browserclaw 0.5.0 → 0.5.1

package/dist/index.cjs

@@ -1524,6 +1524,22 @@ function extractEmbeddedIpv4FromIpv6(v6, opts) {
       return true;
     }
   }
+  if (parts[0] === 0 && parts[1] === 0 && parts[2] === 0 && parts[3] === 0 && parts[4] === 0 && parts[5] === 0) {
+    const ip4str = `${parts[6] >> 8 & 255}.${parts[6] & 255}.${parts[7] >> 8 & 255}.${parts[7] & 255}`;
+    try {
+      return isBlockedSpecialUseIpv4Address(ipaddr__namespace.IPv4.parse(ip4str), opts);
+    } catch {
+      return true;
+    }
+  }
+  if ((parts[4] & 65023) === 0 && parts[5] === 24318) {
+    const ip4str = `${parts[6] >> 8 & 255}.${parts[6] & 255}.${parts[7] >> 8 & 255}.${parts[7] & 255}`;
+    try {
+      return isBlockedSpecialUseIpv4Address(ipaddr__namespace.IPv4.parse(ip4str), opts);
+    } catch {
+      return true;
+    }
+  }
   return null;
 }
 function isPrivateIpAddress(address, opts) {
@@ -1546,6 +1562,30 @@ function isPrivateIpAddress(address, opts) {
   if (normalized.includes(":")) return true;
   return false;
 }
+function normalizeHostnameSet(values) {
+  if (!values || values.length === 0) return /* @__PURE__ */ new Set();
+  return new Set(values.map((v) => normalizeHostname(v)).filter(Boolean));
+}
+function normalizeHostnameAllowlist(values) {
+  if (!values || values.length === 0) return [];
+  return Array.from(
+    new Set(
+      values.map((v) => normalizeHostname(v)).filter((v) => v !== "*" && v !== "*." && v.length > 0)
+    )
+  );
+}
+function isHostnameAllowedByPattern(hostname, pattern) {
+  if (pattern.startsWith("*.")) {
+    const suffix = pattern.slice(2);
+    if (!suffix || hostname === suffix) return false;
+    return hostname.endsWith(`.${suffix}`);
+  }
+  return hostname === pattern;
+}
+function matchesHostnameAllowlist(hostname, allowlist) {
+  if (allowlist.length === 0) return true;
+  return allowlist.some((pattern) => isHostnameAllowedByPattern(hostname, pattern));
+}
 function dedupeAndPreferIpv4(results) {
   const seen = /* @__PURE__ */ new Set();
   const ipv4 = [];
@@ -1591,12 +1631,15 @@ async function resolvePinnedHostnameWithPolicy(hostname, params = {}) {
   const normalized = normalizeHostname(hostname);
   if (!normalized) throw new InvalidBrowserNavigationUrlError(`Invalid hostname: "${hostname}"`);
   const allowPrivateNetwork = isPrivateNetworkAllowedByPolicy(params.policy);
-  const allowedHostnames = [
-    ...params.policy?.allowedHostnames ?? [],
-    ...params.policy?.hostnameAllowlist ?? []
-  ].map((h) => normalizeHostname(h));
-  const isExplicitlyAllowed = allowedHostnames.some((h) => h === normalized);
+  const allowedHostnames = normalizeHostnameSet(params.policy?.allowedHostnames);
+  const hostnameAllowlist = normalizeHostnameAllowlist(params.policy?.hostnameAllowlist);
+  const isExplicitlyAllowed = allowedHostnames.has(normalized);
   const skipPrivateNetworkChecks = allowPrivateNetwork || isExplicitlyAllowed;
+  if (!matchesHostnameAllowlist(normalized, hostnameAllowlist)) {
+    throw new InvalidBrowserNavigationUrlError(
+      `Navigation blocked: hostname "${hostname}" is not in the allowlist.`
+    );
+  }
   if (!skipPrivateNetworkChecks) {
     if (isBlockedHostnameNormalized(normalized)) {
       throw new InvalidBrowserNavigationUrlError(
@@ -1663,11 +1706,9 @@ async function assertBrowserNavigationAllowed(opts) {
       "Navigation blocked: strict browser SSRF policy cannot be enforced while env proxy variables are set"
     );
   }
-  const policy = opts.ssrfPolicy;
-  if (policy?.dangerouslyAllowPrivateNetwork ?? policy?.allowPrivateNetwork ?? true) return;
   await resolvePinnedHostnameWithPolicy(parsed.hostname, {
     lookupFn: opts.lookupFn,
-    policy
+    policy: opts.ssrfPolicy
   });
 }
 async function assertSafeOutputPath(path2, allowedRoots) {