@skyramp/skyramp 1.3.10 → 1.3.12

package/src/pdfViewer/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Copyright (c) Skyramp Corporation.
+ *
+ * PDF Viewer module for execution-time injection
+ */
+
+export { PdfUrlValidator, ValidationResult } from './validator';
+export { PDF_VIEWER_INJECTION_SCRIPT } from './bundle';

package/src/pdfViewer/index.js

@@ -0,0 +1,14 @@
+/**
+ * Copyright (c) Skyramp Corporation.
+ *
+ * PDF Viewer module for execution-time injection
+ * Barrel exports for all PDF viewer components
+ */
+
+const { PdfUrlValidator } = require('./validator');
+const { PDF_VIEWER_INJECTION_SCRIPT } = require('./bundle');
+
+module.exports = {
+  PdfUrlValidator,
+  PDF_VIEWER_INJECTION_SCRIPT
+};

package/src/pdfViewer/validator.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Copyright (c) Skyramp Corporation.
+ *
+ * URL validator for PDF fetching - prevents SSRF attacks
+ */
+
+export interface ValidationResult {
+  valid: boolean;
+  error?: string;
+}
+
+export declare class PdfUrlValidator {
+  static readonly MAX_PDF_SIZE: number;
+  static readonly PRIVATE_IP_RANGES: RegExp[];
+
+  /**
+   * Validates a PDF URL to prevent SSRF attacks
+   */
+  static validateUrl(urlString: string): ValidationResult;
+
+  /**
+   * Validates a fetch response to ensure it's a valid PDF
+   */
+  static validateResponse(response: Response): Promise<ValidationResult>;
+}

package/src/pdfViewer/validator.js

@@ -0,0 +1,119 @@
+/**
+ * Copyright (c) Skyramp Corporation.
+ *
+ * URL validator for PDF fetching - prevents SSRF attacks
+ */
+
+class PdfUrlValidator {
+  static MAX_PDF_SIZE = 50 * 1024 * 1024; // 50MB
+
+  // Private IP ranges to block (RFC 1918 + loopback + link-local)
+  static PRIVATE_IP_RANGES = [
+    /^127\./,           // 127.0.0.0/8 (loopback)
+    /^10\./,            // 10.0.0.0/8 (private)
+    /^172\.(1[6-9]|2[0-9]|3[0-1])\./, // 172.16.0.0/12 (private)
+    /^192\.168\./,      // 192.168.0.0/16 (private)
+    /^169\.254\./,      // 169.254.0.0/16 (link-local)
+    /^::1$/,            // IPv6 loopback
+    /^fe80:/i,          // IPv6 link-local
+    /^fc00:/i,          // IPv6 unique local
+    /^fd00:/i,          // IPv6 unique local
+  ];
+
+  /**
+   * Validates a PDF URL to prevent SSRF attacks
+   * @param {string} urlString - The URL to validate
+   * @returns {{valid: boolean, error?: string}} Validation result
+   */
+  static validateUrl(urlString) {
+    // Check for empty/null
+    if (!urlString || typeof urlString !== 'string') {
+      return { valid: false, error: 'URL is empty or invalid' };
+    }
+
+    let url;
+    try {
+      url = new URL(urlString);
+    } catch (error) {
+      return { valid: false, error: `Invalid URL format: ${error}` };
+    }
+
+    // Only allow http/https protocols
+    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+      return {
+        valid: false,
+        error: `Protocol '${url.protocol}' not allowed. Only http: and https: are permitted`
+      };
+    }
+
+    // Block localhost by hostname
+    const hostname = url.hostname.toLowerCase();
+    if (hostname === 'localhost' || hostname === '0.0.0.0') {
+      return {
+        valid: false,
+        error: `Hostname '${hostname}' not allowed (localhost blocked)`
+      };
+    }
+
+    // Check for private IP ranges
+    for (const range of this.PRIVATE_IP_RANGES) {
+      if (range.test(hostname)) {
+        return {
+          valid: false,
+          error: `IP address '${hostname}' not allowed (private IP range blocked)`
+        };
+      }
+    }
+
+    // Allow http:// only for localhost in development (but we already blocked localhost above)
+    // So effectively, only https:// is allowed for remote hosts
+    if (url.protocol === 'http:' && hostname !== 'localhost') {
+      return {
+        valid: false,
+        error: 'http:// protocol only allowed for localhost. Use https:// for remote hosts'
+      };
+    }
+
+    return { valid: true };
+  }
+
+  /**
+   * Validates a fetch response to ensure it's a valid PDF
+   * @param {Response} response - The fetch response to validate
+   * @returns {Promise<{valid: boolean, error?: string}>} Validation result
+   */
+  static async validateResponse(response) {
+    // Check status code
+    if (!response.ok) {
+      return {
+        valid: false,
+        error: `HTTP ${response.status}: ${response.statusText}`
+      };
+    }
+
+    // Check Content-Type
+    const contentType = response.headers.get('content-type');
+    if (contentType && !contentType.includes('application/pdf')) {
+      return {
+        valid: false,
+        error: `Invalid Content-Type: ${contentType} (expected application/pdf)`
+      };
+    }
+
+    // Check Content-Length if available
+    const contentLength = response.headers.get('content-length');
+    if (contentLength) {
+      const size = parseInt(contentLength, 10);
+      if (size > this.MAX_PDF_SIZE) {
+        return {
+          valid: false,
+          error: `PDF too large: ${size} bytes (max ${this.MAX_PDF_SIZE} bytes)`
+        };
+      }
+    }
+
+    return { valid: true };
+  }
+}
+
+module.exports = { PdfUrlValidator };

package/src/utils.d.ts

@@ -104,3 +104,11 @@ export function checkForUpdate(component: string): Promise<void>;
  * The Skyramp YAML version constant.
  */
 export const SKYRAMP_YAML_VERSION: string;
+
+/**
+ * Returns the base URL from an environment variable, with a fallback default.
+ * @param envVar - The environment variable name
+ * @param defaultUrl - The default URL if the env var is not set
+ * @returns The resolved base URL
+ */
+export function getBaseUrl(envVar: string, defaultUrl: string): string;

package/src/utils.js

@@ -257,6 +257,10 @@ function checkForUpdate(component) {
     });
 }
 
+function getBaseUrl(envVar, defaultUrl) {
+    return process.env[envVar] ?? defaultUrl;
+}
+
 module.exports = {
   createTestDescriptionFromScenario,
   getYamlBytes,
@@ -267,5 +271,6 @@ module.exports = {
   iterate,
   pushToolEvent,
   checkForUpdate,
+  getBaseUrl,
   SKYRAMP_YAML_VERSION
 }