@nocobase/utils 2.2.0-beta.8 → 2.2.0-beta.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -44,7 +44,12 @@ __export(server_request_exports, {
44
44
  module.exports = __toCommonJS(server_request_exports);
45
45
  var import_ipaddr = __toESM(require("ipaddr.js"));
46
46
  var import_axios = __toESM(require("axios"));
47
+ var import_promises = require("dns/promises");
47
48
  const ALLOWED_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:"]);
49
+ const SSRF_RISK_IP_RANGES = /* @__PURE__ */ new Set(["loopback", "private", "linkLocal", "uniqueLocal", "unspecified"]);
50
+ const SSRF_RISK_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "metadata.google.internal"]);
51
+ const DNS_LOOKUP_WARNING_TIMEOUT = 1e3;
52
+ const warnedSsrfRiskTargets = /* @__PURE__ */ new Set();
48
53
  function matchesIpEntry(hostname, entry) {
49
54
  try {
50
55
  let addr = import_ipaddr.default.parse(hostname);
@@ -87,6 +92,88 @@ function matchesEntry(hostname, entry) {
87
92
  return import_ipaddr.default.isValid(hostname) ? matchesIpEntry(hostname, e) : matchesDomainPattern(hostname, e);
88
93
  }
89
94
  __name(matchesEntry, "matchesEntry");
95
+ function getNormalizedHost(url) {
96
+ const { hostname } = url;
97
+ return hostname.startsWith("[") && hostname.endsWith("]") ? hostname.slice(1, -1) : hostname;
98
+ }
99
+ __name(getNormalizedHost, "getNormalizedHost");
100
+ function getSsrfRiskReason(hostname) {
101
+ const host = hostname.toLowerCase();
102
+ if (SSRF_RISK_HOSTNAMES.has(host)) {
103
+ return "known local or metadata hostname";
104
+ }
105
+ if (!import_ipaddr.default.isValid(host)) {
106
+ return;
107
+ }
108
+ try {
109
+ let addr = import_ipaddr.default.parse(host);
110
+ if (addr.kind() === "ipv6" && addr.isIPv4MappedAddress()) {
111
+ addr = addr.toIPv4Address();
112
+ }
113
+ const range = addr.range();
114
+ return SSRF_RISK_IP_RANGES.has(range) ? range : void 0;
115
+ } catch {
116
+ return;
117
+ }
118
+ }
119
+ __name(getSsrfRiskReason, "getSsrfRiskReason");
120
+ function warnSsrfRiskTarget(host, reason, key = `${host}:${reason}`) {
121
+ if (warnedSsrfRiskTargets.has(key)) return;
122
+ warnedSsrfRiskTargets.add(key);
123
+ console.warn(
124
+ [
125
+ `Outbound request to "${host}" targets a potential SSRF risk target (${reason}) and is allowed because SERVER_REQUEST_WHITELIST is not configured.`,
126
+ "Configure SERVER_REQUEST_WHITELIST to explicitly allow required outbound targets.",
127
+ "A future version may block private, loopback, link-local, and metadata targets by default."
128
+ ].join(" ")
129
+ );
130
+ }
131
+ __name(warnSsrfRiskTarget, "warnSsrfRiskTarget");
132
+ function warnIfSsrfRiskTarget(host) {
133
+ const reason = getSsrfRiskReason(host);
134
+ if (!reason) return;
135
+ warnSsrfRiskTarget(host, reason);
136
+ }
137
+ __name(warnIfSsrfRiskTarget, "warnIfSsrfRiskTarget");
138
+ function hasServerRequestWhitelist() {
139
+ const whitelist = process.env.SERVER_REQUEST_WHITELIST;
140
+ return Boolean(whitelist && whitelist.trim());
141
+ }
142
+ __name(hasServerRequestWhitelist, "hasServerRequestWhitelist");
143
+ async function resolveHostAddresses(host) {
144
+ try {
145
+ return await Promise.race([
146
+ (0, import_promises.lookup)(host, { all: true, verbatim: true }),
147
+ new Promise((resolve) => {
148
+ setTimeout(() => resolve([]), DNS_LOOKUP_WARNING_TIMEOUT);
149
+ })
150
+ ]);
151
+ } catch {
152
+ return [];
153
+ }
154
+ }
155
+ __name(resolveHostAddresses, "resolveHostAddresses");
156
+ async function warnIfResolvedSsrfRiskTarget(url) {
157
+ if (!url || !url.includes("://") || hasServerRequestWhitelist()) return;
158
+ let parsed;
159
+ try {
160
+ parsed = new URL(url);
161
+ } catch {
162
+ return;
163
+ }
164
+ if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return;
165
+ const host = getNormalizedHost(parsed);
166
+ if (getSsrfRiskReason(host) || import_ipaddr.default.isValid(host)) return;
167
+ const addresses = await resolveHostAddresses(host);
168
+ for (const address of addresses) {
169
+ const reason = getSsrfRiskReason(address.address);
170
+ if (reason) {
171
+ warnSsrfRiskTarget(host, `resolves to ${address.address} (${reason})`, `${host}:resolved-risk`);
172
+ return;
173
+ }
174
+ }
175
+ }
176
+ __name(warnIfResolvedSsrfRiskTarget, "warnIfResolvedSsrfRiskTarget");
90
177
  function checkUrlAgainstWhitelist(url) {
91
178
  if (!url) return;
92
179
  if (!url.includes("://")) return;
@@ -101,12 +188,14 @@ function checkUrlAgainstWhitelist(url) {
101
188
  `URL scheme "${parsed.protocol.replace(":", "")}" is not allowed. Only http and https are permitted.`
102
189
  );
103
190
  }
191
+ const host = getNormalizedHost(parsed);
104
192
  const whitelist = process.env.SERVER_REQUEST_WHITELIST;
105
- if (!whitelist || !whitelist.trim()) return;
193
+ if (!whitelist || !whitelist.trim()) {
194
+ warnIfSsrfRiskTarget(host);
195
+ return;
196
+ }
106
197
  const entries = whitelist.split(",").map((e) => e.trim()).filter(Boolean);
107
198
  if (entries.length === 0) return;
108
- const { hostname } = parsed;
109
- const host = hostname.startsWith("[") && hostname.endsWith("]") ? hostname.slice(1, -1) : hostname;
110
199
  for (const entry of entries) {
111
200
  if (matchesEntry(host, entry)) return;
112
201
  }
@@ -117,6 +206,7 @@ function checkUrlAgainstWhitelist(url) {
117
206
  __name(checkUrlAgainstWhitelist, "checkUrlAgainstWhitelist");
118
207
  async function serverRequest(config) {
119
208
  checkUrlAgainstWhitelist(config.url);
209
+ await warnIfResolvedSsrfRiskTarget(config.url);
120
210
  return import_axios.default.request(config);
121
211
  }
122
212
  __name(serverRequest, "serverRequest");
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@nocobase/utils",
3
- "version": "2.2.0-beta.8",
3
+ "version": "2.2.0-beta.9",
4
4
  "main": "lib/index.js",
5
5
  "types": "./lib/index.d.ts",
6
6
  "license": "Apache-2.0",
@@ -21,5 +21,5 @@
21
21
  "object-path": "^0.11.8",
22
22
  "ses": "^1.14.0"
23
23
  },
24
- "gitHead": "fa2502c1e9faf6d74b3f51b42dbc6546638d46af"
24
+ "gitHead": "60e3d7abbaa0c7cead76f71a4f3d5eedb6b8acdb"
25
25
  }