@workglow/tasks 0.2.3 → 0.2.5

package/dist/browser.js

@@ -725,6 +725,7 @@ Workflow10.prototype.sum = CreateAdaptiveWorkflow(ScalarSumTask, VectorSumTask);
 import { PermanentJobError } from "@workglow/job-queue";
 
 // src/util/UrlClassifier.ts
+import { resourcePatternMatches } from "@workglow/task-graph";
 import ipaddr from "ipaddr.js";
 var PRIVATE_EXACT_HOSTS = new Set([
   "localhost",
@@ -938,27 +939,43 @@ function urlResourcePattern(urlStr) {
   const origin = parsed.port.length > 0 ? `${parsed.protocol}//${parsed.host}` : `${parsed.protocol}//${parsed.hostname}`;
   return `${origin}/*`;
 }
+function urlMatchesScope(url, patterns) {
+  let canonical;
+  try {
+    const parsed = new URL(url);
+    parsed.hostname = normalizeHost(parsed.hostname);
+    canonical = parsed.toString();
+  } catch {
+    return false;
+  }
+  return patterns.some((pat) => resourcePatternMatches(pat, canonical));
+}
 
 // src/util/SafeFetch.ts
 var MAX_REDIRECT_HOPS = 20;
-function assertAllowedUrl(url, allowPrivate) {
+function assertAllowedUrl(url, allowPrivate, privateResourceScopes) {
   const classification = classifyUrl(url);
   if (classification.kind === "invalid") {
     throw new PermanentJobError(`Refusing to fetch invalid URL: ${classification.reason}`);
   }
-  if (classification.kind === "private" && !allowPrivate) {
+  if (classification.kind !== "private")
+    return;
+  if (!allowPrivate) {
     throw new PermanentJobError(`Refusing to fetch private/internal URL ${url}: ${classification.reason}. ` + `Grant the 'network:private' entitlement to allow this request.`);
   }
+  if (privateResourceScopes !== undefined && !urlMatchesScope(url, privateResourceScopes)) {
+    throw new PermanentJobError(`Refusing to fetch private/internal URL ${url}: outside granted network:private scope ` + `[${privateResourceScopes.join(", ")}]. A compromised upstream may be attempting ` + `to escape the task's authorized private-host origin.`);
+  }
 }
 function isRedirectStatus(status) {
   return status === 301 || status === 302 || status === 303 || status === 307 || status === 308;
 }
 async function defaultSafeFetch(url, options) {
   const requestedRedirectMode = options.redirect ?? "follow";
-  const { allowPrivate, redirect: _redirect, ...fetchOptions } = options;
+  const { allowPrivate, privateResourceScopes, redirect: _redirect, ...fetchOptions } = options;
   let currentUrl = url;
   for (let hops = 0;hops <= MAX_REDIRECT_HOPS; hops += 1) {
-    assertAllowedUrl(currentUrl, allowPrivate);
+    assertAllowedUrl(currentUrl, allowPrivate, privateResourceScopes);
     const response = await globalThis.fetch(currentUrl, {
       ...fetchOptions,
       redirect: "manual"
@@ -2338,12 +2355,14 @@ class FetchUrlJob extends Job {
     if (classification.kind === "invalid") {
       throw new PermanentJobError2(`Refusing to fetch invalid URL ${input.url}: ${classification.reason ?? "malformed"}`);
     }
+    const isPrivate = classification.kind === "private";
     const response = await fetchWithProgress(input.url, {
       method: input.method,
       headers: input.headers,
       body: input.body,
       signal: context.signal,
-      allowPrivate: classification.kind === "private"
+      allowPrivate: isPrivate,
+      privateResourceScopes: isPrivate ? [urlResourcePattern(input.url)] : undefined
     }, async (progress) => await context.updateProgress(progress));
     if (response.ok) {
       const contentType = response.headers.get("content-type") ?? "";
@@ -12262,6 +12281,7 @@ var registerCommonTasks2 = () => {
 };
 export {
   urlResourcePattern,
+  urlMatchesScope,
   tryNormalizeIPv4,
   split,
   setGlobalMcpServerRepository,
@@ -12411,4 +12431,4 @@ export {
   ArrayTask
 };
 
-//# debugId=D1A8BE957A811A1A64756E2164756E21
+//# debugId=F4110230C527F84264756E2164756E21