npm - browserclaw - Versions diffs - 0.3.8 → 0.3.9 - Mend

browserclaw 0.3.8 → 0.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -1232,7 +1232,8 @@ async function assertBrowserNavigationAllowed(opts) {
     const hostname = parsed.hostname.toLowerCase();
     if (allowedHostnames.some((h) => h.toLowerCase() === hostname)) return;
   }
-  if (await isInternalUrlResolved(rawUrl, opts.lookupFn)) {
+  const ipOpts = { allowRfc2544BenchmarkRange: policy?.allowRfc2544BenchmarkRange };
+  if (await isInternalUrlResolved(rawUrl, opts.lookupFn, ipOpts)) {
     throw new InvalidBrowserNavigationUrlError(
       `Navigation to internal/loopback address blocked: "${rawUrl}". ssrfPolicy.dangerouslyAllowPrivateNetwork is false (strict mode).`
     );
@@ -1347,7 +1348,7 @@ function isUnsupportedIPv4Literal(ip) {
   if (!parts.every(isStrictDecimalOctet)) return true;
   return false;
 }
-function isInternalIP(ip) {
+function isInternalIP(ip, opts) {
   if (!ip.includes(":") && isUnsupportedIPv4Literal(ip)) return true;
   if (/^127\./.test(ip)) return true;
   if (/^10\./.test(ip)) return true;
@@ -1356,6 +1357,7 @@ function isInternalIP(ip) {
   if (/^169\.254\./.test(ip)) return true;
   if (/^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./.test(ip)) return true;
   if (ip === "0.0.0.0") return true;
+  if (!opts?.allowRfc2544BenchmarkRange && /^198\.1[89]\./.test(ip)) return true;
   const lower = ip.toLowerCase();
   if (lower === "::1") return true;
   if (lower.startsWith("fe80:")) return true;
@@ -1364,11 +1366,11 @@ function isInternalIP(ip) {
   const embedded = extractEmbeddedIPv4(lower);
   if (embedded !== null) {
     if (embedded === "") return true;
-    return isInternalIP(embedded);
+    return isInternalIP(embedded, opts);
   }
   return false;
 }
-function isInternalUrl(url) {
+function isInternalUrl(url, opts) {
   let parsed;
   try {
     parsed = new URL(url);
@@ -1377,7 +1379,7 @@ function isInternalUrl(url) {
   }
   const hostname = parsed.hostname.toLowerCase();
   if (hostname === "localhost") return true;
-  if (isInternalIP(hostname)) return true;
+  if (isInternalIP(hostname, opts)) return true;
   if (hostname.endsWith(".local") || hostname.endsWith(".internal") || hostname.endsWith(".localhost")) {
     return true;
   }
@@ -1399,8 +1401,8 @@ async function assertSafeUploadPaths(paths) {
     }
   }
 }
-async function isInternalUrlResolved(url, lookupFn = promises.lookup) {
-  if (isInternalUrl(url)) return true;
+async function isInternalUrlResolved(url, lookupFn = promises.lookup, opts) {
+  if (isInternalUrl(url, opts)) return true;
   let parsed;
   try {
     parsed = new URL(url);
@@ -1409,12 +1411,25 @@ async function isInternalUrlResolved(url, lookupFn = promises.lookup) {
   }
   try {
     const { address } = await lookupFn(parsed.hostname);
-    if (isInternalIP(address)) return true;
+    if (isInternalIP(address, opts)) return true;
   } catch {
     return true;
   }
   return false;
 }
+async function assertBrowserNavigationResultAllowed(opts) {
+  const rawUrl = String(opts.url ?? "").trim();
+  if (!rawUrl) return;
+  let parsed;
+  try {
+    parsed = new URL(rawUrl);
+  } catch {
+    return;
+  }
+  if (NETWORK_NAVIGATION_PROTOCOLS.has(parsed.protocol) || SAFE_NON_NETWORK_URLS.has(parsed.href)) {
+    await assertBrowserNavigationAllowed(opts);
+  }
+}
 // src/actions/interaction.ts
 async function clickViaPlaywright(opts) {
@@ -1620,7 +1635,9 @@ async function navigateViaPlaywright(opts) {
   const page = await getPageForTargetId({ cdpUrl: opts.cdpUrl, targetId: opts.targetId });
   ensurePageState(page);
   await page.goto(url, { timeout: normalizeTimeoutMs(opts.timeoutMs, 2e4) });
-  return { url: page.url() };
+  const finalUrl = page.url();
+  await assertBrowserNavigationResultAllowed({ url: finalUrl, ssrfPolicy: policy });
+  return { url: finalUrl };
 }
 async function listPagesViaPlaywright(opts) {
   const { browser } = await connectBrowser(opts.cdpUrl);
@@ -1639,8 +1656,8 @@ async function listPagesViaPlaywright(opts) {
 }
 async function createPageViaPlaywright(opts) {
   const targetUrl = (opts.url ?? "").trim() || "about:blank";
+  const policy = opts.allowInternal ? { ...opts.ssrfPolicy, dangerouslyAllowPrivateNetwork: true } : opts.ssrfPolicy;
   if (targetUrl !== "about:blank") {
-    const policy = opts.allowInternal ? { ...opts.ssrfPolicy, dangerouslyAllowPrivateNetwork: true } : opts.ssrfPolicy;
     await assertBrowserNavigationAllowed({ url: targetUrl, ssrfPolicy: policy });
   }
   const { browser } = await connectBrowser(opts.cdpUrl);
@@ -1649,6 +1666,7 @@ async function createPageViaPlaywright(opts) {
   ensurePageState(page);
   if (targetUrl !== "about:blank") {
     await page.goto(targetUrl, { timeout: normalizeTimeoutMs(void 0, 2e4) });
+    await assertBrowserNavigationResultAllowed({ url: page.url(), ssrfPolicy: policy });
   }
   const tid = await pageTargetId(page).catch(() => null);
   if (!tid) throw new Error("Failed to get targetId for new page");