@redocly/realm 0.131.2 → 0.131.3

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @redocly/realm
 
+## 0.131.3
+
+### Patch Changes
+
+- 4afca06580: Fixed a Realm CORS proxy security issue that could allow requests to private network addresses and unsafe direct navigation to proxied HTML or JavaScript content.
+
 ## 0.131.2
 
 ### Patch Changes

package/dist/server/config/env-config.js

@@ -1 +1 @@
-import{readEnvVariable as u}from"../utils/envs/read-env-variable.js";import{envSchema as c}from"./env-schema.js";function i(){const n=Object.fromEntries(Object.keys(process.env).map(e=>[e,u(e)]));return n.REDOCLY_PORTAL_VERSION=process.env.REDOCLY_PORTAL_VERSION,c.parse(n)}function r(){return i().REDOCLY_ENV??"development"}function o(){const n=process.env.REDOCLY_EXECUTION_MODE;return n==="build"||n==="develop"||n==="runtime"?n:"develop"}function s(){const e=i().REDOCLY_INTERNAL_DEV;return e==="true"||e==="1"}function v(n){switch(n){case"redoclyEnv":return r();case"executionMode":return o();case"isProductionEnv":return r()==="production";case"isPreviewEnv":return r()==="preview";case"isReunite":{const e=r(),t=s();return e==="production"||e==="preview"||e==="development"&&!t}case"isBuildMode":return o()==="build";case"isDevelopMode":return o()==="develop";case"isRuntimeMode":return o()==="runtime";default:return n}}const d=new Set(["redoclyEnv","executionMode","isProductionEnv","isPreviewEnv","isReunite","isBuildMode","isDevelopMode","isRuntimeMode"]),l=Object.freeze(new Proxy({},{get(n,e){if(typeof e!="string")return;const t=e;return d.has(t)?v(t):i()[e]}}));export{l as envConfig};
+import{readEnvVariable as c}from"../utils/envs/read-env-variable.js";import{envSchema as s}from"./env-schema.js";function r(){const n=Object.fromEntries(Object.keys(process.env).map(e=>[e,c(e)]));return n.REDOCLY_PORTAL_VERSION=process.env.REDOCLY_PORTAL_VERSION,s.parse(n)}function o(){return r().REDOCLY_ENV??"development"}function i(){const n=process.env.REDOCLY_EXECUTION_MODE;return n==="build"||n==="develop"||n==="runtime"?n:"develop"}function v(){const e=r().REDOCLY_INTERNAL_DEV;return e==="true"||e==="1"}function d(n){switch(n){case"redoclyEnv":return o();case"executionMode":return i();case"isProductionEnv":return o()==="production";case"isPreviewEnv":return o()==="preview";case"isReunite":{const e=o(),t=v(),u=r().REDOCLY_ORG_ID;return e==="production"||e==="preview"||e==="development"&&!t&&!!u}case"isBuildMode":return i()==="build";case"isDevelopMode":return i()==="develop";case"isRuntimeMode":return i()==="runtime";default:return n}}const a=new Set(["redoclyEnv","executionMode","isProductionEnv","isPreviewEnv","isReunite","isBuildMode","isDevelopMode","isRuntimeMode"]),p=Object.freeze(new Proxy({},{get(n,e){if(typeof e!="string")return;const t=e;return a.has(t)?d(t):r()[e]}}));export{p as envConfig};

package/dist/server/web-server/routes/cors-proxy.d.ts

@@ -1,5 +1,6 @@
 import type { Context } from 'hono';
 export declare function corsProxyHandler(proxyBasePath?: string): (ctx: Context) => Promise<Response>;
+export declare function isPrivateIp(ip: string): boolean;
 export declare function resolveCorsProxyTarget(requestUrl: string, proxyBasePath: string): URL | null;
 export declare const CORS_PROXY_STREAM_HEADER = "x-redocly-proxy-streaming";
 //# sourceMappingURL=cors-proxy.d.ts.map

package/dist/server/web-server/routes/cors-proxy.js

@@ -1,2 +1,2 @@
-import{withPathPrefix as _}from"@redocly/theme/core/utils";import{ServerRoutes as q}from"../../../constants/common.js";import{getRequestOrigin as C}from"../utils/get-request-origin.js";const P=new Set(["connection","keep-alive","proxy-authenticate","proxy-connection","proxy-authorization","te","trailer","transfer-encoding","upgrade","host"]),$=new Set(["cookie","cookie2","accept-encoding"]),T=new Set(["set-cookie","set-cookie2","content-encoding","content-length"]),g="x-redocly-proxy-streaming",H="x-http-method-override",w="x-redocly-cookie";function z(o=_(q.CORS_PROXY)){return async e=>{const n=new URL(e.req.url).pathname;if(n===o||n===`${o}/`)return e.text(`Realm CORS proxy endpoint.
-Usage: ${o}/https://api.example.com/path`);const r=I(e.req.url,o);if(!r)return e.text("Invalid proxied URL",400);const i=C(e),c=r.origin===i,h=r.pathname===o||r.pathname.startsWith(`${o}/`);if(c&&!h)return new Response("Please use a direct request",{status:308,headers:{Location:r.toString(),Vary:"origin","Cache-Control":"private"}});const s=new Headers,f=S(e.req.raw.headers);for(const[t,E]of e.req.raw.headers)f.has(t.toLowerCase())||$.has(t.toLowerCase())||s.append(t,E);const d=s.get(w);if(d){const t=e.req.raw.headers.get("cookie")||"";s.set("cookie",t?`${t}; ${d}`:d),s.delete(w)}const u=e.req.raw.headers.get("origin")||"";L(u)&&s.delete("origin");let p=e.req.method;const R=s.get(H);R&&(p=R.toUpperCase(),s.delete(H));const m={method:p,headers:s,redirect:"follow"};p!=="GET"&&p!=="HEAD"&&e.req.raw.body&&(m.body=e.req.raw.body,m.duplex="half");let a;try{a=await fetch(r,m)}catch(t){const E=t instanceof Error?t.message:"unknown error",O=t instanceof Error&&t.cause instanceof Error?`: ${t.cause.message}`:"";return e.text(`Failed to proxy request: ${E}${O}`,502)}const l=new Headers(a.headers),y=S(a.headers);for(const t of y)l.delete(t);for(const t of T)l.delete(t);return l.set(g,"1"),new Response(a.body,{status:a.status,statusText:a.statusText,headers:l})}}function k(o){try{return decodeURIComponent(o)}catch{return o}}function D(o){return o.replace(/^(https?):\/(?!\/)/i,"$1://")}function A(o,e){return e?o.includes("?")?e==="?"?o:`${o.endsWith("?")||o.endsWith("&")?o:`${o}&`}${e.slice(1)}`:`${o}${e}`:o}function S(o){const e=new Set(P),n=o.get("connection");if(!n)return e;for(const r of n.split(",")){const i=r.trim().toLowerCase();i&&e.add(i)}return e}function L(o){const e=o.toLowerCase();return e.includes(".redocly.app")||e.includes("localhost")}function I(o,e){const n=new URL(o),r=n.pathname===e,i=n.pathname.startsWith(`${e}/`);if(!r&&!i)return null;const c=n.pathname.slice(e.length).replace(/^\/+/,"");if(!c)return null;const h=[c,k(c)];for(const s of h){const f=D(s),d=A(f,n.search);try{const u=new URL(d);if(u.protocol==="http:"||u.protocol==="https:")return u}catch{continue}}return null}const U=g;export{U as CORS_PROXY_STREAM_HEADER,z as corsProxyHandler,I as resolveCorsProxyTarget};
+import _ from"node:dns";import{isIP as T}from"node:net";import{withPathPrefix as D}from"@redocly/theme/core/utils";import{ServerRoutes as $}from"../../../constants/common.js";import{envConfig as w}from"../../config/env-config.js";import{getRequestOrigin as k}from"../utils/get-request-origin.js";const I=new Set(["connection","keep-alive","proxy-authenticate","proxy-connection","proxy-authorization","te","trailer","transfer-encoding","upgrade","host"]),L=new Set(["cookie","cookie2","accept-encoding"]),A=new Set(["set-cookie","set-cookie2","content-encoding","content-length"]),E="x-redocly-proxy-streaming",H="x-http-method-override",y="x-redocly-cookie";function Q(t=D($.CORS_PROXY)){return async e=>{const o=new URL(e.req.url).pathname;if(o===t||o===`${t}/`)return e.text(`Realm CORS proxy endpoint.
+Usage: ${t}/https://api.example.com/path`);const n=F(e.req.url,t);if(!n)return e.text("Invalid proxied URL",400);const i=k(e),d=n.origin===i,f=n.pathname===t||n.pathname.startsWith(`${t}/`);if(d&&!f)return new Response("Please use a direct request",{status:308,headers:{Location:n.toString(),Vary:"origin","Cache-Control":"private"}});const u=await z(n.hostname);if((!w.isDevelopMode||w.isReunite)&&u&&N(u))return e.text("Requests to private network addresses are not allowed",403);const s=new Headers,h=S(e.req.raw.headers);for(const[r,g]of e.req.raw.headers)h.has(r.toLowerCase())||L.has(r.toLowerCase())||s.append(r,g);const a=s.get(y);if(a){const r=e.req.raw.headers.get("cookie")||"";s.set("cookie",r?`${r}; ${a}`:a),s.delete(y)}const C=e.req.raw.headers.get("origin")||"";W(C)&&s.delete("origin");let p=e.req.method;const R=s.get(H);R&&(p=R.toUpperCase(),s.delete(H));const m={method:p,headers:s,redirect:"manual"};p!=="GET"&&p!=="HEAD"&&e.req.raw.body&&(m.body=e.req.raw.body,m.duplex="half");let c;try{c=await fetch(n,m)}catch(r){const g=r instanceof Error?r.message:"unknown error",P=r instanceof Error&&r.cause instanceof Error?`: ${r.cause.message}`:"";return e.text(`Failed to proxy request: ${g}${P}`,502)}const O=c.headers.get("content-type")||"";if(Y(O)&&e.req.raw.headers.get("sec-fetch-mode")==="navigate")return e.text("Direct browser navigation to proxied HTML or JavaScript content is not allowed",403);const l=new Headers(c.headers),q=S(c.headers);for(const r of q)l.delete(r);for(const r of A)l.delete(r);return l.set(E,"1"),new Response(c.body,{status:c.status,statusText:c.statusText,headers:l})}}function x(t){try{return decodeURIComponent(t)}catch{return t}}function M(t){return t.replace(/^(https?):\/(?!\/)/i,"$1://")}function b(t,e){return e?t.includes("?")?e==="?"?t:`${t.endsWith("?")||t.endsWith("&")?t:`${t}&`}${e.slice(1)}`:`${t}${e}`:t}function S(t){const e=new Set(I),o=t.get("connection");if(!o)return e;for(const n of o.split(",")){const i=n.trim().toLowerCase();i&&e.add(i)}return e}function W(t){const e=t.toLowerCase();return e.includes(".redocly.app")||e.includes("localhost")}async function z(t){if(T(t))return t;try{const{address:e}=await _.promises.lookup(t);return e}catch{return null}}function N(t){const e=t.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i);return e?v(e[1]):t.includes(":")?U(t):v(t)}function v(t){const e=t.split(".").map(Number);if(e.length!==4||e.some(i=>isNaN(i)))return!0;const[o,n]=e;return o===0||o===10||o===127||o===172&&n>=16&&n<=31||o===192&&n===168||o===169&&n===254||o===100&&n>=64&&n<=127}function U(t){const e=t.toLowerCase();return e==="::1"||e==="::"||e.startsWith("fc")||e.startsWith("fd")||e.startsWith("fe80")}function Y(t){const e=t.toLowerCase();return e.includes("text/html")||e.includes("javascript")||e.includes("application/xhtml")||e.includes("application/xml")||e.includes("image/svg")}function F(t,e){const o=new URL(t),n=o.pathname===e,i=o.pathname.startsWith(`${e}/`);if(!n&&!i)return null;const d=o.pathname.slice(e.length).replace(/^\/+/,"");if(!d)return null;const f=[d,x(d)];for(const u of f){const s=M(u),h=b(s,o.search);try{const a=new URL(h);if(a.protocol==="http:"||a.protocol==="https:")return a}catch{continue}}return null}const Z=E;export{Z as CORS_PROXY_STREAM_HEADER,Q as corsProxyHandler,N as isPrivateIp,F as resolveCorsProxyTarget};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@redocly/realm",
-  "version": "0.131.2",
+  "version": "0.131.3",
   "description": "",
   "type": "module",
   "bin": {
@@ -91,14 +91,14 @@
     "xpath": "0.0.34",
     "yaml-ast-parser": "0.0.43",
     "zod": "^3.25.76",
-    "@redocly/config": "0.44.1",
+    "@redocly/asyncapi-docs": "1.8.1",
     "@redocly/graphql-docs": "1.8.0",
-    "@redocly/portal-legacy-ui": "0.14.0",
-    "@redocly/portal-plugin-mock-server": "0.16.1",
     "@redocly/openapi-docs": "3.19.1",
+    "@redocly/portal-legacy-ui": "0.14.0",
     "@redocly/realm-asyncapi-sdk": "0.9.0",
-    "@redocly/theme": "0.63.0",
-    "@redocly/asyncapi-docs": "1.8.1"
+    "@redocly/portal-plugin-mock-server": "0.16.1",
+    "@redocly/config": "0.44.1",
+    "@redocly/theme": "0.63.0"
   },
   "peerDependencies": {
     "react": "^19.2.4",

package/dist/client/runtime/generated/browser-plugins.js

@@ -1,12 +0,0 @@
-
-    
-
-    export const onRouteChange = (context, themeConfig) => {
-      
-
-      // Hooks registered during browser runtime
-      for (const hookCallback of __onRouteChangeHooks) {
-        typeof hookCallback === 'function' && hookCallback(context, themeConfig)
-      }
-    }
-  

package/dist/client/runtime/generated/package.json

@@ -1 +0,0 @@
-{"name":"@redocly/portal/ssr-entry"}

package/dist/client/runtime/generated/routes.js

@@ -1,7 +0,0 @@
-
-  export const clientRoutes = [
-      "/openapi-files/redocly-museum",
-  "/scout/agent-api/openapi",
-  "/scout/api/openapi",
-  "/customization/search-api/openapi",
-  ]

package/dist/client/runtime/generated/templates.js

@@ -1,27 +0,0 @@
-export const templates = {
-  "scorecardClassic": () => import("/Users/volodymyrrutskyi/repos/redocly/what-about-second-redocly/packages/portal/products/realm/dist/server/plugins/scorecard-classic/template/index.js"),
-
-  "openapi_docs": () => import("/Users/volodymyrrutskyi/repos/redocly/what-about-second-redocly/packages/portal/products/realm/dist/client/templates/openapi-docs/template.js"),
-
-  "markdown": () => import("@redocly/theme/core/templates/Markdown"),
-
-  "invite": () => import("/Users/volodymyrrutskyi/repos/redocly/what-about-second-redocly/packages/portal/products/realm/dist/client/app/pages/Invite/Invite.js"),
-
-  "graphql_docs": () => import("/Users/volodymyrrutskyi/repos/redocly/what-about-second-redocly/packages/portal/products/realm/dist/server/plugins/graphql-docs/template/GraphQLDocs.js"),
-
-  "error": () => import("/Users/volodymyrrutskyi/repos/redocly/what-about-second-redocly/packages/portal/products/realm/dist/client/app/Error/ErrorDetails.js"),
-
-  "compilation-error": () => import("/Users/volodymyrrutskyi/repos/redocly/what-about-second-redocly/packages/portal/products/realm/dist/client/app/pages/CompilationError/CompilationError.js"),
-
-  "changelog.page.tsx": () => import("/Users/volodymyrrutskyi/repos/redocly/what-about-second-redocly/docs/realm/changelog.page.tsx"),
-
-  "catalogClassic": () => import("@redocly/theme/components/CatalogClassic/CatalogClassic"),
-
-  "asyncapi_docs": () => import("/Users/volodymyrrutskyi/repos/redocly/what-about-second-redocly/packages/portal/products/realm/dist/client/templates/asyncapi-docs/template.js"),
-
-  "404": () => import("/Users/volodymyrrutskyi/repos/redocly/what-about-second-redocly/packages/portal/products/realm/dist/client/app/pages/404/404.js"),
-
-  "403OIDC": () => import("/Users/volodymyrrutskyi/repos/redocly/what-about-second-redocly/packages/portal/products/realm/dist/client/app/pages/403/403OIDC.js"),
-
-  "403": () => import("/Users/volodymyrrutskyi/repos/redocly/what-about-second-redocly/packages/portal/products/realm/dist/client/app/pages/403/403.js"),
-}