npm - browserclaw - Versions diffs - 0.11.0 → 0.11.2 - Mend

browserclaw 0.11.0 → 0.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js CHANGED Viewed

@@ -1207,11 +1207,14 @@ function safeWriteJson(filePath, data) {
 function setDeep(obj, keys, value) {
   let node = obj;
   for (const key of keys.slice(0, -1)) {
+    if (key === "__proto__" || key === "constructor" || key === "prototype") return;
     const next = node[key];
     if (typeof next !== "object" || next === null || Array.isArray(next)) node[key] = {};
     node = node[key];
   }
-  node[keys[keys.length - 1]] = value;
+  const lastKey = keys[keys.length - 1];
+  if (lastKey === "__proto__" || lastKey === "constructor" || lastKey === "prototype") return;
+  node[lastKey] = value;
 }
 function parseHexRgbToSignedArgbInt(hex) {
   const cleaned = hex.trim().replace(/^#/, "");
@@ -1265,7 +1268,8 @@ function isWebSocketUrl(url) {
   }
 }
 function isLoopbackHost(hostname) {
-  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
+  const h = hostname.replace(/\.+$/, "");
+  return h === "localhost" || h === "127.0.0.1" || h === "::1" || h === "[::1]";
 }
 var PROXY_ENV_KEYS = ["HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY", "http_proxy", "https_proxy", "all_proxy"];
 function hasProxyEnvConfigured(env = process.env) {
@@ -1917,6 +1921,56 @@ function bumpDownloadArmId() {
   nextDownloadArmId += 1;
   return nextDownloadArmId;
 }
+var BlockedBrowserTargetError = class extends Error {
+  constructor() {
+    super("Browser target is unavailable after SSRF policy blocked its navigation.");
+    this.name = "BlockedBrowserTargetError";
+  }
+};
+var blockedTargetsByCdpUrl = /* @__PURE__ */ new Set();
+var blockedPageRefsByCdpUrl = /* @__PURE__ */ new Map();
+function blockedTargetKey(cdpUrl, targetId) {
+  return `${normalizeCdpUrl(cdpUrl)}::${targetId}`;
+}
+function isBlockedTarget(cdpUrl, targetId) {
+  const normalized = targetId?.trim() ?? "";
+  if (normalized === "") return false;
+  return blockedTargetsByCdpUrl.has(blockedTargetKey(cdpUrl, normalized));
+}
+function markTargetBlocked(cdpUrl, targetId) {
+  const normalized = targetId?.trim() ?? "";
+  if (normalized === "") return;
+  blockedTargetsByCdpUrl.add(blockedTargetKey(cdpUrl, normalized));
+}
+function clearBlockedTarget(cdpUrl, targetId) {
+  const normalized = targetId?.trim() ?? "";
+  if (normalized === "") return;
+  blockedTargetsByCdpUrl.delete(blockedTargetKey(cdpUrl, normalized));
+}
+function hasBlockedTargetsForCdpUrl(cdpUrl) {
+  const prefix = `${normalizeCdpUrl(cdpUrl)}::`;
+  for (const key of blockedTargetsByCdpUrl) {
+    if (key.startsWith(prefix)) return true;
+  }
+  return false;
+}
+function blockedPageRefsForCdpUrl(cdpUrl) {
+  const normalized = normalizeCdpUrl(cdpUrl);
+  const existing = blockedPageRefsByCdpUrl.get(normalized);
+  if (existing) return existing;
+  const created = /* @__PURE__ */ new WeakSet();
+  blockedPageRefsByCdpUrl.set(normalized, created);
+  return created;
+}
+function isBlockedPageRef(cdpUrl, page) {
+  return blockedPageRefsByCdpUrl.get(normalizeCdpUrl(cdpUrl))?.has(page) ?? false;
+}
+function markPageRefBlocked(cdpUrl, page) {
+  blockedPageRefsForCdpUrl(cdpUrl).add(page);
+}
+function clearBlockedPageRef(cdpUrl, page) {
+  blockedPageRefsByCdpUrl.get(normalizeCdpUrl(cdpUrl))?.delete(page);
+}
 function ensureContextState(context) {
   const existing = contextStates.get(context);
   if (existing) return existing;
@@ -2357,11 +2411,43 @@ async function findPageByTargetId(browser, targetId, cdpUrl) {
   if (!resolvedViaCdp && pages.length === 1) return pages[0] ?? null;
   return null;
 }
+async function partitionAccessiblePages(opts) {
+  const accessible = [];
+  let blockedCount = 0;
+  for (const page of opts.pages) {
+    if (isBlockedPageRef(opts.cdpUrl, page)) {
+      blockedCount += 1;
+      continue;
+    }
+    const targetId = await pageTargetId(page).catch(() => null);
+    if (targetId === null || targetId === "") {
+      if (hasBlockedTargetsForCdpUrl(opts.cdpUrl)) {
+        blockedCount += 1;
+        continue;
+      }
+      accessible.push(page);
+      continue;
+    }
+    if (isBlockedTarget(opts.cdpUrl, targetId)) {
+      blockedCount += 1;
+      continue;
+    }
+    accessible.push(page);
+  }
+  return { accessible, blockedCount };
+}
 async function getPageForTargetId(opts) {
+  if (opts.targetId !== void 0 && opts.targetId !== "" && isBlockedTarget(opts.cdpUrl, opts.targetId))
+    throw new BlockedBrowserTargetError();
   const { browser } = await connectBrowser(opts.cdpUrl);
   const pages = getAllPages(browser);
   if (!pages.length) throw new Error("No pages available in the connected browser.");
-  const first = pages[0];
+  const { accessible, blockedCount } = await partitionAccessiblePages({ cdpUrl: opts.cdpUrl, pages });
+  if (!accessible.length) {
+    if (blockedCount > 0) throw new BlockedBrowserTargetError();
+    throw new Error("No pages available in the connected browser.");
+  }
+  const first = accessible[0];
   if (opts.targetId === void 0 || opts.targetId === "") return first;
   const found = await findPageByTargetId(browser, opts.targetId, opts.cdpUrl);
   if (!found) {
@@ -2370,6 +2456,10 @@ async function getPageForTargetId(opts) {
       `Tab not found (targetId: ${opts.targetId}). Call browser.tabs() to list open tabs.`
     );
   }
+  if (isBlockedPageRef(opts.cdpUrl, found)) throw new BlockedBrowserTargetError();
+  const foundTargetId = await pageTargetId(found).catch(() => null);
+  if (foundTargetId !== null && foundTargetId !== "" && isBlockedTarget(opts.cdpUrl, foundTargetId))
+    throw new BlockedBrowserTargetError();
   return found;
 }
 async function resolvePageByTargetIdOrThrow(opts) {
@@ -3497,6 +3587,82 @@ function isRetryableNavigateError(err) {
   const msg = typeof err === "string" ? err.toLowerCase() : err instanceof Error ? err.message.toLowerCase() : "";
   return msg.includes("frame has been detached") || msg.includes("target page, context or browser has been closed");
 }
+function isPolicyDenyNavigationError(err) {
+  return err instanceof InvalidBrowserNavigationUrlError;
+}
+function isTopLevelNavigationRequest(page, request) {
+  if (!request.isNavigationRequest()) return false;
+  try {
+    return request.frame() === page.mainFrame();
+  } catch {
+    return true;
+  }
+}
+async function closeBlockedNavigationTarget(opts) {
+  markPageRefBlocked(opts.cdpUrl, opts.page);
+  const resolvedTargetId = await pageTargetId(opts.page).catch(() => null);
+  const fallbackTargetId = opts.targetId?.trim() ?? "";
+  const targetIdToBlock = resolvedTargetId ?? fallbackTargetId;
+  if (targetIdToBlock) markTargetBlocked(opts.cdpUrl, targetIdToBlock);
+  await opts.page.close().catch((e) => {
+    console.warn("[browserclaw] failed to close blocked page", e);
+  });
+}
+async function assertPageNavigationCompletedSafely(opts) {
+  const navigationPolicy = withBrowserNavigationPolicy(opts.ssrfPolicy);
+  try {
+    await assertBrowserNavigationRedirectChainAllowed({ request: opts.response?.request(), ...navigationPolicy });
+    await assertBrowserNavigationResultAllowed({ url: opts.page.url(), ...navigationPolicy });
+  } catch (err) {
+    if (isPolicyDenyNavigationError(err))
+      await closeBlockedNavigationTarget({ cdpUrl: opts.cdpUrl, page: opts.page, targetId: opts.targetId });
+    throw err;
+  }
+}
+async function gotoPageWithNavigationGuard(opts) {
+  const navigationPolicy = withBrowserNavigationPolicy(opts.ssrfPolicy);
+  const state = { blocked: null };
+  const handler = async (route, request) => {
+    if (state.blocked !== null) {
+      await route.abort().catch((e) => {
+        console.warn("[browserclaw] route abort failed", e);
+      });
+      return;
+    }
+    if (!isTopLevelNavigationRequest(opts.page, request)) {
+      await route.continue();
+      return;
+    }
+    try {
+      await assertBrowserNavigationAllowed({ url: request.url(), ...navigationPolicy });
+    } catch (err) {
+      if (isPolicyDenyNavigationError(err)) {
+        state.blocked = err;
+        await route.abort().catch((e) => {
+          console.warn("[browserclaw] route abort failed", e);
+        });
+        return;
+      }
+      throw err;
+    }
+    await route.continue();
+  };
+  await opts.page.route("**", handler);
+  try {
+    const response = await opts.page.goto(opts.url, { timeout: opts.timeoutMs });
+    if (state.blocked !== null) throw state.blocked;
+    return response;
+  } catch (err) {
+    if (state.blocked !== null) throw state.blocked;
+    throw err;
+  } finally {
+    await opts.page.unroute("**", handler).catch((e) => {
+      console.warn("[browserclaw] route unroute failed", e);
+    });
+    if (state.blocked !== null)
+      await closeBlockedNavigationTarget({ cdpUrl: opts.cdpUrl, page: opts.page, targetId: opts.targetId });
+  }
+}
 async function navigateViaPlaywright(opts) {
   const url = opts.url.trim();
   if (!url) throw new Error("url is required");
@@ -3505,7 +3671,14 @@ async function navigateViaPlaywright(opts) {
   const timeout = Math.max(1e3, Math.min(12e4, opts.timeoutMs ?? 2e4));
   let page = await getPageForTargetId({ cdpUrl: opts.cdpUrl, targetId: opts.targetId });
   ensurePageState(page);
-  const navigate = async () => await page.goto(url, { timeout });
+  const navigate = async () => await gotoPageWithNavigationGuard({
+    cdpUrl: opts.cdpUrl,
+    page,
+    url,
+    timeoutMs: timeout,
+    ssrfPolicy: policy,
+    targetId: opts.targetId
+  });
   let response;
   try {
     response = await navigate();
@@ -3519,21 +3692,23 @@ async function navigateViaPlaywright(opts) {
     ensurePageState(page);
     response = await navigate();
   }
-  await assertBrowserNavigationRedirectChainAllowed({
-    request: response?.request(),
-    ...withBrowserNavigationPolicy(policy)
+  await assertPageNavigationCompletedSafely({
+    cdpUrl: opts.cdpUrl,
+    page,
+    response,
+    ssrfPolicy: policy,
+    targetId: opts.targetId
   });
-  const finalUrl = page.url();
-  await assertBrowserNavigationResultAllowed({ url: finalUrl, ...withBrowserNavigationPolicy(policy) });
-  return { url: finalUrl };
+  return { url: page.url() };
 }
 async function listPagesViaPlaywright(opts) {
   const { browser } = await connectBrowser(opts.cdpUrl);
   const pages = getAllPages(browser);
   const results = [];
   for (const page of pages) {
+    if (isBlockedPageRef(opts.cdpUrl, page)) continue;
     const tid = await pageTargetId(page).catch(() => null);
-    if (tid !== null && tid !== "")
+    if (tid !== null && tid !== "" && !isBlockedTarget(opts.cdpUrl, tid))
       results.push({
         targetId: tid,
         title: await page.title().catch(() => ""),
@@ -3549,18 +3724,35 @@ async function createPageViaPlaywright(opts) {
   ensureContextState(context);
   const page = await context.newPage();
   ensurePageState(page);
+  clearBlockedPageRef(opts.cdpUrl, page);
+  const createdTargetId = await pageTargetId(page).catch(() => null);
+  clearBlockedTarget(opts.cdpUrl, createdTargetId ?? void 0);
   const targetUrl = (opts.url ?? "").trim() || "about:blank";
   const policy = opts.allowInternal === true ? { ...opts.ssrfPolicy, dangerouslyAllowPrivateNetwork: true } : opts.ssrfPolicy;
   if (targetUrl !== "about:blank") {
-    const navigationPolicy = withBrowserNavigationPolicy(policy);
-    await assertBrowserNavigationAllowed({ url: targetUrl, ...navigationPolicy });
-    await assertBrowserNavigationRedirectChainAllowed({
-      request: (await page.goto(targetUrl, { timeout: 3e4 }).catch(() => null))?.request(),
-      ...navigationPolicy
+    await assertBrowserNavigationAllowed({ url: targetUrl, ...withBrowserNavigationPolicy(policy) });
+    let response = null;
+    try {
+      response = await gotoPageWithNavigationGuard({
+        cdpUrl: opts.cdpUrl,
+        page,
+        url: targetUrl,
+        timeoutMs: 3e4,
+        ssrfPolicy: policy,
+        targetId: createdTargetId ?? void 0
+      });
+    } catch (err) {
+      if (isPolicyDenyNavigationError(err) || err instanceof BlockedBrowserTargetError) throw err;
+    }
+    await assertPageNavigationCompletedSafely({
+      cdpUrl: opts.cdpUrl,
+      page,
+      response,
+      ssrfPolicy: policy,
+      targetId: createdTargetId ?? void 0
     });
-    await assertBrowserNavigationResultAllowed({ url: page.url(), ...navigationPolicy });
   }
-  const tid = await pageTargetId(page).catch(() => null);
+  const tid = createdTargetId ?? await pageTargetId(page).catch(() => null);
   if (tid === null || tid === "") throw new Error("Failed to get targetId for new page");
   return {
     targetId: tid,