npm - astro - Versions diffs - 5.17.1 → 5.17.2 - Mend

astro 5.17.1 → 5.17.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/cli/infra/build-time-astro-version-provider.js +1 -1
package/dist/content/content-layer.js +3 -3
package/dist/core/app/node.js +10 -7
package/dist/core/app/validate-headers.d.ts +17 -0
package/dist/core/app/validate-headers.js +80 -0
package/dist/core/constants.js +1 -1
package/dist/core/dev/dev.js +1 -1
package/dist/core/messages.js +2 -2
package/package.json +4 -4

package/dist/cli/infra/build-time-astro-version-provider.js CHANGED Viewed

@@ -1,6 +1,6 @@
 class BuildTimeAstroVersionProvider {
   // Injected during the build through esbuild define
-  version = "5.17.1";
+  version = "5.17.2";
 }
 export {
   BuildTimeAstroVersionProvider

package/dist/content/content-layer.js CHANGED Viewed

@@ -164,7 +164,7 @@ ${contentConfig.error.message}`);
       logger.info("Content config changed");
       shouldClear = true;
     }
-    if (previousAstroVersion && previousAstroVersion !== "5.17.1") {
+    if (previousAstroVersion && previousAstroVersion !== "5.17.2") {
       logger.info("Astro version changed");
       shouldClear = true;
     }
@@ -172,8 +172,8 @@ ${contentConfig.error.message}`);
       logger.info("Clearing content store");
       this.#store.clearAll();
     }
-    if ("5.17.1") {
-      await this.#store.metaStore().set("astro-version", "5.17.1");
+    if ("5.17.2") {
+      await this.#store.metaStore().set("astro-version", "5.17.2");
     }
     if (currentConfigDigest) {
       await this.#store.metaStore().set("content-config-digest", currentConfigDigest);

package/dist/core/app/node.js CHANGED Viewed

@@ -4,6 +4,7 @@ import { clientAddressSymbol, nodeRequestAbortControllerCleanupSymbol } from "..
 import { deserializeManifest } from "./common.js";
 import { createOutgoingHttpHeaders } from "./createOutgoingHttpHeaders.js";
 import { App } from "./index.js";
+import { validateForwardedHeaders, validateHost } from "./validate-headers.js";
 import { apply } from "../polyfill.js";
 class NodeApp extends App {
   headersMap = void 0;
@@ -50,26 +51,28 @@ class NodeApp extends App {
       return multiValueHeader?.toString()?.split(",").map((e) => e.trim())?.[0];
     };
     const providedProtocol = isEncrypted ? "https" : "http";
-    const providedHostname = req.headers.host ?? req.headers[":authority"];
-    const validated = App.validateForwardedHeaders(
+    const untrustedHostname = req.headers.host ?? req.headers[":authority"];
+    const validated = validateForwardedHeaders(
       getFirstForwardedValue(req.headers["x-forwarded-proto"]),
       getFirstForwardedValue(req.headers["x-forwarded-host"]),
       getFirstForwardedValue(req.headers["x-forwarded-port"]),
       allowedDomains
     );
     const protocol = validated.protocol ?? providedProtocol;
-    const sanitizedProvidedHostname = App.sanitizeHost(
-      typeof providedHostname === "string" ? providedHostname : void 0
+    const validatedHostname = validateHost(
+      typeof untrustedHostname === "string" ? untrustedHostname : void 0,
+      protocol,
+      allowedDomains
     );
-    const hostname = validated.host ?? sanitizedProvidedHostname;
+    const hostname = validated.host ?? validatedHostname ?? "localhost";
     const port = validated.port;
     let url;
     try {
       const hostnamePort = getHostnamePort(hostname, port);
       url = new URL(`${protocol}://${hostnamePort}${req.url}`);
     } catch {
-      const hostnamePort = getHostnamePort(providedHostname, port);
-      url = new URL(`${providedProtocol}://${hostnamePort}`);
+      const hostnamePort = getHostnamePort(hostname, port);
+      url = new URL(`${protocol}://${hostnamePort}`);
     }
     const options = {
       method: req.method || "GET",

package/dist/core/app/validate-headers.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import { type RemotePattern } from '@astrojs/internal-helpers/remote';
+/**
+ * Validate a host against allowedDomains.
+ * Returns the host only if it matches an allowed pattern, otherwise undefined.
+ * This prevents SSRF attacks by ensuring the Host header is trusted.
+ */
+export declare function validateHost(host: string | undefined, protocol: string, allowedDomains?: Partial<RemotePattern>[]): string | undefined;
+/**
+ * Validate forwarded headers (proto, host, port) against allowedDomains.
+ * Returns validated values or undefined for rejected headers.
+ * Uses strict defaults: http/https only for proto, rejects port if not in allowedDomains.
+ */
+export declare function validateForwardedHeaders(forwardedProtocol?: string, forwardedHost?: string, forwardedPort?: string, allowedDomains?: Partial<RemotePattern>[]): {
+    protocol?: string;
+    host?: string;
+    port?: string;
+};

package/dist/core/app/validate-headers.js ADDED Viewed

@@ -0,0 +1,80 @@
+import { matchPattern } from "@astrojs/internal-helpers/remote";
+function sanitizeHost(hostname) {
+  if (!hostname) return void 0;
+  if (/[/\\]/.test(hostname)) return void 0;
+  return hostname;
+}
+function parseHost(host) {
+  const parts = host.split(":");
+  return {
+    hostname: parts[0],
+    port: parts[1]
+  };
+}
+function matchesAllowedDomains(hostname, protocol, port, allowedDomains) {
+  const hostWithPort = port ? `${hostname}:${port}` : hostname;
+  const urlString = `${protocol}://${hostWithPort}`;
+  if (!URL.canParse(urlString)) {
+    return false;
+  }
+  const testUrl = new URL(urlString);
+  return allowedDomains.some((pattern) => matchPattern(testUrl, pattern));
+}
+function validateHost(host, protocol, allowedDomains) {
+  if (!host || host.length === 0) return void 0;
+  if (!allowedDomains || allowedDomains.length === 0) return void 0;
+  const sanitized = sanitizeHost(host);
+  if (!sanitized) return void 0;
+  const { hostname, port } = parseHost(sanitized);
+  if (matchesAllowedDomains(hostname, protocol, port, allowedDomains)) {
+    return sanitized;
+  }
+  return void 0;
+}
+function validateForwardedHeaders(forwardedProtocol, forwardedHost, forwardedPort, allowedDomains) {
+  const result = {};
+  if (forwardedProtocol) {
+    if (allowedDomains && allowedDomains.length > 0) {
+      const hasProtocolPatterns = allowedDomains.some((pattern) => pattern.protocol !== void 0);
+      if (hasProtocolPatterns) {
+        try {
+          const testUrl = new URL(`${forwardedProtocol}://example.com`);
+          const isAllowed = allowedDomains.some((pattern) => matchPattern(testUrl, pattern));
+          if (isAllowed) {
+            result.protocol = forwardedProtocol;
+          }
+        } catch {
+        }
+      } else if (/^https?$/.test(forwardedProtocol)) {
+        result.protocol = forwardedProtocol;
+      }
+    } else if (/^https?$/.test(forwardedProtocol)) {
+      result.protocol = forwardedProtocol;
+    }
+  }
+  if (forwardedPort && allowedDomains && allowedDomains.length > 0) {
+    const hasPortPatterns = allowedDomains.some((pattern) => pattern.port !== void 0);
+    if (hasPortPatterns) {
+      const isAllowed = allowedDomains.some((pattern) => pattern.port === forwardedPort);
+      if (isAllowed) {
+        result.port = forwardedPort;
+      }
+    }
+  }
+  if (forwardedHost && forwardedHost.length > 0 && allowedDomains && allowedDomains.length > 0) {
+    const protoForValidation = result.protocol || "https";
+    const sanitized = sanitizeHost(forwardedHost);
+    if (sanitized) {
+      const { hostname, port: portFromHost } = parseHost(sanitized);
+      const portForValidation = result.port || portFromHost;
+      if (matchesAllowedDomains(hostname, protoForValidation, portForValidation, allowedDomains)) {
+        result.host = sanitized;
+      }
+    }
+  }
+  return result;
+}
+export {
+  validateForwardedHeaders,
+  validateHost
+};

package/dist/core/constants.js CHANGED Viewed

@@ -1,4 +1,4 @@
-const ASTRO_VERSION = "5.17.1";
+const ASTRO_VERSION = "5.17.2";
 const REROUTE_DIRECTIVE_HEADER = "X-Astro-Reroute";
 const REWRITE_DIRECTIVE_HEADER_KEY = "X-Astro-Rewrite";
 const REWRITE_DIRECTIVE_HEADER_VALUE = "yes";

package/dist/core/dev/dev.js CHANGED Viewed

@@ -22,7 +22,7 @@ async function dev(inlineConfig) {
   await telemetry.record([]);
   const restart = await createContainerWithAutomaticRestart({ inlineConfig, fs });
   const logger = restart.container.logger;
-  const currentVersion = "5.17.1";
+  const currentVersion = "5.17.2";
   const isPrerelease = currentVersion.includes("-");
   if (!isPrerelease) {
     try {

package/dist/core/messages.js CHANGED Viewed

@@ -38,7 +38,7 @@ function serverStart({
   host,
   base
 }) {
-  const version = "5.17.1";
+  const version = "5.17.2";
   const localPrefix = `${dim("\u2503")} Local    `;
   const networkPrefix = `${dim("\u2503")} Network  `;
   const emptyPrefix = " ".repeat(11);
@@ -275,7 +275,7 @@ function printHelp({
     message.push(
       linebreak(),
       `  ${bgGreen(black(` ${commandName} `))} ${green(
-        `v${"5.17.1"}`
+        `v${"5.17.2"}`
       )} ${headline}`
     );
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "astro",
-  "version": "5.17.1",
+  "version": "5.17.2",
   "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
   "type": "module",
   "author": "withastro",
@@ -113,7 +113,7 @@
     "dlv": "^1.1.3",
     "dset": "^3.1.4",
     "es-module-lexer": "^1.7.0",
-    "esbuild": "^0.25.0",
+    "esbuild": "^0.27.0",
     "estree-walker": "^3.0.3",
     "flattie": "^1.1.1",
     "fontace": "~0.4.0",
@@ -154,8 +154,8 @@
     "zod-to-json-schema": "^3.25.1",
     "zod-to-ts": "^1.2.0",
     "@astrojs/internal-helpers": "0.7.5",
-    "@astrojs/telemetry": "3.3.0",
-    "@astrojs/markdown-remark": "6.3.10"
+    "@astrojs/markdown-remark": "6.3.10",
+    "@astrojs/telemetry": "3.3.0"
   },
   "optionalDependencies": {
     "sharp": "^0.34.0"