elit 3.6.8 → 3.6.9

package/dist/pm.cjs

@@ -2796,6 +2796,217 @@ function watch(paths, options) {
 var import_node_http = require("http");
 var import_node_https = require("https");
 var import_node_net = require("net");
+var import_promises = require("dns/promises");
+var BLOCKED_IPV4_PREFIXES = [
+  "0.",
+  "10.",
+  "100.64.",
+  "100.65.",
+  "100.66.",
+  "100.67.",
+  "100.68.",
+  "100.69.",
+  "100.70.",
+  "100.71.",
+  "100.72.",
+  "100.73.",
+  "100.74.",
+  "100.75.",
+  "100.76.",
+  "100.77.",
+  "100.78.",
+  "100.79.",
+  "100.80.",
+  "100.81.",
+  "100.82.",
+  "100.83.",
+  "100.84.",
+  "100.85.",
+  "100.86.",
+  "100.87.",
+  "100.88.",
+  "100.89.",
+  "100.90.",
+  "100.91.",
+  "100.92.",
+  "100.93.",
+  "100.94.",
+  "100.95.",
+  "100.96.",
+  "100.97.",
+  "100.98.",
+  "100.99.",
+  "100.100.",
+  "100.101.",
+  "100.102.",
+  "100.103.",
+  "100.104.",
+  "100.105.",
+  "100.106.",
+  "100.107.",
+  "100.108.",
+  "100.109.",
+  "100.110.",
+  "100.111.",
+  "100.112.",
+  "100.113.",
+  "100.114.",
+  "100.115.",
+  "100.116.",
+  "100.117.",
+  "100.118.",
+  "100.119.",
+  "100.120.",
+  "100.121.",
+  "100.122.",
+  "100.123.",
+  "100.124.",
+  "100.125.",
+  "100.126.",
+  "100.127.",
+  "127.",
+  "169.254.",
+  "172.16.",
+  "172.17.",
+  "172.18.",
+  "172.19.",
+  "172.20.",
+  "172.21.",
+  "172.22.",
+  "172.23.",
+  "172.24.",
+  "172.25.",
+  "172.26.",
+  "172.27.",
+  "172.28.",
+  "172.29.",
+  "172.30.",
+  "172.31.",
+  "192.0.2.",
+  "192.88.99.",
+  "192.168.",
+  "198.18.",
+  "198.19.",
+  "198.51.100.",
+  "203.0.113.",
+  "224.",
+  "225.",
+  "226.",
+  "227.",
+  "228.",
+  "229.",
+  "230.",
+  "231.",
+  "232.",
+  "233.",
+  "234.",
+  "235.",
+  "236.",
+  "237.",
+  "238.",
+  "239.",
+  "240.",
+  "241.",
+  "242.",
+  "243.",
+  "244.",
+  "245.",
+  "246.",
+  "247.",
+  "248.",
+  "249.",
+  "250.",
+  "251.",
+  "252.",
+  "253.",
+  "254.",
+  "255."
+];
+var ALLOWED_PROXY_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:"]);
+function isBlockedIpv4(hostname) {
+  const octets = hostname.split(".");
+  if (octets.length !== 4) return false;
+  const joined = hostname;
+  return BLOCKED_IPV4_PREFIXES.some((prefix) => joined.startsWith(prefix));
+}
+function isBlockedIpv6(hostname) {
+  const lower = hostname.toLowerCase();
+  if (lower === "::1" || lower === "::" || lower === "0:0:0:0:0:0:0:1" || lower === "0:0:0:0:0:0:0:0") {
+    return true;
+  }
+  const ffffMatch = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
+  if (ffffMatch) {
+    return isBlockedIpv4(ffffMatch[1]);
+  }
+  const compatMatch = lower.match(/^::(\d+\.\d+\.\d+\.\d+)$/);
+  if (compatMatch) {
+    return isBlockedIpv4(compatMatch[1]);
+  }
+  return false;
+}
+function isSafeHostname(hostname) {
+  if (!hostname) return false;
+  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname)) return !isBlockedIpv4(hostname);
+  if (/^\[.*\]$/.test(hostname)) return !isBlockedIpv6(hostname.slice(1, -1));
+  if (hostname.includes(":")) return !isBlockedIpv6(hostname);
+  return true;
+}
+async function safeResolveHostname(hostname) {
+  try {
+    const result = await (0, import_promises.lookup)(hostname);
+    const ip = result.address;
+    if (isBlockedIpv4(ip) || isBlockedIpv6(ip)) {
+      throw new Error(`PM proxy target resolved to a blocked address: ${ip}`);
+    }
+    return ip;
+  } catch (error) {
+    if (error instanceof Error && error.message.includes("blocked address")) {
+      throw error;
+    }
+    throw new Error(`PM proxy failed to resolve target hostname "${hostname}": ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+async function validateProxyTargetUrl(target) {
+  if (!ALLOWED_PROXY_PROTOCOLS.has(target.protocol)) {
+    throw new Error(`PM proxy target protocol "${target.protocol}" is not allowed. Only http: and https: are permitted.`);
+  }
+  const hostname = target.hostname;
+  if (!isSafeHostname(hostname)) {
+    throw new Error(`PM proxy target "${hostname}" resolves to a blocked address and is not allowed.`);
+  }
+  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) && !/^\[.*\]$/.test(hostname)) {
+    await safeResolveHostname(hostname);
+  }
+}
+function sanitizeProxyRequestPath(requestUrl) {
+  if (!requestUrl || requestUrl === "/") return "/";
+  try {
+    const normalizedInput = requestUrl.replace(/\\/g, "/");
+    const parsed = new URL(normalizedInput, "http://placeholder");
+    if (parsed.username || parsed.password || parsed.hostname !== "placeholder" || parsed.port) {
+      return "/";
+    }
+    const pathname = parsed.pathname || "/";
+    let decodedPathname = pathname;
+    try {
+      decodedPathname = decodeURIComponent(pathname);
+    } catch {
+      return "/";
+    }
+    const lowerPath = pathname.toLowerCase();
+    if (lowerPath.includes("%2f") || lowerPath.includes("%5c") || lowerPath.includes("%40") || lowerPath.includes("%00")) {
+      return "/";
+    }
+    const segments = decodedPathname.split("/");
+    if (segments.some((segment) => segment === "." || segment === "..")) {
+      return "/";
+    }
+    const sanitized = pathname + parsed.search;
+    return sanitized.startsWith("/") ? sanitized || "/" : `/${sanitized}`;
+  } catch {
+    return "/";
+  }
+}
 function resolvePmProxyHost(proxy) {
   return proxy.host?.trim() || "0.0.0.0";
 }
@@ -2885,6 +3096,9 @@ async function createPmProxyController(proxy) {
     nextTargetIndex = (nextTargetIndex + 1) % targets.length;
     return target;
   };
+  const validateTarget = async (target) => {
+    await validateProxyTargetUrl(target);
+  };
   const server = (0, import_node_http.createServer)((req, res) => {
     const target = pickTarget();
     if (!target) {
@@ -2892,29 +3106,45 @@ async function createPmProxyController(proxy) {
       res.end("PM proxy target is not ready.");
       return;
     }
+    const sanitizedPath = sanitizeProxyRequestPath(req.url || "/");
     const requestLib = target.protocol === "https:" ? import_node_https.request : import_node_http.request;
-    const targetUrl = new URL(req.url || "/", target);
     const headers = buildPmProxyHeaders(req.headers, target.host);
-    const proxyReq = requestLib(targetUrl, {
-      method: req.method,
-      headers
-    }, (proxyRes) => {
-      const outgoingHeaders = {};
-      for (const [key, value] of Object.entries(proxyRes.headers)) {
-        if (value !== void 0) {
-          outgoingHeaders[key] = value;
+    if (!ALLOWED_PROXY_PROTOCOLS.has(target.protocol)) {
+      res.statusCode = 400;
+      res.end("PM proxy rejected unsafe target protocol.");
+      return;
+    }
+    validateTarget(target).then(() => {
+      const proxyReq = requestLib({
+        protocol: target.protocol,
+        hostname: target.hostname,
+        port: target.port || void 0,
+        path: sanitizedPath,
+        method: req.method,
+        headers
+      }, (proxyRes) => {
+        const outgoingHeaders = {};
+        for (const [key, value] of Object.entries(proxyRes.headers)) {
+          if (value !== void 0) {
+            outgoingHeaders[key] = value;
+          }
         }
-      }
-      res.writeHead(proxyRes.statusCode || 200, outgoingHeaders);
-      proxyRes.pipe(res);
-    });
-    proxyReq.on("error", (error) => {
+        res.writeHead(proxyRes.statusCode || 200, outgoingHeaders);
+        proxyRes.pipe(res);
+      });
+      proxyReq.on("error", (error) => {
+        if (!res.headersSent) {
+          res.statusCode = 502;
+        }
+        res.end(`PM proxy error: ${error.message}`);
+      });
+      req.pipe(proxyReq);
+    }).catch((error) => {
       if (!res.headersSent) {
-        res.statusCode = 502;
+        res.statusCode = 403;
       }
-      res.end(`PM proxy error: ${error.message}`);
+      res.end(`PM proxy blocked target: ${error instanceof Error ? error.message : String(error)}`);
     });
-    req.pipe(proxyReq);
   });
   server.on("upgrade", (req, socket, head) => {
     const target = pickTarget();
@@ -2926,38 +3156,56 @@ async function createPmProxyController(proxy) {
       socket.destroy();
       return;
     }
+    const sanitizedPath = sanitizeProxyRequestPath(req.url || "/");
     const requestLib = target.protocol === "https:" ? import_node_https.request : import_node_http.request;
-    const targetUrl = new URL(req.url || "/", target);
-    const proxyReq = requestLib(targetUrl, {
-      method: req.method,
-      headers: buildPmProxyHeaders(req.headers, target.host)
-    });
-    proxyReq.on("upgrade", (proxyRes, proxySocket, proxyHead) => {
-      writeRawHttpResponse(socket, proxyRes.statusCode || 101, proxyRes.statusMessage || "Switching Protocols", proxyRes.headers);
-      if (head.length > 0) {
-        proxySocket.write(head);
-      }
-      if (proxyHead.length > 0) {
-        socket.write(proxyHead);
-      }
-      socket.on("error", () => proxySocket.destroy());
-      proxySocket.on("error", () => socket.destroy());
-      proxySocket.pipe(socket);
-      socket.pipe(proxySocket);
-    });
-    proxyReq.on("response", (proxyRes) => {
-      writeRawHttpResponse(socket, proxyRes.statusCode || 502, proxyRes.statusMessage || "Bad Gateway", proxyRes.headers);
-      proxyRes.pipe(socket);
-    });
-    proxyReq.on("error", (error) => {
-      writeRawHttpResponse(socket, 502, "Bad Gateway", {
+    const targetUrl = new URL(sanitizedPath, target);
+    if (targetUrl.hostname !== target.hostname || targetUrl.port !== target.port || !ALLOWED_PROXY_PROTOCOLS.has(targetUrl.protocol)) {
+      writeRawHttpResponse(socket, 400, "Bad Request", {
+        connection: "close",
+        "content-length": 0
+      });
+      socket.destroy();
+      return;
+    }
+    validateTarget(target).then(() => {
+      const proxyReq = requestLib(targetUrl, {
+        method: req.method,
+        headers: buildPmProxyHeaders(req.headers, target.host)
+      });
+      proxyReq.on("upgrade", (proxyRes, proxySocket, proxyHead) => {
+        writeRawHttpResponse(socket, proxyRes.statusCode || 101, proxyRes.statusMessage || "Switching Protocols", proxyRes.headers);
+        if (head.length > 0) {
+          proxySocket.write(head);
+        }
+        if (proxyHead.length > 0) {
+          socket.write(proxyHead);
+        }
+        socket.on("error", () => proxySocket.destroy());
+        proxySocket.on("error", () => socket.destroy());
+        proxySocket.pipe(socket);
+        socket.pipe(proxySocket);
+      });
+      proxyReq.on("response", (proxyRes) => {
+        writeRawHttpResponse(socket, proxyRes.statusCode || 502, proxyRes.statusMessage || "Bad Gateway", proxyRes.headers);
+        proxyRes.pipe(socket);
+      });
+      proxyReq.on("error", (error) => {
+        writeRawHttpResponse(socket, 502, "Bad Gateway", {
+          connection: "close",
+          "content-type": "text/plain; charset=utf-8",
+          "content-length": Buffer.byteLength(`PM proxy error: ${error.message}`)
+        });
+        socket.end(`PM proxy error: ${error.message}`);
+      });
+      proxyReq.end();
+    }).catch((error) => {
+      writeRawHttpResponse(socket, 403, "Forbidden", {
         connection: "close",
         "content-type": "text/plain; charset=utf-8",
-        "content-length": Buffer.byteLength(`PM proxy error: ${error.message}`)
+        "content-length": Buffer.byteLength(`PM proxy blocked target: ${error instanceof Error ? error.message : String(error)}`)
       });
-      socket.end(`PM proxy error: ${error.message}`);
+      socket.end(`PM proxy blocked target: ${error instanceof Error ? error.message : String(error)}`);
     });
-    proxyReq.end();
   });
   await new Promise((resolve7, reject) => {
     server.once("error", reject);
@@ -2965,10 +3213,25 @@ async function createPmProxyController(proxy) {
   });
   return {
     setTarget(targetUrl) {
-      setResolvedTargets(targetUrl ? [new URL(targetUrl)] : []);
+      if (targetUrl) {
+        const parsed = new URL(targetUrl);
+        validateProxyTargetUrl(parsed).then(() => {
+          setResolvedTargets([parsed]);
+        }).catch((error) => {
+          console.error(`[PM proxy] Blocked setTarget: ${error instanceof Error ? error.message : String(error)}`);
+          setResolvedTargets([]);
+        });
+      } else {
+        setResolvedTargets([]);
+      }
     },
     setTargets(targetUrls) {
-      setResolvedTargets(targetUrls.map((targetUrl) => new URL(targetUrl)));
+      Promise.all(targetUrls.map((url) => validateProxyTargetUrl(new URL(url)))).then(() => {
+        setResolvedTargets(targetUrls.map((targetUrl) => new URL(targetUrl)));
+      }).catch((error) => {
+        console.error(`[PM proxy] Blocked setTargets: ${error instanceof Error ? error.message : String(error)}`);
+        setResolvedTargets([]);
+      });
     },
     close() {
       return new Promise((resolve7, reject) => {