@solongate/proxy 0.2.7 → 0.2.9
- package/dist/index.js +12 -1
- package/dist/init.js +12 -1
- package/package.json +1 -1
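--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -451,6 +451,17 @@ const SSRF = [
 /^https?:\\/\\/192\\.168\\./, /^https?:\\/\\/169\\.254\\./,
 /metadata\\.google\\.internal/i,
 ];
+const SSRF_IN_CMD = [
+/https?:\\/\\/localhost\\b/i, /https?:\\/\\/127\\./, /https?:\\/\\/0\\.0\\.0\\.0/,
+/https?:\\/\\/10\\./, /https?:\\/\\/172\\.(1[6-9]|2\\d|3[01])\\./,
+/https?:\\/\\/192\\.168\\./, /https?:\\/\\/169\\.254\\./,
+/metadata\\.google\\.internal/i,
+/\\b127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/, /\\b0\\.0\\.0\\.0\\b/,
+/\\b10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/,
+/\\b172\\.(1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}\\b/,
+/\\b192\\.168\\.\\d{1,3}\\.\\d{1,3}\\b/,
+/\\b169\\.254\\.\\d{1,3}\\.\\d{1,3}\\b/,
+];
 const SQL_INJECTION = [
 /'\\s{0,20}(OR|AND)\\s{0,20}'.{0,200}'/i,
 /'\\s{0,10};\\s{0,10}(DROP|DELETE|UPDATE|INSERT|ALTER|CREATE|EXEC)/i,
@@ -493,7 +504,7 @@ const PATH_ARGS = ['file_path', 'path', 'pattern', 'directory', 'url', 'uri', 'n
 function checkBashCommand(cmd) {
 if (typeof cmd !== 'string') return null;
 for (const p of DANGEROUS_COMMANDS) if (p.test(cmd)) return 'Dangerous command blocked: ' + cmd.slice(0, 80);
-for (const p of
+for (const p of SSRF_IN_CMD) if (p.test(cmd)) return 'SSRF attempt blocked in command: ' + cmd.slice(0, 80);
 return null;
 }
 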
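Review bot: `SSRF_IN_CMD` (new lines 454–464) carries no comment explaining why it is a second, unanchored copy of the `SSRF` patterns plus bare-IPv4 forms, so a maintainer who adds a range to `SSRF` has no cue to update this list as well; the identical copy is added to init.js in this commit and has the same gap. A one-line comment on the declaration would cover it: `// Unanchored variants of SSRF plus bare IPv4 literals, for scanning anywhere in a shell command; keep in sync with SSRF.` The comment should also state that this is a best-effort denylist over the literal command text — it matches IPv4 literals and the `localhost` name only — so callers do not read a null result from `checkBashCommand` as proof that the command reaches no internal address. The removed `for (const p of` line is truncated on this page, so what the old loop iterated cannot be confirmed here.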
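--- a/package/dist/init.js
+++ b/package/dist/init.js
@@ -170,6 +170,17 @@ const SSRF = [
 /^https?:\\/\\/192\\.168\\./, /^https?:\\/\\/169\\.254\\./,
 /metadata\\.google\\.internal/i,
 ];
+const SSRF_IN_CMD = [
+/https?:\\/\\/localhost\\b/i, /https?:\\/\\/127\\./, /https?:\\/\\/0\\.0\\.0\\.0/,
+/https?:\\/\\/10\\./, /https?:\\/\\/172\\.(1[6-9]|2\\d|3[01])\\./,
+/https?:\\/\\/192\\.168\\./, /https?:\\/\\/169\\.254\\./,
+/metadata\\.google\\.internal/i,
+/\\b127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/, /\\b0\\.0\\.0\\.0\\b/,
+/\\b10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/,
+/\\b172\\.(1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}\\b/,
+/\\b192\\.168\\.\\d{1,3}\\.\\d{1,3}\\b/,
+/\\b169\\.254\\.\\d{1,3}\\.\\d{1,3}\\b/,
+];
 const SQL_INJECTION = [
 /'\\s{0,20}(OR|AND)\\s{0,20}'.{0,200}'/i,
 /'\\s{0,10};\\s{0,10}(DROP|DELETE|UPDATE|INSERT|ALTER|CREATE|EXEC)/i,
@@ -212,7 +223,7 @@ const PATH_ARGS = ['file_path', 'path', 'pattern', 'directory', 'url', 'uri', 'n
 function checkBashCommand(cmd) {
 if (typeof cmd !== 'string') return null;
 for (const p of DANGEROUS_COMMANDS) if (p.test(cmd)) return 'Dangerous command blocked: ' + cmd.slice(0, 80);
-for (const p of
+for (const p of SSRF_IN_CMD) if (p.test(cmd)) return 'SSRF attempt blocked in command: ' + cmd.slice(0, 80);
 return null;
 }
 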
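--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@solongate/proxy",
-"version": "0.2.
+"version": "0.2.9",
 "description": "MCP security proxy \u00e2\u20ac\u201d protect any MCP server with policies, input validation, rate limiting, and audit logging. Zero code changes required.",
 "type": "module",
 "bin": {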