npm - @skyramp/skyramp - Versions diffs - 1.3.10 → 1.3.11 - Mend

@skyramp/skyramp 1.3.10 → 1.3.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/package.json +5 -3
package/scripts/build-pdf-bundle.js +141 -0
package/scripts/pdf-execution-helpers.js +340 -0
package/src/classes/MockV2.d.ts +9 -17
package/src/classes/MockV2.js +20 -22
package/src/classes/SmartPlaywright.js +328 -2
package/src/pdfViewer/bundle.d.ts +11 -0
package/src/pdfViewer/bundle.js +1349 -0
package/src/pdfViewer/index.d.ts +8 -0
package/src/pdfViewer/index.js +14 -0
package/src/pdfViewer/validator.d.ts +25 -0
package/src/pdfViewer/validator.js +119 -0

package/src/pdfViewer/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * Copyright (c) Skyramp Corporation.
+ *
+ * PDF Viewer module for execution-time injection
+ */
+export { PdfUrlValidator, ValidationResult } from './validator';
+export { PDF_VIEWER_INJECTION_SCRIPT } from './bundle';

package/src/pdfViewer/index.js ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * Copyright (c) Skyramp Corporation.
+ *
+ * PDF Viewer module for execution-time injection
+ * Barrel exports for all PDF viewer components
+ */
+const { PdfUrlValidator } = require('./validator');
+const { PDF_VIEWER_INJECTION_SCRIPT } = require('./bundle');
+module.exports = {
+  PdfUrlValidator,
+  PDF_VIEWER_INJECTION_SCRIPT
+};

package/src/pdfViewer/validator.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * Copyright (c) Skyramp Corporation.
+ *
+ * URL validator for PDF fetching - prevents SSRF attacks
+ */
+export interface ValidationResult {
+  valid: boolean;
+  error?: string;
+}
+export declare class PdfUrlValidator {
+  static readonly MAX_PDF_SIZE: number;
+  static readonly PRIVATE_IP_RANGES: RegExp[];
+  /**
+   * Validates a PDF URL to prevent SSRF attacks
+   */
+  static validateUrl(urlString: string): ValidationResult;
+  /**
+   * Validates a fetch response to ensure it's a valid PDF
+   */
+  static validateResponse(response: Response): Promise<ValidationResult>;
+}

package/src/pdfViewer/validator.js ADDED Viewed

@@ -0,0 +1,119 @@
+/**
+ * Copyright (c) Skyramp Corporation.
+ *
+ * URL validator for PDF fetching - prevents SSRF attacks
+ */
+class PdfUrlValidator {
+  static MAX_PDF_SIZE = 50 * 1024 * 1024; // 50MB
+  // Private IP ranges to block (RFC 1918 + loopback + link-local)
+  static PRIVATE_IP_RANGES = [
+    /^127\./,           // 127.0.0.0/8 (loopback)
+    /^10\./,            // 10.0.0.0/8 (private)
+    /^172\.(1[6-9]|2[0-9]|3[0-1])\./, // 172.16.0.0/12 (private)
+    /^192\.168\./,      // 192.168.0.0/16 (private)
+    /^169\.254\./,      // 169.254.0.0/16 (link-local)
+    /^::1$/,            // IPv6 loopback
+    /^fe80:/i,          // IPv6 link-local
+    /^fc00:/i,          // IPv6 unique local
+    /^fd00:/i,          // IPv6 unique local
+  ];
+  /**
+   * Validates a PDF URL to prevent SSRF attacks
+   * @param {string} urlString - The URL to validate
+   * @returns {{valid: boolean, error?: string}} Validation result
+   */
+  static validateUrl(urlString) {
+    // Check for empty/null
+    if (!urlString || typeof urlString !== 'string') {
+      return { valid: false, error: 'URL is empty or invalid' };
+    }
+    let url;
+    try {
+      url = new URL(urlString);
+    } catch (error) {
+      return { valid: false, error: `Invalid URL format: ${error}` };
+    }
+    // Only allow http/https protocols
+    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+      return {
+        valid: false,
+        error: `Protocol '${url.protocol}' not allowed. Only http: and https: are permitted`
+      };
+    }
+    // Block localhost by hostname
+    const hostname = url.hostname.toLowerCase();
+    if (hostname === 'localhost' || hostname === '0.0.0.0') {
+      return {
+        valid: false,
+        error: `Hostname '${hostname}' not allowed (localhost blocked)`
+      };
+    }
+    // Check for private IP ranges
+    for (const range of this.PRIVATE_IP_RANGES) {
+      if (range.test(hostname)) {
+        return {
+          valid: false,
+          error: `IP address '${hostname}' not allowed (private IP range blocked)`
+        };
+      }
+    }
+    // Allow http:// only for localhost in development (but we already blocked localhost above)
+    // So effectively, only https:// is allowed for remote hosts
+    if (url.protocol === 'http:' && hostname !== 'localhost') {
+      return {
+        valid: false,
+        error: 'http:// protocol only allowed for localhost. Use https:// for remote hosts'
+      };
+    }
+    return { valid: true };
+  }
+  /**
+   * Validates a fetch response to ensure it's a valid PDF
+   * @param {Response} response - The fetch response to validate
+   * @returns {Promise<{valid: boolean, error?: string}>} Validation result
+   */
+  static async validateResponse(response) {
+    // Check status code
+    if (!response.ok) {
+      return {
+        valid: false,
+        error: `HTTP ${response.status}: ${response.statusText}`
+      };
+    }
+    // Check Content-Type
+    const contentType = response.headers.get('content-type');
+    if (contentType && !contentType.includes('application/pdf')) {
+      return {
+        valid: false,
+        error: `Invalid Content-Type: ${contentType} (expected application/pdf)`
+      };
+    }
+    // Check Content-Length if available
+    const contentLength = response.headers.get('content-length');
+    if (contentLength) {
+      const size = parseInt(contentLength, 10);
+      if (size > this.MAX_PDF_SIZE) {
+        return {
+          valid: false,
+          error: `PDF too large: ${size} bytes (max ${this.MAX_PDF_SIZE} bytes)`
+        };
+      }
+    }
+    return { valid: true };
+  }
+}
+module.exports = { PdfUrlValidator };