's port. Returns null if no relay
+ * has been started for this upstream (caller should have called ensureRelay
+ * upfront).
+ */
+function getRelayPort(upstream) {
+  const r = _relays.get(upstreamKey(upstream));
+  return r ? r.port : null;
+}
+/**
+ * Tear down every relay: destroy in-flight sockets, close listeners.
+ * Safe to call multiple times.
+ */
+async function closeAllRelays(forceDebug = false) {
+  for (const [key, r] of _relays) {
+    for (const s of r.activeSockets) { try { s.destroy(); } catch (_) {} }
+    await new Promise((res) => {
+      try { r.server.close(() => res()); } catch (_) { res(); }
+    });
+    if (forceDebug) console.log(formatLogMessage('proxy', `[socks-relay] closed relay for ${key}`));
+  }
+  _relays.clear();
+}
+module.exports = { ensureRelay, getRelayPort, closeAllRelays };

package/nwss.js CHANGED Viewed

@@ -9,6 +9,7 @@ const fs = require('fs');
 const os = require('os');
 const psl = require('psl');
 const path = require('path');
+const dnsPromises = require('node:dns/promises');
 const { createGrepHandler, validateGrepAvailability } = require('./lib/grep');
 const { compressMultipleFiles, formatFileSize } = require('./lib/compress');
 const { parseSearchStrings, createResponseHandler, createCurlHandler } = require('./lib/searchstring');
@@ -50,7 +51,7 @@ const { isGhostCursorAvailable, createGhostCursor, ghostMove, ghostClick, ghostR
 const { createGlobalHelpers, getTotalDomainsSkipped, getDetectedDomainsCount } = require('./lib/domain-cache');
 const { createSmartCache } = require('./lib/smart-cache'); // Smart cache system
 const { clearPersistentCache } = require('./lib/smart-cache');
-const { needsProxy, getProxyArgs, applyProxyAuth, getProxyInfo, testProxy } = require('./lib/proxy');
+const { needsProxy, getProxyArgs, applyProxyAuth, getProxyInfo, testProxy, prepareSocksRelays, closeAllSocksRelays } = require('./lib/proxy');
 // Dry run functionality
 const { initializeDryRunCollections, addDryRunMatch, addDryRunNetTools, processDryRunResults, writeDryRunOutput } = require('./lib/dry-run');
 // Enhanced site data clearing functionality
@@ -266,6 +267,13 @@ if (fs.existsSync(NWSSCONFIG_PATH)) {
 }
 const headfulMode = args.includes('--headful');
+// Sites (esp. video/streaming) call element.requestFullscreen() on load or
+// click. In --headful that hijacks the real Chrome window into true
+// fullscreen, forcing a manual ESC. Neutralize the Fullscreen API by
+// default so it can't. Harmless in headless (no screen — the API is
+// already inert there), so default-on keeps headful consistent with the
+// primary headless path. --allow-fullscreen restores native behavior.
+const allowFullscreen = args.includes('--allow-fullscreen');
 const SOURCES_FOLDER = 'sources';
 let outputFile = null;
@@ -326,6 +334,31 @@ const cacheRequests = args.includes('--cache-requests');
 const dnsCacheMode = args.includes('--dns-cache');
 if (dnsCacheMode) enableDiskCache();
+// DNS pre-check before page.goto() — default-on, --no-dns-precheck disables.
+// Filters NXDOMAIN / unresolvable hostnames in <100ms before paying the
+// ~5-15s Puppeteer + Cloudflare detection round-trip on each.
+const dnsPrecheckEnabled = !args.includes('--no-dns-precheck');
+const dnsPrecheckTimeoutMs = 2000;
+// Per-scan cache of negative DNS lookups. OS resolvers don't always cache
+// NXDOMAIN responses, and a scan can hit the same dead hostname many times
+// (different URL paths on the same site). Positive results are left to the
+// OS cache; failure-cache avoids repeated lookup latency for known-dead hosts.
+// FIFO eviction at DNS_NEGATIVE_CACHE_MAX so pathological scans (thousands
+// of unique dead hosts) can't grow the cache unboundedly. Same pattern as
+// the rest of the codebase's in-memory caches.
+const dnsNegativeCache = new Map(); // hostname -> { error, timestamp }
+const DNS_NEGATIVE_CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const DNS_NEGATIVE_CACHE_MAX = 1000;
+let dnsPrecheckSkips = 0;
+function dnsNegativeCacheSet(hostname, error) {
+  if (dnsNegativeCache.size >= DNS_NEGATIVE_CACHE_MAX) {
+    dnsNegativeCache.delete(dnsNegativeCache.keys().next().value);
+  }
+  dnsNegativeCache.set(hostname, { error, timestamp: Date.now() });
+}
 let validateRulesFile = null;
 const validateRulesIndex = args.findIndex(arg => arg === '--validate-rules');
 if (validateRulesIndex !== -1 && args[validateRulesIndex + 1] && !args[validateRulesIndex + 1].startsWith('--')) {
@@ -643,6 +676,8 @@ General Options:
   --custom-json <file>           Use a custom config JSON file instead of config.json
   --headful                      Launch browser with GUI (not headless)
   --keep-open                    Keep browser open after scan completes (use with --headful)
+  --allow-fullscreen             Allow sites to use the Fullscreen API. By default it is
+                                 neutralized so sites can't hijack the window in --headful
   --use-puppeteer-core           Use puppeteer-core with system Chrome instead of bundled Chromium
   --use-obscura                  Connect to running Obscura CDP server (ws://127.0.0.1:9222 or OBSCURA_WS env)
                                  Skips fingerprint injection — Obscura provides built-in stealth
@@ -659,6 +694,9 @@ General Options:
 Validation Options:
   --cache-requests               Cache HTTP requests to avoid re-requesting same URLs within scan
   --dns-cache                    Persist dig/whois results to disk between runs (3hr/4hr TTL)
+  --no-dns-precheck              Disable per-URL DNS resolution check before page navigation.
+                                 By default, URLs whose hostname doesn't resolve are skipped
+                                 immediately (saves ~5-15s of Puppeteer time per dead host).
   --validate-config              Validate config.json file and exit
   --validate-rules [file]        Validate rule file format (uses --output/--compare files if no file specified)
   --clean-rules [file]           Clean rule files by removing invalid lines and optionally duplicates (uses --output/--compare files if no file specified)
@@ -1831,6 +1869,7 @@ function setupFrameHandling(page, forceDebug) {
     ovpnDisconnectAll(forceDebug);
     cleanupCloudflareCache();
     purgeStaleTrackers();
+    try { await closeAllSocksRelays(forceDebug); } catch (_) {}
   }
   let siteCounter = 0;
@@ -2438,6 +2477,29 @@ function setupFrameHandling(page, forceDebug) {
         } else if (forceDebug) {
           console.log(formatLogMessage('debug', `Skipping fingerprint injection — Obscura provides built-in stealth`));
         }
+        // Neutralize the Fullscreen API before any page script runs so a
+        // site can't force the real browser window fullscreen in --headful
+        // (or trip an anti-bot check that reads document.fullscreenElement).
+        // requestFullscreen is stubbed to a resolved no-op — which is also
+        // how browsers already behave when it's called without a user
+        // gesture, so this looks normal, not automated. fullscreenElement
+        // stays null naturally since we never enter fullscreen.
+        if (!allowFullscreen) {
+          try {
+            await page.evaluateOnNewDocument(() => {
+              const noop = function () { return Promise.resolve(); };
+              const legacyNoop = function () {};
+              try { Element.prototype.requestFullscreen = noop; } catch (_) {}
+              try { Element.prototype.webkitRequestFullscreen = legacyNoop; } catch (_) {}
+              try { Element.prototype.webkitRequestFullScreen = legacyNoop; } catch (_) {}
+              try { Element.prototype.mozRequestFullScreen = legacyNoop; } catch (_) {}
+              try { Element.prototype.msRequestFullscreen = legacyNoop; } catch (_) {}
+            });
+          } catch (fsErr) {
+            if (forceDebug) console.log(formatLogMessage('debug', `Fullscreen neutralization injection failed: ${fsErr.message}`));
+          }
+        }
         // Client Hints protection for Chrome user agents (skipped under Obscura — it sets its own)
         if (!useObscura && siteConfig.userAgent && siteConfig.userAgent.toLowerCase().includes('chrome')) {
@@ -4300,6 +4362,19 @@ function setupFrameHandling(page, forceDebug) {
   // Sort tasks so proxy groups are contiguous — direct connections first, then each proxy
   allTasks.sort((a, b) => proxyKeyFor(a.config).localeCompare(proxyKeyFor(b.config)));
+  // Pre-start local no-auth SOCKS5 relays for any authenticated socks5://
+  // upstreams. Done once here (the only async step) so getProxyArgs stays a
+  // sync lookup in the per-batch browser-launch path. Chromium can't auth
+  // SOCKS5; the relay does the upstream auth transparently.
+  try {
+    const relayCount = await prepareSocksRelays(sites, forceDebug);
+    if (relayCount > 0 && !silentMode) {
+      console.log(messageColors.processing(`Started ${relayCount} SOCKS5 auth relay(s)`));
+    }
+  } catch (relayErr) {
+    console.warn(formatLogMessage('proxy', `SOCKS5 relay setup failed: ${relayErr.message}`));
+  }
   let results = [];
   let processedUrlCount = 0;
   let urlsSinceLastCleanup = 0;
@@ -4580,6 +4655,66 @@ function setupFrameHandling(page, forceDebug) {
          if (!silentMode) console.log(formatLogMessage('info', `Skipping ${task.url} — ${taskDomain} timed out ${DOMAIN_TIMEOUT_THRESHOLD} times`));
          return { url: task.url, rules: [], success: false, error: 'Domain repeatedly timed out', skipped: true };
        }
+       // DNS pre-check — fails fast on NXDOMAIN/unresolvable hosts before
+       // we pay ~5-15s for Puppeteer navigation + Cloudflare detection.
+       // Skips IP literals. Respects an in-memory negative cache so a dead
+       // host hit by many URL paths only costs one DNS round-trip per TTL.
+       //
+       // Uses dns.resolve* (c-ares, async network I/O) NOT dns.lookup
+       // (getaddrinfo, libuv threadpool). Under scan concurrency Puppeteer
+       // saturates the default 4-slot threadpool with filesystem I/O, so
+       // dns.lookup calls sit queued and blow the timeout while never
+       // actually starting — wrongly skipping live domains. c-ares isn't
+       // threadpool-bound so it's immune to that contention.
+       if (dnsPrecheckEnabled && taskDomain && !/^[\d.:]+$|^\[/.test(taskDomain)) {
+         const cached = dnsNegativeCache.get(taskDomain);
+         if (cached && Date.now() - cached.timestamp < DNS_NEGATIVE_CACHE_TTL_MS) {
+           dnsPrecheckSkips++;
+           if (forceDebug) console.log(formatLogMessage('debug', `DNS pre-check (cached): ${taskDomain} — ${cached.error}`));
+           return { url: task.url, rules: [], success: false, error: `DNS: ${cached.error}`, skipped: true };
+         }
+         const dnsResolve = async () => {
+           // resolve4 first; on no-IPv4 (ENODATA / ENOTFOUND) fall back to
+           // resolve6 so IPv6-only hosts aren't wrongly skipped. Only a
+           // failure of BOTH means the host is genuinely unresolvable.
+           // 2s timeout kept as a real safety net — with c-ares off the
+           // threadpool it should now rarely fire.
+           let timer;
+           try {
+             const timeoutP = new Promise((_, reject) => {
+               timer = setTimeout(() => reject(new Error('DNS timeout')), dnsPrecheckTimeoutMs);
+             });
+             const resolveChain = dnsPromises.resolve4(taskDomain)
+               .catch(() => dnsPromises.resolve6(taskDomain));
+             await Promise.race([resolveChain, timeoutP]);
+           } finally {
+             if (timer) clearTimeout(timer);
+           }
+         };
+         // c-ares transient codes — retry once so a momentary resolver
+         // hiccup doesn't poison the negative cache for 5 minutes.
+         const TRANSIENT = new Set(['ETIMEOUT', 'ESERVFAIL', 'EREFUSED', 'ECONNREFUSED']);
+         try {
+           try {
+             await dnsResolve();
+           } catch (firstErr) {
+             const code = firstErr && firstErr.code;
+             if (TRANSIENT.has(code) || (firstErr && firstErr.message === 'DNS timeout')) {
+               if (forceDebug) console.log(formatLogMessage('debug', `DNS pre-check transient (${code || 'timeout'}) for ${taskDomain}, retrying once`));
+               await dnsResolve();
+             } else {
+               throw firstErr;
+             }
+           }
+         } catch (dnsErr) {
+           const errCode = dnsErr.code || dnsErr.message || 'DNS resolve failed';
+           dnsNegativeCacheSet(taskDomain, errCode);
+           dnsPrecheckSkips++;
+           if (forceDebug) console.log(formatLogMessage('debug', `DNS pre-check failed: ${taskDomain} — ${errCode}`));
+           return { url: task.url, rules: [], success: false, error: `DNS: ${errCode}`, skipped: true };
+         }
+       }
      } catch {}
      // Per-URL timeout so a single hung processUrl can't block the batch
@@ -4896,6 +5031,9 @@ function setupFrameHandling(page, forceDebug) {
      if (cloudflareScanStats.errorPages > 0) {
        console.log(formatLogMessage('debug', `Cloudflare 5xx origin-error pages: ${cloudflareScanStats.errorPages} (no bypass possible — origin unreachable)`));
      }
+     if (dnsPrecheckEnabled && dnsPrecheckSkips > 0) {
+       console.log(formatLogMessage('debug', `DNS pre-check skipped: ${dnsPrecheckSkips} URL(s) via ${dnsNegativeCache.size} unresolvable host(s)`));
+     }
      // Log smart cache statistics (if cache is enabled)
      // Adblock statistics
      if (adblockEnabled) {
@@ -5113,6 +5251,7 @@ function setupFrameHandling(page, forceDebug) {
   try { wgDisconnectAll(forceDebug); } catch (_) {}
   try { ovpnDisconnectAll(forceDebug); } catch (_) {}
   try { purgeStaleTrackers(); } catch (_) {}
+  try { await closeAllSocksRelays(forceDebug); } catch (_) {}
   // Clean process termination
   if (forceDebug) console.log(formatLogMessage('debug', `About to exit process...`));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@fanboynz/network-scanner",
-  "version": "2.0.65",
+  "version": "2.0.66",
   "description": "A Puppeteer-based network scanner for analyzing web traffic, generating adblock filter rules, and identifying third-party requests. Features include fingerprint spoofing, Cloudflare bypass, content analysis with curl/grep, and multiple output formats.",
   "main": "nwss.js",
   "scripts": {
@@ -14,11 +14,12 @@
     "lru-cache": "^11.3.5",
     "p-limit": "^7.3.0",
     "psl": "^1.15.0",
-    "puppeteer": ">=20.0.0"
+    "puppeteer": ">=20.0.0",
+    "socks": "^2.8.9"
   },
   "overrides": {
     "tar-fs": "3.1.1",
-    "ws": "8.18.3",
+    "ws": ">=8.20.1",
     "yauzl": ">=3.2.1"
   },
   "keywords": [