npm - discord-message-transcript-base - Versions diffs - 1.3.1-dev.2.34 → 1.3.1-dev.3.35 - Mend

discord-message-transcript-base 1.3.1-dev.2.34 → 1.3.1-dev.3.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/core/sanitizer.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { hexColor, JsonAttachment, TranscriptOptionsBase } from "../types/types.js";
+import { hexColor, JsonAttachment, LookupResult, TranscriptOptionsBase } from "../types/types.js";
 export declare const FALLBACK_PIXEL = "data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7";
 export declare function sanitize(text: string): string;
 export declare function isValidHexColor(colorInput: string, canReturnNull: false): hexColor;
@@ -6,3 +6,4 @@ export declare function isValidHexColor(colorInput: string | null, canReturnNull
 export declare function resolveImageURL(url: string, options: TranscriptOptionsBase, canReturnNull: false, attachments?: JsonAttachment[]): Promise<string>;
 export declare function resolveImageURL(url: string | null, options: TranscriptOptionsBase, canReturnNull: true, attachments?: JsonAttachment[]): Promise<string | null>;
 export declare function isSafeForHTML(url: string, options: TranscriptOptionsBase): Promise<boolean>;
+export declare function resolveAllIps(host: string): Promise<LookupResult[]>;

package/dist/core/sanitizer.js CHANGED Viewed

@@ -1,8 +1,10 @@
-import dns from "node:dns/promises";
 import net from "node:net";
 import { CustomWarn } from "./customMessages.js";
+import { Resolver } from "dns/promises";
 export const FALLBACK_PIXEL = "data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7";
+const DNS_SERVERS = ["1.1.1.1", "8.8.8.8"];
 const DNS_LOOKUP_TIMEOUT = 5000;
+const TRUSTED_DISCORD_HOSTS = ["discordapp.com", "discordapp.net"];
 export function sanitize(text) {
     return text
         .replace(/&/g, "&amp;")
@@ -56,6 +58,10 @@ export async function isSafeForHTML(url, options) {
         CustomWarn(`Unsafe URL rejected: Invalid URL format\nURL: ${url}`, disableWarnings);
         return false;
     }
+    const host = u.hostname.toLowerCase();
+    // If is from discord accept
+    if (isTrustedDiscordHost(host))
+        return true;
     // Don't accept if isn't https or http
     if (!["http:", "https:"].includes(u.protocol)) {
         CustomWarn(`Unsafe URL rejected: Invalid protocol "${u.protocol}"\nURL: ${url}`, disableWarnings);
@@ -69,7 +75,6 @@ export async function isSafeForHTML(url, options) {
         CustomWarn(`Unsafe URL rejected: Invalid port "${u.port}"\nURL: ${url}`, disableWarnings);
         return false;
     }
-    const host = u.hostname.toLowerCase();
     // Block localhost and loopback addresses (SSRF protection)
     if (host === "localhost" ||
         host === "127.0.0.1" ||
@@ -77,21 +82,12 @@ export async function isSafeForHTML(url, options) {
         CustomWarn(`Unsafe URL rejected: Blacklisted host "${host}"\nURL: ${url}`, disableWarnings);
         return false;
     }
-    async function lookupWithTimeout(host) {
-        return await Promise.race([
-            dns.lookup(host, { all: true }),
-            new Promise((_, reject) => setTimeout(() => {
-                CustomWarn(`DNS lookup timeout for ${host}`, disableWarnings);
-                reject(new Error());
-            }, DNS_LOOKUP_TIMEOUT))
-        ]);
-    }
     let ips;
     try {
-        ips = await lookupWithTimeout(host);
+        ips = await resolveAllIps(host);
     }
-    catch {
-        CustomWarn(`Unsafe URL rejected: DNS lookup failed or timed out for host "${host}"\nURL: ${url}`, disableWarnings);
+    catch (e) {
+        CustomWarn(`Unsafe URL rejected: DNS lookup failed or timed out for host "${host}". Error: ${e.message}\nURL: ${url}`, disableWarnings);
         return false;
     }
     // Block private/internal network IPs (SSRF protection)
@@ -104,13 +100,38 @@ export async function isSafeForHTML(url, options) {
     const path = u.pathname.toLowerCase();
     // External SVGs can execute scripts → allow only from Discord CDN
     if (path.endsWith(".svg")) {
-        if (!(host.endsWith("discordapp.com") || host.endsWith("discordapp.net"))) {
-            CustomWarn(`Unsafe URL rejected: External SVG not from Discord CDN\nURL: ${url}`, disableWarnings);
-            return false;
-        }
+        CustomWarn(`Unsafe URL rejected: External SVG not from Discord CDN\nURL: ${url}`, disableWarnings);
+        return false;
     }
     return true;
 }
+export async function resolveAllIps(host) {
+    const resolver = new Resolver();
+    resolver.setServers(DNS_SERVERS);
+    const lookupPromise = (async () => {
+        const results = [];
+        const [v4, v6] = await Promise.allSettled([
+            resolver.resolve4(host),
+            resolver.resolve6(host)
+        ]);
+        if (v4.status === "fulfilled") {
+            for (const ip of v4.value) {
+                results.push({ address: ip, family: 4 });
+            }
+        }
+        if (v6.status === "fulfilled") {
+            for (const ip of v6.value) {
+                results.push({ address: ip, family: 6 });
+            }
+        }
+        if (results.length === 0) {
+            throw new Error(`No DNS records found for ${host}`);
+        }
+        return results;
+    })();
+    const timeoutPromise = new Promise((_, reject) => setTimeout(() => reject(new Error(`DNS timeout for ${host}`)), DNS_LOOKUP_TIMEOUT));
+    return Promise.race([lookupPromise, timeoutPromise]);
+}
 function isPrivateIp(ip) {
     if (!net.isIP(ip))
         return true;
@@ -129,3 +150,9 @@ function isPrivateIp(ip) {
         (parts[0] === 169 && parts[1] === 254) ||
         (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31));
 }
+function isTrustedDiscordHost(host) {
+    host = host.toLowerCase();
+    return TRUSTED_DISCORD_HOSTS.some(trusted => {
+        return host === trusted || host.endsWith("." + trusted);
+    });
+}

package/dist/types/types.d.ts CHANGED Viewed

@@ -24,7 +24,7 @@ export type hexColor = `#${string}`;
  */
 export type LookupResult = {
     address: string;
-    family: number;
+    family: 4 | 6;
 };
 /**
  * A union of all possible timestamp styles for formatting dates and times in Discord.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "discord-message-transcript-base",
-  "version": "1.3.1-dev.2.34",
+  "version": "1.3.1-dev.3.35",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",