@nocobase/utils 2.2.0-alpha.4 → 2.2.0-alpha.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/server-request.js +93 -3
- package/package.json +2 -2
package/lib/server-request.js
CHANGED
|
@@ -44,7 +44,12 @@ __export(server_request_exports, {
|
|
|
44
44
|
module.exports = __toCommonJS(server_request_exports);
|
|
45
45
|
var import_ipaddr = __toESM(require("ipaddr.js"));
|
|
46
46
|
var import_axios = __toESM(require("axios"));
|
|
47
|
+
var import_promises = require("dns/promises");
|
|
47
48
|
const ALLOWED_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:"]);
|
|
49
|
+
const SSRF_RISK_IP_RANGES = /* @__PURE__ */ new Set(["loopback", "private", "linkLocal", "uniqueLocal", "unspecified"]);
|
|
50
|
+
const SSRF_RISK_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "metadata.google.internal"]);
|
|
51
|
+
const DNS_LOOKUP_WARNING_TIMEOUT = 1e3;
|
|
52
|
+
const warnedSsrfRiskTargets = /* @__PURE__ */ new Set();
|
|
48
53
|
function matchesIpEntry(hostname, entry) {
|
|
49
54
|
try {
|
|
50
55
|
let addr = import_ipaddr.default.parse(hostname);
|
|
@@ -87,6 +92,88 @@ function matchesEntry(hostname, entry) {
|
|
|
87
92
|
return import_ipaddr.default.isValid(hostname) ? matchesIpEntry(hostname, e) : matchesDomainPattern(hostname, e);
|
|
88
93
|
}
|
|
89
94
|
__name(matchesEntry, "matchesEntry");
|
|
95
|
+
function getNormalizedHost(url) {
|
|
96
|
+
const { hostname } = url;
|
|
97
|
+
return hostname.startsWith("[") && hostname.endsWith("]") ? hostname.slice(1, -1) : hostname;
|
|
98
|
+
}
|
|
99
|
+
__name(getNormalizedHost, "getNormalizedHost");
|
|
100
|
+
function getSsrfRiskReason(hostname) {
|
|
101
|
+
const host = hostname.toLowerCase();
|
|
102
|
+
if (SSRF_RISK_HOSTNAMES.has(host)) {
|
|
103
|
+
return "known local or metadata hostname";
|
|
104
|
+
}
|
|
105
|
+
if (!import_ipaddr.default.isValid(host)) {
|
|
106
|
+
return;
|
|
107
|
+
}
|
|
108
|
+
try {
|
|
109
|
+
let addr = import_ipaddr.default.parse(host);
|
|
110
|
+
if (addr.kind() === "ipv6" && addr.isIPv4MappedAddress()) {
|
|
111
|
+
addr = addr.toIPv4Address();
|
|
112
|
+
}
|
|
113
|
+
const range = addr.range();
|
|
114
|
+
return SSRF_RISK_IP_RANGES.has(range) ? range : void 0;
|
|
115
|
+
} catch {
|
|
116
|
+
return;
|
|
117
|
+
}
|
|
118
|
+
}
|
|
119
|
+
__name(getSsrfRiskReason, "getSsrfRiskReason");
|
|
120
|
+
function warnSsrfRiskTarget(host, reason, key = `${host}:${reason}`) {
|
|
121
|
+
if (warnedSsrfRiskTargets.has(key)) return;
|
|
122
|
+
warnedSsrfRiskTargets.add(key);
|
|
123
|
+
console.warn(
|
|
124
|
+
[
|
|
125
|
+
`Outbound request to "${host}" targets a potential SSRF risk target (${reason}) and is allowed because SERVER_REQUEST_WHITELIST is not configured.`,
|
|
126
|
+
"Configure SERVER_REQUEST_WHITELIST to explicitly allow required outbound targets.",
|
|
127
|
+
"A future version may block private, loopback, link-local, and metadata targets by default."
|
|
128
|
+
].join(" ")
|
|
129
|
+
);
|
|
130
|
+
}
|
|
131
|
+
__name(warnSsrfRiskTarget, "warnSsrfRiskTarget");
|
|
132
|
+
function warnIfSsrfRiskTarget(host) {
|
|
133
|
+
const reason = getSsrfRiskReason(host);
|
|
134
|
+
if (!reason) return;
|
|
135
|
+
warnSsrfRiskTarget(host, reason);
|
|
136
|
+
}
|
|
137
|
+
__name(warnIfSsrfRiskTarget, "warnIfSsrfRiskTarget");
|
|
138
|
+
function hasServerRequestWhitelist() {
|
|
139
|
+
const whitelist = process.env.SERVER_REQUEST_WHITELIST;
|
|
140
|
+
return Boolean(whitelist && whitelist.trim());
|
|
141
|
+
}
|
|
142
|
+
__name(hasServerRequestWhitelist, "hasServerRequestWhitelist");
|
|
143
|
+
async function resolveHostAddresses(host) {
|
|
144
|
+
try {
|
|
145
|
+
return await Promise.race([
|
|
146
|
+
(0, import_promises.lookup)(host, { all: true, verbatim: true }),
|
|
147
|
+
new Promise((resolve) => {
|
|
148
|
+
setTimeout(() => resolve([]), DNS_LOOKUP_WARNING_TIMEOUT);
|
|
149
|
+
})
|
|
150
|
+
]);
|
|
151
|
+
} catch {
|
|
152
|
+
return [];
|
|
153
|
+
}
|
|
154
|
+
}
|
|
155
|
+
__name(resolveHostAddresses, "resolveHostAddresses");
|
|
156
|
+
async function warnIfResolvedSsrfRiskTarget(url) {
|
|
157
|
+
if (!url || !url.includes("://") || hasServerRequestWhitelist()) return;
|
|
158
|
+
let parsed;
|
|
159
|
+
try {
|
|
160
|
+
parsed = new URL(url);
|
|
161
|
+
} catch {
|
|
162
|
+
return;
|
|
163
|
+
}
|
|
164
|
+
if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return;
|
|
165
|
+
const host = getNormalizedHost(parsed);
|
|
166
|
+
if (getSsrfRiskReason(host) || import_ipaddr.default.isValid(host)) return;
|
|
167
|
+
const addresses = await resolveHostAddresses(host);
|
|
168
|
+
for (const address of addresses) {
|
|
169
|
+
const reason = getSsrfRiskReason(address.address);
|
|
170
|
+
if (reason) {
|
|
171
|
+
warnSsrfRiskTarget(host, `resolves to ${address.address} (${reason})`, `${host}:resolved-risk`);
|
|
172
|
+
return;
|
|
173
|
+
}
|
|
174
|
+
}
|
|
175
|
+
}
|
|
176
|
+
__name(warnIfResolvedSsrfRiskTarget, "warnIfResolvedSsrfRiskTarget");
|
|
90
177
|
function checkUrlAgainstWhitelist(url) {
|
|
91
178
|
if (!url) return;
|
|
92
179
|
if (!url.includes("://")) return;
|
|
@@ -101,12 +188,14 @@ function checkUrlAgainstWhitelist(url) {
|
|
|
101
188
|
`URL scheme "${parsed.protocol.replace(":", "")}" is not allowed. Only http and https are permitted.`
|
|
102
189
|
);
|
|
103
190
|
}
|
|
191
|
+
const host = getNormalizedHost(parsed);
|
|
104
192
|
const whitelist = process.env.SERVER_REQUEST_WHITELIST;
|
|
105
|
-
if (!whitelist || !whitelist.trim())
|
|
193
|
+
if (!whitelist || !whitelist.trim()) {
|
|
194
|
+
warnIfSsrfRiskTarget(host);
|
|
195
|
+
return;
|
|
196
|
+
}
|
|
106
197
|
const entries = whitelist.split(",").map((e) => e.trim()).filter(Boolean);
|
|
107
198
|
if (entries.length === 0) return;
|
|
108
|
-
const { hostname } = parsed;
|
|
109
|
-
const host = hostname.startsWith("[") && hostname.endsWith("]") ? hostname.slice(1, -1) : hostname;
|
|
110
199
|
for (const entry of entries) {
|
|
111
200
|
if (matchesEntry(host, entry)) return;
|
|
112
201
|
}
|
|
@@ -117,6 +206,7 @@ function checkUrlAgainstWhitelist(url) {
|
|
|
117
206
|
__name(checkUrlAgainstWhitelist, "checkUrlAgainstWhitelist");
|
|
118
207
|
async function serverRequest(config) {
|
|
119
208
|
checkUrlAgainstWhitelist(config.url);
|
|
209
|
+
await warnIfResolvedSsrfRiskTarget(config.url);
|
|
120
210
|
return import_axios.default.request(config);
|
|
121
211
|
}
|
|
122
212
|
__name(serverRequest, "serverRequest");
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@nocobase/utils",
|
|
3
|
-
"version": "2.2.0-alpha.
|
|
3
|
+
"version": "2.2.0-alpha.6",
|
|
4
4
|
"main": "lib/index.js",
|
|
5
5
|
"types": "./lib/index.d.ts",
|
|
6
6
|
"license": "Apache-2.0",
|
|
@@ -21,5 +21,5 @@
|
|
|
21
21
|
"object-path": "^0.11.8",
|
|
22
22
|
"ses": "^1.14.0"
|
|
23
23
|
},
|
|
24
|
-
"gitHead": "
|
|
24
|
+
"gitHead": "f55b252811f6af01d08cd3814171867b70c8ef7a"
|
|
25
25
|
}
|