@socketsecurity/lib 6.0.7 → 6.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +42 -0
- package/README.md +1 -1
- package/dist/ai/agent-context.d.mts +103 -0
- package/dist/ai/agent-context.js +157 -0
- package/dist/ai/backends.d.mts +83 -0
- package/dist/ai/backends.js +173 -0
- package/dist/ai/credentials.d.mts +49 -0
- package/dist/ai/credentials.js +82 -0
- package/dist/ai/discover.d.mts +4 -0
- package/dist/ai/discover.js +1 -1
- package/dist/ai/exec.d.mts +52 -0
- package/dist/ai/exec.js +92 -0
- package/dist/ai/http.d.mts +132 -0
- package/dist/ai/http.js +130 -0
- package/dist/ai/profiles.d.mts +41 -6
- package/dist/ai/profiles.js +52 -10
- package/dist/ai/route.d.mts +82 -0
- package/dist/ai/route.js +171 -0
- package/dist/ai/spawn.d.mts +42 -2
- package/dist/ai/spawn.js +146 -33
- package/dist/ai/subagent-status.d.mts +48 -0
- package/dist/ai/subagent-status.js +57 -0
- package/dist/ai/tier.d.mts +60 -0
- package/dist/ai/tier.js +53 -0
- package/dist/ai/types.d.mts +25 -2
- package/dist/ai/worktree.js +4 -0
- package/dist/archives/tar.js +1 -1
- package/dist/archives/zip.js +2 -2
- package/dist/argv/parse.d.ts +19 -2
- package/dist/argv/parse.js +1 -1
- package/dist/arrays/join.js +4 -0
- package/dist/bin/find.js +4 -4
- package/dist/bin/prim.cjs +23322 -18018
- package/dist/bin/resolve.js +2 -2
- package/dist/cache/ttl/store.js +2 -2
- package/dist/cli/check-primordials.d.ts +8 -3
- package/dist/cli/check-primordials.js +4 -4
- package/dist/compression/_internal.js +1 -1
- package/dist/compression/brotli.d.ts +1 -2
- package/dist/compression/brotli.js +5 -1
- package/dist/compression/gzip.js +5 -1
- package/dist/config/layers.d.ts +53 -0
- package/dist/config/layers.js +83 -0
- package/dist/constants/packages.d.ts +3 -0
- package/dist/constants/packages.js +2 -1
- package/dist/constants/socket.d.ts +2 -6
- package/dist/constants/socket.js +12 -14
- package/dist/cover/code.js +2 -2
- package/dist/crypto/hash.d.ts +4 -1
- package/dist/crypto/hash.js +4 -1
- package/dist/dlx/arborist.js +13 -3
- package/dist/dlx/binary-cache.js +1 -1
- package/dist/dlx/binary-resolution.js +1 -1
- package/dist/dlx/detect.d.ts +8 -0
- package/dist/dlx/firewall.d.ts +8 -0
- package/dist/dlx/lockfile.js +5 -2
- package/dist/dlx/manifest.js +1 -1
- package/dist/dlx/package.js +4 -0
- package/dist/eco/cargo/parse-lockfile.d.ts +1 -2
- package/dist/eco/cargo/parse-lockfile.js +3 -3
- package/dist/eco/manifest/detect-format.js +1 -1
- package/dist/eco/npm/npm/parse-lockfile.d.ts +3 -4
- package/dist/eco/npm/npm/parse-lockfile.js +2 -2
- package/dist/eco/npm/parse-package-json.d.ts +11 -0
- package/dist/eco/npm/parse-package-json.js +1 -1
- package/dist/eco/npm/pnpm/parse-lockfile.d.ts +5 -3
- package/dist/eco/npm/pnpm/parse-lockfile.js +3 -3
- package/dist/eco/npm/yarnpkg/yarn/exec.js +1 -1
- package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.d.ts +1 -2
- package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +2 -2
- package/dist/env/proxy.js +1 -1
- package/dist/env/rewire.d.ts +6 -3
- package/dist/env/rewire.js +7 -8
- package/dist/env/socket.d.ts +7 -0
- package/dist/env/socket.js +10 -0
- package/dist/env/xdg.d.ts +17 -0
- package/dist/env/xdg.js +21 -1
- package/dist/errors/predicates.js +1 -1
- package/dist/errors/stack.js +1 -2
- package/dist/external/@npmcli/package-json.js +3455 -4881
- package/dist/external/@npmcli/promise-spawn.js +3 -1
- package/dist/external/@yarnpkg/extensions.js +1 -1
- package/dist/external/external-pack.js +1 -1
- package/dist/external/npm-pack.js +29164 -31799
- package/dist/external/pico-pack.js +4 -2
- package/dist/external/tar-fs.js +63 -16
- package/dist/external/which.js +3 -1
- package/dist/external-tools/bazel/asset-names.d.ts +1 -1
- package/dist/external-tools/bazel/asset-names.js +5 -2
- package/dist/external-tools/bazel/from-download.d.ts +1 -1
- package/dist/external-tools/bazel/from-download.js +5 -2
- package/dist/external-tools/bazel/resolve-bazel-version.js +4 -0
- package/dist/external-tools/bazel/resolve.d.ts +3 -3
- package/dist/external-tools/bazel/resolve.js +16 -8
- package/dist/external-tools/cdxgen/asset-names.d.ts +1 -1
- package/dist/external-tools/cdxgen/asset-names.js +5 -2
- package/dist/external-tools/cdxgen/from-download.d.ts +1 -1
- package/dist/external-tools/cdxgen/from-download.js +7 -4
- package/dist/external-tools/cdxgen/resolve.d.ts +3 -3
- package/dist/external-tools/cdxgen/resolve.js +16 -8
- package/dist/external-tools/from-download.d.ts +2 -2
- package/dist/external-tools/from-download.js +11 -5
- package/dist/external-tools/from-pip-venv.d.ts +1 -1
- package/dist/external-tools/from-pip-venv.js +12 -5
- package/dist/external-tools/janus/asset-names.d.ts +1 -1
- package/dist/external-tools/janus/asset-names.js +5 -2
- package/dist/external-tools/janus/from-download.d.ts +1 -1
- package/dist/external-tools/janus/from-download.js +5 -2
- package/dist/external-tools/janus/resolve.d.ts +3 -3
- package/dist/external-tools/janus/resolve.js +16 -8
- package/dist/external-tools/jre/asset-names.d.ts +1 -1
- package/dist/external-tools/jre/asset-names.js +5 -2
- package/dist/external-tools/jre/detect-platform-arch.js +1 -1
- package/dist/external-tools/jre/from-download.d.ts +1 -1
- package/dist/external-tools/jre/from-download.js +7 -4
- package/dist/external-tools/jre/from-java-home.js +2 -2
- package/dist/external-tools/jre/from-vfs.js +2 -2
- package/dist/external-tools/jre/resolve.d.ts +3 -3
- package/dist/external-tools/jre/resolve.js +16 -8
- package/dist/external-tools/manifest.d.ts +18 -0
- package/dist/external-tools/manifest.js +2 -2
- package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
- package/dist/external-tools/opengrep/asset-names.js +5 -2
- package/dist/external-tools/opengrep/from-download.d.ts +1 -1
- package/dist/external-tools/opengrep/from-download.js +5 -2
- package/dist/external-tools/opengrep/resolve.d.ts +3 -3
- package/dist/external-tools/opengrep/resolve.js +16 -8
- package/dist/external-tools/python/asset-names.d.ts +1 -1
- package/dist/external-tools/python/asset-names.js +11 -4
- package/dist/external-tools/python/dlx.d.ts +3 -3
- package/dist/external-tools/python/dlx.js +20 -9
- package/dist/external-tools/python/from-download.d.ts +1 -1
- package/dist/external-tools/python/from-download.js +12 -5
- package/dist/external-tools/python/pin.js +6 -3
- package/dist/external-tools/python/pip-install.js +6 -3
- package/dist/external-tools/python/resolve.d.ts +3 -3
- package/dist/external-tools/python/resolve.js +19 -11
- package/dist/external-tools/python/uv-install.d.ts +89 -0
- package/dist/external-tools/python/uv-install.js +165 -0
- package/dist/external-tools/sbt/asset-names.d.ts +1 -1
- package/dist/external-tools/sbt/asset-names.js +5 -2
- package/dist/external-tools/sbt/from-download.d.ts +1 -1
- package/dist/external-tools/sbt/from-download.js +5 -2
- package/dist/external-tools/sbt/resolve.d.ts +3 -3
- package/dist/external-tools/sbt/resolve.js +16 -8
- package/dist/external-tools/skillspector/from-dlx.d.ts +1 -1
- package/dist/external-tools/skillspector/from-dlx.js +10 -3
- package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
- package/dist/external-tools/skillspector/from-uv.js +56 -0
- package/dist/external-tools/skillspector/resolve.d.ts +20 -5
- package/dist/external-tools/skillspector/resolve.js +27 -6
- package/dist/external-tools/skillspector/types.d.ts +3 -1
- package/dist/external-tools/synp/asset-names.d.ts +1 -1
- package/dist/external-tools/synp/asset-names.js +6 -2
- package/dist/external-tools/synp/from-download.d.ts +1 -1
- package/dist/external-tools/synp/from-download.js +5 -2
- package/dist/external-tools/synp/resolve.d.ts +3 -3
- package/dist/external-tools/synp/resolve.js +16 -8
- package/dist/external-tools/trivy/asset-names.d.ts +1 -1
- package/dist/external-tools/trivy/asset-names.js +5 -2
- package/dist/external-tools/trivy/from-download.d.ts +1 -1
- package/dist/external-tools/trivy/from-download.js +7 -4
- package/dist/external-tools/trivy/resolve.d.ts +3 -3
- package/dist/external-tools/trivy/resolve.js +16 -8
- package/dist/external-tools/trufflehog/asset-names.d.ts +1 -1
- package/dist/external-tools/trufflehog/asset-names.js +5 -2
- package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
- package/dist/external-tools/trufflehog/from-download.js +7 -4
- package/dist/external-tools/trufflehog/resolve.d.ts +3 -3
- package/dist/external-tools/trufflehog/resolve.js +16 -8
- package/dist/external-tools/uv/asset-names.d.ts +36 -0
- package/dist/external-tools/uv/asset-names.js +73 -0
- package/dist/external-tools/uv/from-download.d.ts +17 -0
- package/dist/external-tools/uv/from-download.js +50 -0
- package/dist/external-tools/uv/from-path.d.ts +5 -0
- package/dist/external-tools/uv/from-path.js +22 -0
- package/dist/external-tools/uv/from-vfs.d.ts +7 -0
- package/dist/external-tools/uv/from-vfs.js +26 -0
- package/dist/external-tools/uv/resolve.d.ts +25 -0
- package/dist/external-tools/uv/resolve.js +61 -0
- package/dist/external-tools/uv/types.d.ts +24 -0
- package/dist/external-tools/uv/types.js +2 -0
- package/dist/fleet/repo-config.d.ts +53 -0
- package/dist/fleet/repo-config.js +79 -0
- package/dist/fs/allowed-dirs-cache.d.ts +27 -1
- package/dist/fs/allowed-dirs-cache.js +39 -6
- package/dist/fs/copy.d.ts +88 -0
- package/dist/fs/copy.js +89 -0
- package/dist/fs/find.js +1 -1
- package/dist/fs/read-json-cache.d.ts +7 -0
- package/dist/fs/resolve-module.js +6 -2
- package/dist/fs/safe.js +1 -1
- package/dist/git/_internal.js +3 -3
- package/dist/git/repo.js +2 -4
- package/dist/git/staged.js +8 -0
- package/dist/git/tracked.d.ts +84 -0
- package/dist/git/tracked.js +163 -0
- package/dist/git/unstaged.js +8 -0
- package/dist/github/refs-graphql.js +4 -0
- package/dist/github/refs-rest.js +4 -0
- package/dist/globs/_internal.js +1 -1
- package/dist/globs/match.js +9 -1
- package/dist/globs/matcher.js +5 -1
- package/dist/http-request/browser.js +7 -3
- package/dist/http-request/checksum-file.js +1 -1
- package/dist/http-request/{browser-fetch.d.ts → fetch/browser.d.ts} +2 -2
- package/dist/http-request/{browser-fetch.js → fetch/browser.js} +4 -4
- package/dist/http-request/headers.js +1 -1
- package/dist/http-request/request-attempt.js +2 -2
- package/dist/http-request/user-agent.js +1 -1
- package/dist/integrity.d.ts +124 -71
- package/dist/integrity.js +168 -78
- package/dist/json/edit.js +38 -30
- package/dist/json/format.js +1 -1
- package/dist/logger/colors.d.ts +1 -2
- package/dist/logger/colors.js +2 -2
- package/dist/logger/symbols-builder.js +7 -8
- package/dist/logger/symbols.js +8 -8
- package/dist/native-messaging/install.d.ts +1 -1
- package/dist/native-messaging/install.js +7 -4
- package/dist/native-messaging/rate-limit.d.ts +7 -0
- package/dist/native-messaging/rate-limit.js +4 -0
- package/dist/node/async-hooks.js +1 -1
- package/dist/node/child-process.js +1 -1
- package/dist/node/crypto.js +1 -1
- package/dist/node/events.js +1 -1
- package/dist/node/fs-promises.js +1 -1
- package/dist/node/fs.d.ts +22 -6
- package/dist/node/fs.js +16 -3
- package/dist/node/http.js +1 -1
- package/dist/node/https.js +1 -1
- package/dist/node/module.d.ts +73 -2
- package/dist/node/module.js +97 -12
- package/dist/node/os.d.ts +10 -2
- package/dist/node/os.js +11 -4
- package/dist/node/path.d.ts +11 -2
- package/dist/node/path.js +17 -4
- package/dist/node/timers-promises.js +1 -1
- package/dist/node/url.js +1 -1
- package/dist/node/util.js +1 -1
- package/dist/objects/getters.js +1 -1
- package/dist/objects/mutate.js +2 -2
- package/dist/packages/edit-class.d.ts +2 -3
- package/dist/packages/edit-class.js +41 -35
- package/dist/packages/exports.js +4 -4
- package/dist/packages/fetch.js +1 -1
- package/dist/packages/isolation.js +2 -2
- package/dist/packages/licenses.js +2 -2
- package/dist/packages/manifest.d.ts +29 -0
- package/dist/packages/manifest.js +40 -4
- package/dist/packages/normalize.js +2 -2
- package/dist/packages/provenance.js +3 -3
- package/dist/packages/specs.js +1 -1
- package/dist/packages/tarball.js +4 -2
- package/dist/packages/types.d.ts +1 -2
- package/dist/paths/_internal.d.ts +1 -7
- package/dist/paths/_internal.js +9 -15
- package/dist/paths/conversion.js +1 -1
- package/dist/paths/dirnames.d.ts +1 -0
- package/dist/paths/dirnames.js +2 -0
- package/dist/paths/normalize.js +1 -1
- package/dist/paths/predicates.js +2 -1
- package/dist/paths/resolve.js +14 -19
- package/dist/paths/rewire.d.ts +5 -0
- package/dist/paths/socket.d.ts +137 -123
- package/dist/paths/socket.js +172 -131
- package/dist/perf/metrics.js +1 -1
- package/dist/perf/report.js +1 -1
- package/dist/primordials/process.d.ts +88 -0
- package/dist/primordials/process.js +132 -0
- package/dist/primordials/uncurry.d.ts +1 -2
- package/dist/process/spawn/child.js +8 -2
- package/dist/process/spawn/errors.js +1 -1
- package/dist/releases/github-archives.js +1 -1
- package/dist/releases/github-listing.d.ts +1 -2
- package/dist/schema/types.d.ts +3 -4
- package/dist/schema/validate.js +1 -1
- package/dist/secrets/broker.d.ts +35 -0
- package/dist/secrets/broker.js +72 -0
- package/dist/secrets/find.d.ts +8 -6
- package/dist/secrets/find.js +25 -5
- package/dist/secrets/keychain.d.ts +1 -1
- package/dist/secrets/linux.js +32 -44
- package/dist/secrets/macos.d.ts +1 -2
- package/dist/secrets/macos.js +20 -29
- package/dist/secrets/rc.d.ts +2 -2
- package/dist/secrets/rc.js +21 -13
- package/dist/secrets/socket-api-token.js +8 -0
- package/dist/secrets/windows.js +27 -33
- package/dist/shell/parse.d.ts +32 -0
- package/dist/shell/parse.js +60 -0
- package/dist/smol/detect.js +1 -1
- package/dist/smol/http.js +1 -1
- package/dist/smol/https.js +1 -1
- package/dist/smol/manifest.js +1 -1
- package/dist/smol/path.js +1 -1
- package/dist/smol/primordial.js +1 -1
- package/dist/smol/purl.js +1 -1
- package/dist/smol/versions.js +1 -1
- package/dist/smol/vfs.js +1 -1
- package/dist/sorts/_internal.d.ts +1 -2
- package/dist/sorts/_internal.js +2 -6
- package/dist/sorts/semver.js +2 -2
- package/dist/spinner/create-spinner-class.js +2 -2
- package/dist/spinner/spinner-internals.d.ts +1 -1
- package/dist/spinner/spinner-internals.js +9 -5
- package/dist/spinner/spinner.d.ts +4 -0
- package/dist/spinner/spinner.js +1 -1
- package/dist/stdio/progress.js +6 -2
- package/dist/stdio/prompts.d.ts +2 -10
- package/dist/stdio/prompts.js +11 -24
- package/dist/strings/format.js +1 -1
- package/dist/strings/search.js +1 -1
- package/dist/temporal/instant.js +2 -2
- package/dist/themes/context.d.ts +5 -3
- package/dist/themes/context.js +5 -6
- package/dist/url/assert-safe.d.ts +29 -0
- package/dist/url/assert-safe.js +54 -0
- package/dist/url/predicates.d.ts +31 -1
- package/dist/url/predicates.js +42 -1
- package/dist/url/types.d.ts +4 -0
- package/llms.txt +750 -0
- package/package.json +253 -125
package/dist/strings/format.js
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
-
const require_primordials_math = require('../primordials/math.js');
|
|
5
4
|
const require_primordials_string = require('../primordials/string.js');
|
|
5
|
+
const require_primordials_math = require('../primordials/math.js');
|
|
6
6
|
const require_ansi_strip = require('../ansi/strip.js');
|
|
7
7
|
|
|
8
8
|
//#region src/strings/format.ts
|
package/dist/strings/search.js
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
-
const require_primordials_math = require('../primordials/math.js');
|
|
5
4
|
const require_primordials_string = require('../primordials/string.js');
|
|
5
|
+
const require_primordials_math = require('../primordials/math.js');
|
|
6
6
|
|
|
7
7
|
//#region src/strings/search.ts
|
|
8
8
|
/**
|
package/dist/temporal/instant.js
CHANGED
|
@@ -2,8 +2,8 @@
|
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_primordials_error = require('../primordials/error.js');
|
|
5
|
-
const require_primordials_json = require('../primordials/json.js');
|
|
6
5
|
const require_primordials_object = require('../primordials/object.js');
|
|
6
|
+
const require_primordials_json = require('../primordials/json.js');
|
|
7
7
|
const require_primordials_globals = require('../primordials/globals.js');
|
|
8
8
|
const require_temporal_slots = require('./slots.js');
|
|
9
9
|
|
|
@@ -72,7 +72,7 @@ function describe(value) {
|
|
|
72
72
|
if (typeof value === "bigint") return `${value}n`;
|
|
73
73
|
if (typeof value === "object") {
|
|
74
74
|
const ctor = value.constructor;
|
|
75
|
-
return ctor
|
|
75
|
+
return ctor?.name ? `<${ctor.name}>` : "<object>";
|
|
76
76
|
}
|
|
77
77
|
return typeof value === "string" ? require_primordials_json.JSONStringify(value) : String(value);
|
|
78
78
|
}
|
package/dist/themes/context.d.ts
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
*/
|
|
5
5
|
import type { Theme } from './types';
|
|
6
6
|
import type { ThemeName } from './themes';
|
|
7
|
-
import
|
|
7
|
+
import { getNodeAsyncHooks } from '../node/async-hooks';
|
|
8
8
|
/**
|
|
9
9
|
* Theme change event listener signature.
|
|
10
10
|
*/
|
|
@@ -16,11 +16,13 @@ export type ThemeChangeListener = (theme: Theme) => void;
|
|
|
16
16
|
*/
|
|
17
17
|
export declare function emitThemeChange(theme: Theme): void;
|
|
18
18
|
/**
|
|
19
|
-
* Lazily load the async_hooks module
|
|
19
|
+
* Lazily load the async_hooks module. Aliases the canonical `node/async-hooks`
|
|
20
|
+
* accessor (single owner of the bundler-safe require); kept as an export so
|
|
21
|
+
* this module's surface is unchanged.
|
|
20
22
|
*
|
|
21
23
|
* @private
|
|
22
24
|
*/
|
|
23
|
-
export declare
|
|
25
|
+
export declare const getAsyncHooks: typeof getNodeAsyncHooks;
|
|
24
26
|
/**
|
|
25
27
|
* Get the active theme from context.
|
|
26
28
|
*
|
package/dist/themes/context.js
CHANGED
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_node_async_hooks = require('../node/async-hooks.js');
|
|
4
5
|
const require_primordials_map_set = require('../primordials/map-set.js');
|
|
5
6
|
const require_themes_themes = require('./themes.js');
|
|
6
7
|
|
|
7
8
|
//#region src/themes/context.ts
|
|
8
|
-
let asyncHooks;
|
|
9
9
|
/**
|
|
10
10
|
* Emit theme change event to listeners.
|
|
11
11
|
*
|
|
@@ -15,14 +15,13 @@ function emitThemeChange(theme) {
|
|
|
15
15
|
for (const listener of listeners) listener(theme);
|
|
16
16
|
}
|
|
17
17
|
/**
|
|
18
|
-
* Lazily load the async_hooks module
|
|
18
|
+
* Lazily load the async_hooks module. Aliases the canonical `node/async-hooks`
|
|
19
|
+
* accessor (single owner of the bundler-safe require); kept as an export so
|
|
20
|
+
* this module's surface is unchanged.
|
|
19
21
|
*
|
|
20
22
|
* @private
|
|
21
23
|
*/
|
|
22
|
-
|
|
23
|
-
if (asyncHooks === void 0) asyncHooks = /*@__PURE__*/ require("node:async_hooks");
|
|
24
|
-
return asyncHooks;
|
|
25
|
-
}
|
|
24
|
+
const getAsyncHooks = require_node_async_hooks.getNodeAsyncHooks;
|
|
26
25
|
/**
|
|
27
26
|
* AsyncLocalStorage for theme context isolation.
|
|
28
27
|
*/
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @file SSRF guard for operator- or issuer-supplied URLs — `assertSafeHttpUrl`
|
|
3
|
+
* parses a raw URL, rejects non-HTTP(S) schemes, and refuses hosts that
|
|
4
|
+
* resolve to loopback / private / link-local ranges (cloud metadata, redis,
|
|
5
|
+
* internal services). A server that fetches a URL it did not author (an OAuth
|
|
6
|
+
* issuer, an introspection endpoint advertised in its metadata, a webhook
|
|
7
|
+
* target) runs the candidate through this before the request leaves the box.
|
|
8
|
+
*/
|
|
9
|
+
import type { AssertSafeHttpUrlOptions } from './types';
|
|
10
|
+
/**
|
|
11
|
+
* Parse `rawUrl` and assert it is safe to fetch server-side, returning the
|
|
12
|
+
* parsed `URL`. Throws when the value does not parse, uses a scheme other than
|
|
13
|
+
* `http:` / `https:`, or resolves to a loopback / private / link-local host.
|
|
14
|
+
* Set `allowLocalhost` to permit `localhost` / `127.0.0.1` / `::1` for
|
|
15
|
+
* local-stack development. `label` names the subject in the thrown message.
|
|
16
|
+
*
|
|
17
|
+
* @example
|
|
18
|
+
* ;```typescript
|
|
19
|
+
* assertSafeHttpUrl('https://api.example.com', { label: 'OAuth issuer' })
|
|
20
|
+
* // → URL { href: 'https://api.example.com/' }
|
|
21
|
+
*
|
|
22
|
+
* assertSafeHttpUrl('http://169.254.169.254/latest/meta-data')
|
|
23
|
+
* // → throws: resolves to a private/loopback host
|
|
24
|
+
*
|
|
25
|
+
* assertSafeHttpUrl('ftp://example.com')
|
|
26
|
+
* // → throws: must use http(s)
|
|
27
|
+
* ```
|
|
28
|
+
*/
|
|
29
|
+
export declare function assertSafeHttpUrl(rawUrl: string, options?: AssertSafeHttpUrlOptions | undefined): URL;
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* Socket Lib - Built with rolldown */
|
|
3
|
+
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_url_predicates = require('./predicates.js');
|
|
5
|
+
|
|
6
|
+
//#region src/url/assert-safe.ts
|
|
7
|
+
/**
|
|
8
|
+
* @file SSRF guard for operator- or issuer-supplied URLs — `assertSafeHttpUrl`
|
|
9
|
+
* parses a raw URL, rejects non-HTTP(S) schemes, and refuses hosts that
|
|
10
|
+
* resolve to loopback / private / link-local ranges (cloud metadata, redis,
|
|
11
|
+
* internal services). A server that fetches a URL it did not author (an OAuth
|
|
12
|
+
* issuer, an introspection endpoint advertised in its metadata, a webhook
|
|
13
|
+
* target) runs the candidate through this before the request leaves the box.
|
|
14
|
+
*/
|
|
15
|
+
const UrlCtor = URL;
|
|
16
|
+
/**
|
|
17
|
+
* Parse `rawUrl` and assert it is safe to fetch server-side, returning the
|
|
18
|
+
* parsed `URL`. Throws when the value does not parse, uses a scheme other than
|
|
19
|
+
* `http:` / `https:`, or resolves to a loopback / private / link-local host.
|
|
20
|
+
* Set `allowLocalhost` to permit `localhost` / `127.0.0.1` / `::1` for
|
|
21
|
+
* local-stack development. `label` names the subject in the thrown message.
|
|
22
|
+
*
|
|
23
|
+
* @example
|
|
24
|
+
* ;```typescript
|
|
25
|
+
* assertSafeHttpUrl('https://api.example.com', { label: 'OAuth issuer' })
|
|
26
|
+
* // → URL { href: 'https://api.example.com/' }
|
|
27
|
+
*
|
|
28
|
+
* assertSafeHttpUrl('http://169.254.169.254/latest/meta-data')
|
|
29
|
+
* // → throws: resolves to a private/loopback host
|
|
30
|
+
*
|
|
31
|
+
* assertSafeHttpUrl('ftp://example.com')
|
|
32
|
+
* // → throws: must use http(s)
|
|
33
|
+
* ```
|
|
34
|
+
*/
|
|
35
|
+
function assertSafeHttpUrl(rawUrl, options) {
|
|
36
|
+
const { allowLocalhost = false, label = "URL" } = {
|
|
37
|
+
__proto__: null,
|
|
38
|
+
...options
|
|
39
|
+
};
|
|
40
|
+
let url;
|
|
41
|
+
try {
|
|
42
|
+
url = new UrlCtor(rawUrl);
|
|
43
|
+
} catch {
|
|
44
|
+
throw new Error(`${label} is not a valid URL: ${rawUrl}. Provide an absolute http(s) URL.`);
|
|
45
|
+
}
|
|
46
|
+
if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`${label} must use http(s): ${rawUrl}. Got scheme "${url.protocol}"; use http: or https:.`);
|
|
47
|
+
const { hostname } = url;
|
|
48
|
+
if (allowLocalhost && require_url_predicates.isLoopbackHost(hostname)) return url;
|
|
49
|
+
if (require_url_predicates.isPrivateHost(hostname)) throw new Error(`${label} resolves to a private/loopback host and is refused: ${rawUrl}. Point it at a public host.`);
|
|
50
|
+
return url;
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
//#endregion
|
|
54
|
+
exports.assertSafeHttpUrl = assertSafeHttpUrl;
|
package/dist/url/predicates.d.ts
CHANGED
|
@@ -1,7 +1,37 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* @file URL type-guard predicates — `isUrl` answers whether a value parses as a
|
|
3
|
-
* valid URL via `parseUrl`.
|
|
3
|
+
* valid URL via `parseUrl`. `isLoopbackHost` / `isPrivateHost` classify a
|
|
4
|
+
* hostname for SSRF guards: a server that fetches an operator- or
|
|
5
|
+
* issuer-supplied URL uses these to refuse hosts that resolve to the local
|
|
6
|
+
* machine or an internal network (cloud metadata, redis, link-local).
|
|
4
7
|
*/
|
|
8
|
+
/**
|
|
9
|
+
* Check whether a hostname is a loopback address — `localhost`, `127.0.0.1`, or
|
|
10
|
+
* IPv6 `::1`. Compares case-insensitively; pass a bare hostname, not a URL.
|
|
11
|
+
*
|
|
12
|
+
* @example
|
|
13
|
+
* ;```typescript
|
|
14
|
+
* isLoopbackHost('localhost') // true
|
|
15
|
+
* isLoopbackHost('127.0.0.1') // true
|
|
16
|
+
* isLoopbackHost('example.com') // false
|
|
17
|
+
* ```
|
|
18
|
+
*/
|
|
19
|
+
export declare function isLoopbackHost(hostname: string): boolean;
|
|
20
|
+
/**
|
|
21
|
+
* Check whether a hostname resolves to a private / loopback / link-local
|
|
22
|
+
* address an SSRF probe would target (the local machine, RFC 1918 ranges, IPv6
|
|
23
|
+
* loopback / ULA / link-local). Loopback hosts count as private. Compares
|
|
24
|
+
* case-insensitively; pass a bare hostname, not a URL.
|
|
25
|
+
*
|
|
26
|
+
* @example
|
|
27
|
+
* ;```typescript
|
|
28
|
+
* isPrivateHost('127.0.0.1') // true
|
|
29
|
+
* isPrivateHost('10.0.0.5') // true
|
|
30
|
+
* isPrivateHost('169.254.169.254') // true
|
|
31
|
+
* isPrivateHost('example.com') // false
|
|
32
|
+
* ```
|
|
33
|
+
*/
|
|
34
|
+
export declare function isPrivateHost(hostname: string): boolean;
|
|
5
35
|
/**
|
|
6
36
|
* Check if a value is a valid URL.
|
|
7
37
|
*
|
package/dist/url/predicates.js
CHANGED
|
@@ -1,13 +1,52 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_primordials_string = require('../primordials/string.js');
|
|
5
|
+
const require_primordials_regexp = require('../primordials/regexp.js');
|
|
4
6
|
const require_url_parse = require('./parse.js');
|
|
5
7
|
|
|
6
8
|
//#region src/url/predicates.ts
|
|
7
9
|
/**
|
|
8
10
|
* @file URL type-guard predicates — `isUrl` answers whether a value parses as a
|
|
9
|
-
* valid URL via `parseUrl`.
|
|
11
|
+
* valid URL via `parseUrl`. `isLoopbackHost` / `isPrivateHost` classify a
|
|
12
|
+
* hostname for SSRF guards: a server that fetches an operator- or
|
|
13
|
+
* issuer-supplied URL uses these to refuse hosts that resolve to the local
|
|
14
|
+
* machine or an internal network (cloud metadata, redis, link-local).
|
|
10
15
|
*/
|
|
16
|
+
const PRIVATE_HOST_REGEXP = /^(?:0\.0\.0\.0$|10\.|127\.|169\.254\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.|\[?::1\]?$|\[?fc00:|\[?fd|\[?fe80:)/u;
|
|
17
|
+
/**
|
|
18
|
+
* Check whether a hostname is a loopback address — `localhost`, `127.0.0.1`, or
|
|
19
|
+
* IPv6 `::1`. Compares case-insensitively; pass a bare hostname, not a URL.
|
|
20
|
+
*
|
|
21
|
+
* @example
|
|
22
|
+
* ;```typescript
|
|
23
|
+
* isLoopbackHost('localhost') // true
|
|
24
|
+
* isLoopbackHost('127.0.0.1') // true
|
|
25
|
+
* isLoopbackHost('example.com') // false
|
|
26
|
+
* ```
|
|
27
|
+
*/
|
|
28
|
+
function isLoopbackHost(hostname) {
|
|
29
|
+
const host = require_primordials_string.StringPrototypeToLowerCase(hostname);
|
|
30
|
+
return host === "::1" || host === "127.0.0.1" || host === "localhost";
|
|
31
|
+
}
|
|
32
|
+
/**
|
|
33
|
+
* Check whether a hostname resolves to a private / loopback / link-local
|
|
34
|
+
* address an SSRF probe would target (the local machine, RFC 1918 ranges, IPv6
|
|
35
|
+
* loopback / ULA / link-local). Loopback hosts count as private. Compares
|
|
36
|
+
* case-insensitively; pass a bare hostname, not a URL.
|
|
37
|
+
*
|
|
38
|
+
* @example
|
|
39
|
+
* ;```typescript
|
|
40
|
+
* isPrivateHost('127.0.0.1') // true
|
|
41
|
+
* isPrivateHost('10.0.0.5') // true
|
|
42
|
+
* isPrivateHost('169.254.169.254') // true
|
|
43
|
+
* isPrivateHost('example.com') // false
|
|
44
|
+
* ```
|
|
45
|
+
*/
|
|
46
|
+
function isPrivateHost(hostname) {
|
|
47
|
+
const host = require_primordials_string.StringPrototypeToLowerCase(hostname);
|
|
48
|
+
return isLoopbackHost(host) || require_primordials_regexp.RegExpPrototypeTest(PRIVATE_HOST_REGEXP, host);
|
|
49
|
+
}
|
|
11
50
|
/**
|
|
12
51
|
* Check if a value is a valid URL.
|
|
13
52
|
*
|
|
@@ -23,4 +62,6 @@ function isUrl(value) {
|
|
|
23
62
|
}
|
|
24
63
|
|
|
25
64
|
//#endregion
|
|
65
|
+
exports.isLoopbackHost = isLoopbackHost;
|
|
66
|
+
exports.isPrivateHost = isPrivateHost;
|
|
26
67
|
exports.isUrl = isUrl;
|
package/dist/url/types.d.ts
CHANGED
|
@@ -3,6 +3,10 @@
|
|
|
3
3
|
* `createRelativeUrl`, `urlSearchParamsAs*`, and `urlSearchParamsGet*`. Pure
|
|
4
4
|
* types, no runtime side effects.
|
|
5
5
|
*/
|
|
6
|
+
export interface AssertSafeHttpUrlOptions {
|
|
7
|
+
label?: string | undefined;
|
|
8
|
+
allowLocalhost?: boolean | undefined;
|
|
9
|
+
}
|
|
6
10
|
export interface CreateRelativeUrlOptions {
|
|
7
11
|
base?: string | undefined;
|
|
8
12
|
}
|