@hyperframes/engine 0.6.68 → 0.6.69

package/dist/utils/urlDownloader.d.ts

@@ -1,3 +1,9 @@
+/**
+ * Validate that a URL is safe to fetch on behalf of customer-supplied
+ * compositions. Throws if the URL is non-HTTPS or targets a private/reserved
+ * address range (SSRF guard).
+ */
+export declare function assertPublicHttpsUrl(url: string): void;
 export declare function downloadToTemp(url: string, destDir: string, timeoutMs?: number): Promise<string>;
 export declare function isHttpUrl(path: string): boolean;
 //# sourceMappingURL=urlDownloader.d.ts.map

package/dist/utils/urlDownloader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"urlDownloader.d.ts","sourceRoot":"","sources":["../../src/utils/urlDownloader.ts"],"names":[],"mappings":"AAgBA,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,MAAM,EACf,SAAS,GAAE,MAAe,GACzB,OAAO,CAAC,MAAM,CAAC,CAyDjB;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE/C"}
+{"version":3,"file":"urlDownloader.d.ts","sourceRoot":"","sources":["../../src/utils/urlDownloader.ts"],"names":[],"mappings":"AAyCA;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAiBtD;AASD,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,MAAM,EACf,SAAS,GAAE,MAAe,GACzB,OAAO,CAAC,MAAM,CAAC,CA8DjB;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE/C"}

package/dist/utils/urlDownloader.js

@@ -5,6 +5,59 @@ import { Readable } from "stream";
 import { finished } from "stream/promises";
 const downloadPathCache = new Map();
 const inFlightDownloads = new Map();
+// SSRF guard: these prefixes identify non-public address space that
+// compositions (customer-supplied) must never be able to reach via the
+// download path. Blocks AWS IMDS (169.254.169.254), loopback, RFC1918,
+// and unspecified addresses. All comparisons are on the raw hostname
+// string; DNS resolution is NOT performed here, so DNS-rebinding bypasses
+// are not closed by this check — that gap is acceptable for the risk level.
+const BLOCKED_HOST_PREFIXES = [
+    "169.254.", // link-local / AWS IMDS
+    "127.", // loopback IPv4
+    "10.", // RFC1918
+    "192.168.", // RFC1918
+    "0.", // unspecified
+    "[::1]", // loopback IPv6
+    "[fc", // RFC4193 unique-local IPv6
+    "[fd", // RFC4193 unique-local IPv6
+];
+// 172.16.0.0 – 172.31.255.255 (RFC1918)
+const BLOCKED_172_RANGE = { min: 16, max: 31 };
+function isBlockedHost(hostname) {
+    const h = hostname.toLowerCase();
+    if (h === "localhost")
+        return true;
+    if (BLOCKED_HOST_PREFIXES.some((p) => h.startsWith(p)))
+        return true;
+    // 172.16–172.31
+    const m = h.match(/^172\.(\d{1,3})\./);
+    if (m) {
+        const octet = parseInt(m[1] ?? "0", 10);
+        if (octet >= BLOCKED_172_RANGE.min && octet <= BLOCKED_172_RANGE.max)
+            return true;
+    }
+    return false;
+}
+/**
+ * Validate that a URL is safe to fetch on behalf of customer-supplied
+ * compositions. Throws if the URL is non-HTTPS or targets a private/reserved
+ * address range (SSRF guard).
+ */
+export function assertPublicHttpsUrl(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new Error(`[URLDownloader] Invalid URL: ${url}`);
+    }
+    if (parsed.protocol !== "https:") {
+        throw new Error(`[URLDownloader] Only HTTPS URLs are permitted in compositions (got ${parsed.protocol}): ${url}`);
+    }
+    if (isBlockedHost(parsed.hostname)) {
+        throw new Error(`[URLDownloader] URL targets a private/reserved address and is not permitted: ${url}`);
+    }
+}
 function getFilenameFromUrl(url) {
     const hash = createHash("md5").update(url).digest("hex").slice(0, 12);
     const urlObj = new URL(url);
@@ -12,6 +65,10 @@ function getFilenameFromUrl(url) {
     return `download_${hash}${ext}`;
 }
 export async function downloadToTemp(url, destDir, timeoutMs = 300000) {
+    // Reject non-HTTPS URLs and private/reserved address ranges before
+    // touching the cache or filesystem — customer-supplied compositions must
+    // not be able to trigger outbound fetches to internal infrastructure.
+    assertPublicHttpsUrl(url);
     const cachedPath = downloadPathCache.get(url);
     if (cachedPath && existsSync(cachedPath)) {
         return cachedPath;

package/dist/utils/urlDownloader.js.map

@@ -1 +1 @@
-{"version":3,"file":"urlDownloader.js","sourceRoot":"","sources":["../../src/utils/urlDownloader.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAClC,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE3C,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAkB,CAAC;AACpD,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAA2B,CAAC;AAE7D,SAAS,kBAAkB,CAAC,GAAW;IACrC,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACtE,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC;IAC/C,OAAO,YAAY,IAAI,GAAG,GAAG,EAAE,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAW,EACX,OAAe,EACf,YAAoB,MAAM;IAE1B,MAAM,UAAU,GAAG,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC9C,IAAI,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACzC,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzB,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAE1C,IAAI,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC1B,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACtC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,eAAe,GAAG,CAAC,KAAK,IAAI,EAAE;QAClC,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;YAElE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACjE,YAAY,CAAC,SAAS,CAAC,CAAC;YAExB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;YACrE,CAAC;YAED,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACnB,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;YAC5C,CAAC;YAED,MAAM,UAAU,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAChD,8DAA8D;YAC9D,MAAM,cAAc,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAW,CAAC,CAAC;YAC9D,MAAM,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;YAEhD,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YACtC,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,KAAK,CAAC,0CAA0C,SAAS,GAAG,IAAI,MAAM,GAAG,EAAE,CAAC,CAAC;YACzF,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,oCAAoC,OAAO,EAAE,CAAC,CAAC;QACjE,CAAC;gBAAS,CAAC;YACT,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IACL,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAC5C,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,OAAO,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AACnE,CAAC"}
+{"version":3,"file":"urlDownloader.js","sourceRoot":"","sources":["../../src/utils/urlDownloader.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAClC,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE3C,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAkB,CAAC;AACpD,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAA2B,CAAC;AAE7D,oEAAoE;AACpE,uEAAuE;AACvE,uEAAuE;AACvE,qEAAqE;AACrE,0EAA0E;AAC1E,4EAA4E;AAC5E,MAAM,qBAAqB,GAAG;IAC5B,UAAU,EAAE,wBAAwB;IACpC,MAAM,EAAE,gBAAgB;IACxB,KAAK,EAAE,UAAU;IACjB,UAAU,EAAE,UAAU;IACtB,IAAI,EAAE,cAAc;IACpB,OAAO,EAAE,gBAAgB;IACzB,KAAK,EAAE,4BAA4B;IACnC,KAAK,EAAE,4BAA4B;CACpC,CAAC;AACF,wCAAwC;AACxC,MAAM,iBAAiB,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,CAAC;AAE/C,SAAS,aAAa,CAAC,QAAgB;IACrC,MAAM,CAAC,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,CAAC,KAAK,WAAW;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpE,gBAAgB;IAChB,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,IAAI,CAAC,EAAE,CAAC;QACN,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;QACxC,IAAI,KAAK,IAAI,iBAAiB,CAAC,GAAG,IAAI,KAAK,IAAI,iBAAiB,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;IACpF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAW;IAC9C,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CACb,sEAAsE,MAAM,CAAC,QAAQ,MAAM,GAAG,EAAE,CACjG,CAAC;IACJ,CAAC;IACD,IAAI,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CACb,gFAAgF,GAAG,EAAE,CACtF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAW;IACrC,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACtE,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC;IAC/C,OAAO,YAAY,IAAI,GAAG,GAAG,EAAE,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAW,EACX,OAAe,EACf,YAAoB,MAAM;IAE1B,mEAAmE;IACnE,yEAAyE;IACzE,sEAAsE;IACtE,oBAAoB,CAAC,GAAG,CAAC,CAAC;IAE1B,MAAM,UAAU,GAAG,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC9C,IAAI,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACzC,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzB,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAE1C,IAAI,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC1B,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACtC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,eAAe,GAAG,CAAC,KAAK,IAAI,EAAE;QAClC,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;YAElE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACjE,YAAY,CAAC,SAAS,CAAC,CAAC;YAExB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;YACrE,CAAC;YAED,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACnB,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;YAC5C,CAAC;YAED,MAAM,UAAU,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAChD,8DAA8D;YAC9D,MAAM,cAAc,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAW,CAAC,CAAC;YAC9D,MAAM,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;YAEhD,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YACtC,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,KAAK,CAAC,0CAA0C,SAAS,GAAG,IAAI,MAAM,GAAG,EAAE,CAAC,CAAC;YACzF,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,oCAAoC,OAAO,EAAE,CAAC,CAAC;QACjE,CAAC;gBAAS,CAAC;YACT,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IACL,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAC5C,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,OAAO,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AACnE,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hyperframes/engine",
-  "version": "0.6.68",
+  "version": "0.6.69",
   "description": "Seekable web page to video rendering engine (Puppeteer + FFmpeg)",
   "repository": {
     "type": "git",
@@ -21,7 +21,7 @@
     "linkedom": "^0.18.12",
     "puppeteer": "^24.0.0",
     "puppeteer-core": "^24.39.1",
-    "@hyperframes/core": "^0.6.68"
+    "@hyperframes/core": "^0.6.69"
   },
   "devDependencies": {
     "@types/node": "^25.0.10",

package/src/utils/urlDownloader.test.ts

@@ -0,0 +1,65 @@
+import { describe, expect, it } from "vitest";
+import { assertPublicHttpsUrl } from "./urlDownloader.js";
+
+describe("assertPublicHttpsUrl — SSRF guard", () => {
+  it("accepts public HTTPS URLs", () => {
+    expect(() =>
+      assertPublicHttpsUrl("https://gen-os-static.s3.us-east-2.amazonaws.com/fonts/font.ttf"),
+    ).not.toThrow();
+    expect(() => assertPublicHttpsUrl("https://cdn.jsdelivr.net/npm/gsap.min.js")).not.toThrow();
+    expect(() => assertPublicHttpsUrl("https://fonts.gstatic.com/s/font.woff2")).not.toThrow();
+  });
+
+  it("rejects http:// (non-HTTPS)", () => {
+    expect(() => assertPublicHttpsUrl("http://example.com/font.ttf")).toThrow("Only HTTPS");
+  });
+
+  it("rejects AWS IMDS (169.254.169.254)", () => {
+    expect(() =>
+      assertPublicHttpsUrl("https://169.254.169.254/latest/meta-data/iam/security-credentials/"),
+    ).toThrow("private/reserved");
+    expect(() => assertPublicHttpsUrl("http://169.254.169.254/latest/user-data")).toThrow();
+  });
+
+  it("rejects loopback (127.x.x.x)", () => {
+    expect(() => assertPublicHttpsUrl("https://127.0.0.1/font.ttf")).toThrow("private/reserved");
+    expect(() => assertPublicHttpsUrl("https://127.1.2.3/secret")).toThrow("private/reserved");
+  });
+
+  it("rejects localhost", () => {
+    expect(() => assertPublicHttpsUrl("https://localhost/font.ttf")).toThrow("private/reserved");
+    expect(() => assertPublicHttpsUrl("http://localhost:3000/secret")).toThrow();
+  });
+
+  it("rejects RFC1918 — 10.x", () => {
+    expect(() => assertPublicHttpsUrl("https://10.0.0.1/secret")).toThrow("private/reserved");
+    expect(() => assertPublicHttpsUrl("https://10.255.255.255/secret")).toThrow("private/reserved");
+  });
+
+  it("rejects RFC1918 — 172.16–172.31", () => {
+    expect(() => assertPublicHttpsUrl("https://172.16.0.1/secret")).toThrow("private/reserved");
+    expect(() => assertPublicHttpsUrl("https://172.31.255.255/secret")).toThrow("private/reserved");
+  });
+
+  it("allows 172.0–172.15 and 172.32+ (not RFC1918)", () => {
+    expect(() => assertPublicHttpsUrl("https://172.15.0.1/font.ttf")).not.toThrow();
+    expect(() => assertPublicHttpsUrl("https://172.32.0.1/font.ttf")).not.toThrow();
+  });
+
+  it("rejects RFC1918 — 192.168.x", () => {
+    expect(() => assertPublicHttpsUrl("https://192.168.1.1/secret")).toThrow("private/reserved");
+  });
+
+  it("rejects unspecified address (0.x)", () => {
+    expect(() => assertPublicHttpsUrl("https://0.0.0.0/secret")).toThrow("private/reserved");
+  });
+
+  it("rejects loopback IPv6 ([::1])", () => {
+    expect(() => assertPublicHttpsUrl("https://[::1]/secret")).toThrow("private/reserved");
+  });
+
+  it("rejects invalid URLs", () => {
+    expect(() => assertPublicHttpsUrl("not-a-url")).toThrow("Invalid URL");
+    expect(() => assertPublicHttpsUrl("")).toThrow("Invalid URL");
+  });
+});

package/src/utils/urlDownloader.ts

@@ -7,6 +7,62 @@ import { finished } from "stream/promises";
 const downloadPathCache = new Map<string, string>();
 const inFlightDownloads = new Map<string, Promise<string>>();
 
+// SSRF guard: these prefixes identify non-public address space that
+// compositions (customer-supplied) must never be able to reach via the
+// download path. Blocks AWS IMDS (169.254.169.254), loopback, RFC1918,
+// and unspecified addresses. All comparisons are on the raw hostname
+// string; DNS resolution is NOT performed here, so DNS-rebinding bypasses
+// are not closed by this check — that gap is acceptable for the risk level.
+const BLOCKED_HOST_PREFIXES = [
+  "169.254.", // link-local / AWS IMDS
+  "127.", // loopback IPv4
+  "10.", // RFC1918
+  "192.168.", // RFC1918
+  "0.", // unspecified
+  "[::1]", // loopback IPv6
+  "[fc", // RFC4193 unique-local IPv6
+  "[fd", // RFC4193 unique-local IPv6
+];
+// 172.16.0.0 – 172.31.255.255 (RFC1918)
+const BLOCKED_172_RANGE = { min: 16, max: 31 };
+
+function isBlockedHost(hostname: string): boolean {
+  const h = hostname.toLowerCase();
+  if (h === "localhost") return true;
+  if (BLOCKED_HOST_PREFIXES.some((p) => h.startsWith(p))) return true;
+  // 172.16–172.31
+  const m = h.match(/^172\.(\d{1,3})\./);
+  if (m) {
+    const octet = parseInt(m[1] ?? "0", 10);
+    if (octet >= BLOCKED_172_RANGE.min && octet <= BLOCKED_172_RANGE.max) return true;
+  }
+  return false;
+}
+
+/**
+ * Validate that a URL is safe to fetch on behalf of customer-supplied
+ * compositions. Throws if the URL is non-HTTPS or targets a private/reserved
+ * address range (SSRF guard).
+ */
+export function assertPublicHttpsUrl(url: string): void {
+  let parsed: URL;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new Error(`[URLDownloader] Invalid URL: ${url}`);
+  }
+  if (parsed.protocol !== "https:") {
+    throw new Error(
+      `[URLDownloader] Only HTTPS URLs are permitted in compositions (got ${parsed.protocol}): ${url}`,
+    );
+  }
+  if (isBlockedHost(parsed.hostname)) {
+    throw new Error(
+      `[URLDownloader] URL targets a private/reserved address and is not permitted: ${url}`,
+    );
+  }
+}
+
 function getFilenameFromUrl(url: string): string {
   const hash = createHash("md5").update(url).digest("hex").slice(0, 12);
   const urlObj = new URL(url);
@@ -19,6 +75,11 @@ export async function downloadToTemp(
   destDir: string,
   timeoutMs: number = 300000,
 ): Promise<string> {
+  // Reject non-HTTPS URLs and private/reserved address ranges before
+  // touching the cache or filesystem — customer-supplied compositions must
+  // not be able to trigger outbound fetches to internal infrastructure.
+  assertPublicHttpsUrl(url);
+
   const cachedPath = downloadPathCache.get(url);
   if (cachedPath && existsSync(cachedPath)) {
     return cachedPath;