npm - browserclaw - Versions diffs - 0.3.7 → 0.3.9 - Mend

browserclaw 0.3.7 → 0.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -1,4 +1,4 @@
-<h2 align="center">🦞 BrowserClaw — Standalone OpenClaw browser module</h1>
+<h2 align="center">🦞 BrowserClaw — Standalone OpenClaw browser module</h2>
 <p align="center">
   <a href="https://www.npmjs.com/package/browserclaw"><img src="https://img.shields.io/npm/v/browserclaw.svg" alt="npm version" /></a>
@@ -217,13 +217,13 @@ await page.press('Meta+Shift+p');
 // Fill multiple form fields at once
 await page.fill([
-  { ref: 'e2', type: 'text', value: 'Jane Doe' },
-  { ref: 'e4', type: 'text', value: 'jane@example.com' },
+  { ref: 'e2', value: 'Jane Doe' },
+  { ref: 'e4', value: 'jane@example.com' },
   { ref: 'e6', type: 'checkbox', value: true },
 ]);
 ```
-`fill()` field types: `'text'` calls Playwright `fill()` with the string value. `'checkbox'` and `'radio'` call `setChecked()` — truthy values are `true`, `1`, `'1'`, `'true'`. Empty ref or type throws.
+`fill()` field types: `'text'` (default) calls Playwright `fill()` with the string value. `'checkbox'` and `'radio'` call `setChecked()` — truthy values are `true`, `1`, `'1'`, `'true'`. Type can be omitted and defaults to `'text'`. Empty ref throws.
 #### Highlight

package/dist/index.cjs CHANGED Viewed

@@ -1232,7 +1232,8 @@ async function assertBrowserNavigationAllowed(opts) {
     const hostname = parsed.hostname.toLowerCase();
     if (allowedHostnames.some((h) => h.toLowerCase() === hostname)) return;
   }
-  if (await isInternalUrlResolved(rawUrl, opts.lookupFn)) {
+  const ipOpts = { allowRfc2544BenchmarkRange: policy?.allowRfc2544BenchmarkRange };
+  if (await isInternalUrlResolved(rawUrl, opts.lookupFn, ipOpts)) {
     throw new InvalidBrowserNavigationUrlError(
       `Navigation to internal/loopback address blocked: "${rawUrl}". ssrfPolicy.dangerouslyAllowPrivateNetwork is false (strict mode).`
     );
@@ -1347,7 +1348,7 @@ function isUnsupportedIPv4Literal(ip) {
   if (!parts.every(isStrictDecimalOctet)) return true;
   return false;
 }
-function isInternalIP(ip) {
+function isInternalIP(ip, opts) {
   if (!ip.includes(":") && isUnsupportedIPv4Literal(ip)) return true;
   if (/^127\./.test(ip)) return true;
   if (/^10\./.test(ip)) return true;
@@ -1356,6 +1357,7 @@ function isInternalIP(ip) {
   if (/^169\.254\./.test(ip)) return true;
   if (/^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./.test(ip)) return true;
   if (ip === "0.0.0.0") return true;
+  if (!opts?.allowRfc2544BenchmarkRange && /^198\.1[89]\./.test(ip)) return true;
   const lower = ip.toLowerCase();
   if (lower === "::1") return true;
   if (lower.startsWith("fe80:")) return true;
@@ -1364,11 +1366,11 @@ function isInternalIP(ip) {
   const embedded = extractEmbeddedIPv4(lower);
   if (embedded !== null) {
     if (embedded === "") return true;
-    return isInternalIP(embedded);
+    return isInternalIP(embedded, opts);
   }
   return false;
 }
-function isInternalUrl(url) {
+function isInternalUrl(url, opts) {
   let parsed;
   try {
     parsed = new URL(url);
@@ -1377,7 +1379,7 @@ function isInternalUrl(url) {
   }
   const hostname = parsed.hostname.toLowerCase();
   if (hostname === "localhost") return true;
-  if (isInternalIP(hostname)) return true;
+  if (isInternalIP(hostname, opts)) return true;
   if (hostname.endsWith(".local") || hostname.endsWith(".internal") || hostname.endsWith(".localhost")) {
     return true;
   }
@@ -1399,8 +1401,8 @@ async function assertSafeUploadPaths(paths) {
     }
   }
 }
-async function isInternalUrlResolved(url, lookupFn = promises.lookup) {
-  if (isInternalUrl(url)) return true;
+async function isInternalUrlResolved(url, lookupFn = promises.lookup, opts) {
+  if (isInternalUrl(url, opts)) return true;
   let parsed;
   try {
     parsed = new URL(url);
@@ -1409,12 +1411,25 @@ async function isInternalUrlResolved(url, lookupFn = promises.lookup) {
   }
   try {
     const { address } = await lookupFn(parsed.hostname);
-    if (isInternalIP(address)) return true;
+    if (isInternalIP(address, opts)) return true;
   } catch {
     return true;
   }
   return false;
 }
+async function assertBrowserNavigationResultAllowed(opts) {
+  const rawUrl = String(opts.url ?? "").trim();
+  if (!rawUrl) return;
+  let parsed;
+  try {
+    parsed = new URL(rawUrl);
+  } catch {
+    return;
+  }
+  if (NETWORK_NAVIGATION_PROTOCOLS.has(parsed.protocol) || SAFE_NON_NETWORK_URLS.has(parsed.href)) {
+    await assertBrowserNavigationAllowed(opts);
+  }
+}
 // src/actions/interaction.ts
 async function clickViaPlaywright(opts) {
@@ -1497,11 +1512,10 @@ async function fillFormViaPlaywright(opts) {
   for (let i = 0; i < opts.fields.length; i++) {
     const field = opts.fields[i];
     const ref = field.ref.trim();
-    const type = field.type.trim();
+    const type = (typeof field.type === "string" ? field.type.trim() : "") || "text";
     const rawValue = field.value;
     const value = rawValue == null ? "" : String(rawValue);
     if (!ref) throw new Error(`fill(): field at index ${i} has empty ref`);
-    if (!type) throw new Error(`fill(): field "${ref}" has empty type`);
     const locator = refLocator(page, ref);
     if (type === "checkbox" || type === "radio") {
       const checked = rawValue === true || rawValue === 1 || rawValue === "1" || rawValue === "true";
@@ -1621,7 +1635,9 @@ async function navigateViaPlaywright(opts) {
   const page = await getPageForTargetId({ cdpUrl: opts.cdpUrl, targetId: opts.targetId });
   ensurePageState(page);
   await page.goto(url, { timeout: normalizeTimeoutMs(opts.timeoutMs, 2e4) });
-  return { url: page.url() };
+  const finalUrl = page.url();
+  await assertBrowserNavigationResultAllowed({ url: finalUrl, ssrfPolicy: policy });
+  return { url: finalUrl };
 }
 async function listPagesViaPlaywright(opts) {
   const { browser } = await connectBrowser(opts.cdpUrl);
@@ -1640,8 +1656,8 @@ async function listPagesViaPlaywright(opts) {
 }
 async function createPageViaPlaywright(opts) {
   const targetUrl = (opts.url ?? "").trim() || "about:blank";
+  const policy = opts.allowInternal ? { ...opts.ssrfPolicy, dangerouslyAllowPrivateNetwork: true } : opts.ssrfPolicy;
   if (targetUrl !== "about:blank") {
-    const policy = opts.allowInternal ? { ...opts.ssrfPolicy, dangerouslyAllowPrivateNetwork: true } : opts.ssrfPolicy;
     await assertBrowserNavigationAllowed({ url: targetUrl, ssrfPolicy: policy });
   }
   const { browser } = await connectBrowser(opts.cdpUrl);
@@ -1650,6 +1666,7 @@ async function createPageViaPlaywright(opts) {
   ensurePageState(page);
   if (targetUrl !== "about:blank") {
     await page.goto(targetUrl, { timeout: normalizeTimeoutMs(void 0, 2e4) });
+    await assertBrowserNavigationResultAllowed({ url: page.url(), ssrfPolicy: policy });
   }
   const tid = await pageTargetId(page).catch(() => null);
   if (!tid) throw new Error("Failed to get targetId for new page");