@workglow/tasks 0.2.3 → 0.2.5

package/dist/node.js

@@ -161,6 +161,7 @@ import { lookup as dnsLookup } from "node:dns/promises";
 import { Agent, fetch as undiciFetch } from "undici";
 
 // src/util/UrlClassifier.ts
+import { resourcePatternMatches } from "@workglow/task-graph";
 import ipaddr from "ipaddr.js";
 var PRIVATE_EXACT_HOSTS = new Set([
   "localhost",
@@ -374,28 +375,44 @@ function urlResourcePattern(urlStr) {
   const origin = parsed.port.length > 0 ? `${parsed.protocol}//${parsed.host}` : `${parsed.protocol}//${parsed.hostname}`;
   return `${origin}/*`;
 }
+function urlMatchesScope(url, patterns) {
+  let canonical;
+  try {
+    const parsed = new URL(url);
+    parsed.hostname = normalizeHost(parsed.hostname);
+    canonical = parsed.toString();
+  } catch {
+    return false;
+  }
+  return patterns.some((pat) => resourcePatternMatches(pat, canonical));
+}
 
 // src/util/SafeFetch.ts
 import { PermanentJobError } from "@workglow/job-queue";
 var MAX_REDIRECT_HOPS = 20;
-function assertAllowedUrl(url, allowPrivate) {
+function assertAllowedUrl(url, allowPrivate, privateResourceScopes) {
   const classification = classifyUrl(url);
   if (classification.kind === "invalid") {
     throw new PermanentJobError(`Refusing to fetch invalid URL: ${classification.reason}`);
   }
-  if (classification.kind === "private" && !allowPrivate) {
+  if (classification.kind !== "private")
+    return;
+  if (!allowPrivate) {
     throw new PermanentJobError(`Refusing to fetch private/internal URL ${url}: ${classification.reason}. ` + `Grant the 'network:private' entitlement to allow this request.`);
   }
+  if (privateResourceScopes !== undefined && !urlMatchesScope(url, privateResourceScopes)) {
+    throw new PermanentJobError(`Refusing to fetch private/internal URL ${url}: outside granted network:private scope ` + `[${privateResourceScopes.join(", ")}]. A compromised upstream may be attempting ` + `to escape the task's authorized private-host origin.`);
+  }
 }
 function isRedirectStatus(status) {
   return status === 301 || status === 302 || status === 303 || status === 307 || status === 308;
 }
 async function defaultSafeFetch(url, options) {
   const requestedRedirectMode = options.redirect ?? "follow";
-  const { allowPrivate, redirect: _redirect, ...fetchOptions } = options;
+  const { allowPrivate, privateResourceScopes, redirect: _redirect, ...fetchOptions } = options;
   let currentUrl = url;
   for (let hops = 0;hops <= MAX_REDIRECT_HOPS; hops += 1) {
-    assertAllowedUrl(currentUrl, allowPrivate);
+    assertAllowedUrl(currentUrl, allowPrivate, privateResourceScopes);
     const response = await globalThis.fetch(currentUrl, {
       ...fetchOptions,
       redirect: "manual"
@@ -465,6 +482,9 @@ async function fetchOneHop(url, opts, fetchInit) {
   if (classification.kind === "private" && !opts.allowPrivate) {
     throw new PermanentJobError2(`Refusing to fetch private/internal URL ${url}: ${classification.reason}. ` + `Grant the 'network:private' entitlement to allow this request.`);
   }
+  if (classification.kind === "private" && opts.privateResourceScopes !== undefined && !urlMatchesScope(url, opts.privateResourceScopes)) {
+    throw new PermanentJobError2(`Refusing to fetch ${url}: outside granted network:private scope ` + `[${opts.privateResourceScopes.join(", ")}]. A compromised upstream may be attempting ` + `to escape the task's authorized private-host origin.`);
+  }
   const parsed = new URL(url);
   const host = classification.host ?? parsed.hostname.toLowerCase();
   let pinned;
@@ -510,7 +530,12 @@ async function fetchOneHop(url, opts, fetchInit) {
 var serverSafeFetch = async (url, options) => {
   const opts = options ?? {};
   const requestedRedirectMode = opts.redirect ?? "follow";
-  const { allowPrivate: _allowPrivate, redirect: _redirect, ...fetchInit } = opts;
+  const {
+    allowPrivate: _allowPrivate,
+    privateResourceScopes: _privateResourceScopes,
+    redirect: _redirect,
+    ...fetchInit
+  } = opts;
   let currentUrl = url;
   let prevDispatcher;
   for (let hops = 0;hops <= MAX_REDIRECT_HOPS2; hops += 1) {
@@ -2432,12 +2457,14 @@ class FetchUrlJob extends Job {
     if (classification.kind === "invalid") {
       throw new PermanentJobError3(`Refusing to fetch invalid URL ${input.url}: ${classification.reason ?? "malformed"}`);
     }
+    const isPrivate = classification.kind === "private";
     const response = await fetchWithProgress(input.url, {
       method: input.method,
       headers: input.headers,
       body: input.body,
       signal: context.signal,
-      allowPrivate: classification.kind === "private"
+      allowPrivate: isPrivate,
+      privateResourceScopes: isPrivate ? [urlResourcePattern(input.url)] : undefined
     }, async (progress) => await context.updateProgress(progress));
     if (response.ok) {
       const contentType = response.headers.get("content-type") ?? "";
@@ -12554,6 +12581,7 @@ var registerCommonTasks2 = () => {
 };
 export {
   urlResourcePattern,
+  urlMatchesScope,
   tryNormalizeIPv4,
   split,
   setGlobalMcpServerRepository,
@@ -12703,4 +12731,4 @@ export {
   ArrayTask
 };
 
-//# debugId=4A1D9A65F809EEAD64756E2164756E21
+//# debugId=265ADF95A5E9A9D764756E2164756E21