npm - @pylonsync/functions - Versions diffs - 0.3.256 → 0.3.257 - Mend

@pylonsync/functions 0.3.256 → 0.3.257

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pylonsync/functions",
-  "version": "0.3.256",
+  "version": "0.3.257",
   "description": "TypeScript function runtime for pylon — defines server-side queries, mutations, and actions.",
   "type": "module",
   "main": "src/index.ts",

package/src/ssr-runtime.test.ts CHANGED Viewed

@@ -10,8 +10,48 @@ import {
   renderMetadata,
   buildHydrationTail,
   errorDigest,
+  resolveOrigin,
 } from "./ssr-runtime";
+describe("resolveOrigin — Host-header allowlist (cache-poisoning fence)", () => {
+  const publicUrl = "https://www.notbehind.com";
+  test("trusts the Host only when it's the configured public origin", () => {
+    expect(resolveOrigin({ host: "www.notbehind.com", publicUrl })).toBe(
+      "https://www.notbehind.com",
+    );
+  });
+  test("an attacker Host falls back to the public origin (no poisoning)", () => {
+    // The crux: Host: evil.com must NOT produce https://evil.com (which would
+    // be baked into og:image + teed into the shared ISR/CDN cache).
+    expect(resolveOrigin({ host: "evil.com", publicUrl })).toBe(
+      "https://www.notbehind.com",
+    );
+  });
+  test("explicit PYLON_TRUSTED_HOSTS + canonical host are honored", () => {
+    expect(
+      resolveOrigin({ host: "cdn.notbehind.com", publicUrl, trustedHostsCsv: "cdn.notbehind.com, x.com" }),
+    ).toBe("https://cdn.notbehind.com");
+    expect(resolveOrigin({ host: "notbehind.com", publicUrl, canonicalHost: "notbehind.com" })).toBe(
+      "https://notbehind.com",
+    );
+  });
+  test("loopback is trusted for dev; X-Forwarded-Proto honored only there", () => {
+    expect(resolveOrigin({ host: "localhost:4321" })).toBe("http://localhost:4321");
+    // Attacker downgrade attempt on an untrusted host is ignored (falls back).
+    expect(
+      resolveOrigin({ host: "evil.com", forwardedProto: "http", publicUrl }),
+    ).toBe("https://www.notbehind.com");
+  });
+  test("no public origin + untrusted host → empty (relative, never poisoned)", () => {
+    expect(resolveOrigin({ host: "evil.com" })).toBe("");
+  });
+});
 // Pull the JSON out of the `__PYLON_DATA__` <script> a hydration tail emits.
 function extractPylonData(tail: string): any {
   const m = tail.match(
@@ -78,11 +118,17 @@ describe("opengraph-image file convention", () => {
       pngHeader(1200, 630),
     );
-    const md = applyAutoSocialImages(
-      "app/blog/page",
-      { host: "example.com" },
-      undefined,
-    );
+    // Host must be allowlisted to be trusted for the absolute OG origin
+    // (the cache-poisoning fence). Configure it as the public origin.
+    const prevPub = process.env.PYLON_PUBLIC_URL;
+    process.env.PYLON_PUBLIC_URL = "https://example.com";
+    let md;
+    try {
+      md = applyAutoSocialImages("app/blog/page", { host: "example.com" }, undefined);
+    } finally {
+      if (prevPub === undefined) delete process.env.PYLON_PUBLIC_URL;
+      else process.env.PYLON_PUBLIC_URL = prevPub;
+    }
     expect(md?.openGraph?.image).toContain(
       "https://example.com/_pylon/og?src=app%2Fblog%2Fopengraph-image.png",

package/src/ssr-runtime.ts CHANGED Viewed

@@ -594,21 +594,76 @@ function readSocialImageMeta(relPath: string): {
   return { type, width, height, v };
 }
-/** Absolute origin for OG URLs (crawlers require absolute). Prefers the
- *  request Host (works for any custom domain the app serves), falling
- *  back to PYLON_PUBLIC_URL. Empty string → relative (dev last resort). */
-function resolveRequestOrigin(headers: Record<string, string> | undefined): string {
-  const host = headers?.["host"];
+const LOOPBACK_HOST = /^(localhost|127\.|\[?::1|0\.0\.0\.0)/;
+/** Normalize a bare host or a full URL down to a lowercase `host` (host:port).
+ *  Returns "" for unparseable input. */
+function hostOf(value: string): string {
+  const t = (value || "").trim();
+  if (!t) return "";
+  try {
+    return (t.includes("://") ? new URL(t).host : t.replace(/^\/+|\/+$/g, "")).toLowerCase();
+  } catch {
+    return "";
+  }
+}
+/** Pure origin resolution (exported for tests).
+ *
+ *  SECURITY: the request `Host` (and `X-Forwarded-Proto`) is attacker-
+ *  controlled. It's only trusted to build the absolute origin baked into
+ *  `og:image` / canonical URLs when it's in the allowlist — the configured
+ *  public/canonical host, an explicit `PYLON_TRUSTED_HOSTS` entry, or
+ *  loopback. An untrusted (or absent) Host falls back to the configured
+ *  public origin. Without this, `Host: evil.com` on a cacheable
+ *  (force-static / `revalidate`) render bakes `https://evil.com/_pylon/og…`
+ *  into the HTML, which is then teed into the shared ISR/CDN cache and
+ *  served to every subsequent visitor (cache poisoning). */
+export function resolveOrigin(opts: {
+  host?: string;
+  forwardedProto?: string;
+  publicUrl?: string;
+  canonicalHost?: string;
+  trustedHostsCsv?: string;
+}): string {
+  const publicUrl = (opts.publicUrl || "").trim().replace(/\/+$/, "");
+  const host = opts.host?.trim().toLowerCase();
   if (host) {
-    const proto =
-      headers?.["x-forwarded-proto"] ||
-      (/^(localhost|127\.|\[?::1|0\.0\.0\.0)/.test(host) ? "http" : "https");
-    return `${proto}://${host}`;
+    const allow = new Set<string>();
+    const add = (v: string) => {
+      const h = hostOf(v);
+      if (h) allow.add(h);
+    };
+    add(opts.publicUrl || "");
+    add(opts.canonicalHost || "");
+    for (const x of (opts.trustedHostsCsv || "").split(",")) add(x);
+    const isLoopback = LOOPBACK_HOST.test(host);
+    if (isLoopback || allow.has(host)) {
+      // Only honor a forwarded proto for a TRUSTED host — else an attacker
+      // could downgrade the cached URL to http://. Default https off-loopback.
+      const proto = opts.forwardedProto || (isLoopback ? "http" : "https");
+      return `${proto}://${host}`;
+    }
   }
-  const env = ((globalThis as any).process?.env?.PYLON_PUBLIC_URL || "")
-    .trim()
-    .replace(/\/+$/, "");
-  return env;
+  // Untrusted / absent Host → the configured canonical origin. (Prefer the
+  // full public URL; fall back to the canonical host as https.)
+  if (publicUrl) return publicUrl;
+  const canon = hostOf(opts.canonicalHost || "");
+  return canon ? `https://${canon}` : "";
+}
+/** Absolute origin for OG URLs (crawlers require absolute). Trusts the
+ *  request Host only when it's allowlisted; otherwise uses PYLON_PUBLIC_URL.
+ *  See `resolveOrigin` for the security rationale. */
+function resolveRequestOrigin(headers: Record<string, string> | undefined): string {
+  const env = (globalThis as any).process?.env ?? {};
+  return resolveOrigin({
+    host: headers?.["host"],
+    forwardedProto: headers?.["x-forwarded-proto"],
+    publicUrl: env.PYLON_PUBLIC_URL,
+    canonicalHost: env.PYLON_CANONICAL_HOST,
+    trustedHostsCsv: env.PYLON_TRUSTED_HOSTS,
+  });
 }
 /** Merge auto-discovered social-card images into a page's metadata. An