elit 3.6.8 → 3.6.9

package/dist/pm.js

@@ -5203,6 +5203,217 @@ error: ${text}`);
   var import_node_http = __require("http");
   var import_node_https = __require("https");
   var import_node_net = __require("net");
+  var import_promises = __require("dns/promises");
+  var BLOCKED_IPV4_PREFIXES = [
+    "0.",
+    "10.",
+    "100.64.",
+    "100.65.",
+    "100.66.",
+    "100.67.",
+    "100.68.",
+    "100.69.",
+    "100.70.",
+    "100.71.",
+    "100.72.",
+    "100.73.",
+    "100.74.",
+    "100.75.",
+    "100.76.",
+    "100.77.",
+    "100.78.",
+    "100.79.",
+    "100.80.",
+    "100.81.",
+    "100.82.",
+    "100.83.",
+    "100.84.",
+    "100.85.",
+    "100.86.",
+    "100.87.",
+    "100.88.",
+    "100.89.",
+    "100.90.",
+    "100.91.",
+    "100.92.",
+    "100.93.",
+    "100.94.",
+    "100.95.",
+    "100.96.",
+    "100.97.",
+    "100.98.",
+    "100.99.",
+    "100.100.",
+    "100.101.",
+    "100.102.",
+    "100.103.",
+    "100.104.",
+    "100.105.",
+    "100.106.",
+    "100.107.",
+    "100.108.",
+    "100.109.",
+    "100.110.",
+    "100.111.",
+    "100.112.",
+    "100.113.",
+    "100.114.",
+    "100.115.",
+    "100.116.",
+    "100.117.",
+    "100.118.",
+    "100.119.",
+    "100.120.",
+    "100.121.",
+    "100.122.",
+    "100.123.",
+    "100.124.",
+    "100.125.",
+    "100.126.",
+    "100.127.",
+    "127.",
+    "169.254.",
+    "172.16.",
+    "172.17.",
+    "172.18.",
+    "172.19.",
+    "172.20.",
+    "172.21.",
+    "172.22.",
+    "172.23.",
+    "172.24.",
+    "172.25.",
+    "172.26.",
+    "172.27.",
+    "172.28.",
+    "172.29.",
+    "172.30.",
+    "172.31.",
+    "192.0.2.",
+    "192.88.99.",
+    "192.168.",
+    "198.18.",
+    "198.19.",
+    "198.51.100.",
+    "203.0.113.",
+    "224.",
+    "225.",
+    "226.",
+    "227.",
+    "228.",
+    "229.",
+    "230.",
+    "231.",
+    "232.",
+    "233.",
+    "234.",
+    "235.",
+    "236.",
+    "237.",
+    "238.",
+    "239.",
+    "240.",
+    "241.",
+    "242.",
+    "243.",
+    "244.",
+    "245.",
+    "246.",
+    "247.",
+    "248.",
+    "249.",
+    "250.",
+    "251.",
+    "252.",
+    "253.",
+    "254.",
+    "255."
+  ];
+  var ALLOWED_PROXY_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:"]);
+  function isBlockedIpv4(hostname) {
+    const octets = hostname.split(".");
+    if (octets.length !== 4) return false;
+    const joined = hostname;
+    return BLOCKED_IPV4_PREFIXES.some((prefix) => joined.startsWith(prefix));
+  }
+  function isBlockedIpv6(hostname) {
+    const lower = hostname.toLowerCase();
+    if (lower === "::1" || lower === "::" || lower === "0:0:0:0:0:0:0:1" || lower === "0:0:0:0:0:0:0:0") {
+      return true;
+    }
+    const ffffMatch = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
+    if (ffffMatch) {
+      return isBlockedIpv4(ffffMatch[1]);
+    }
+    const compatMatch = lower.match(/^::(\d+\.\d+\.\d+\.\d+)$/);
+    if (compatMatch) {
+      return isBlockedIpv4(compatMatch[1]);
+    }
+    return false;
+  }
+  function isSafeHostname(hostname) {
+    if (!hostname) return false;
+    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname)) return !isBlockedIpv4(hostname);
+    if (/^\[.*\]$/.test(hostname)) return !isBlockedIpv6(hostname.slice(1, -1));
+    if (hostname.includes(":")) return !isBlockedIpv6(hostname);
+    return true;
+  }
+  async function safeResolveHostname(hostname) {
+    try {
+      const result = await (0, import_promises.lookup)(hostname);
+      const ip = result.address;
+      if (isBlockedIpv4(ip) || isBlockedIpv6(ip)) {
+        throw new Error(`PM proxy target resolved to a blocked address: ${ip}`);
+      }
+      return ip;
+    } catch (error) {
+      if (error instanceof Error && error.message.includes("blocked address")) {
+        throw error;
+      }
+      throw new Error(`PM proxy failed to resolve target hostname "${hostname}": ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  async function validateProxyTargetUrl(target) {
+    if (!ALLOWED_PROXY_PROTOCOLS.has(target.protocol)) {
+      throw new Error(`PM proxy target protocol "${target.protocol}" is not allowed. Only http: and https: are permitted.`);
+    }
+    const hostname = target.hostname;
+    if (!isSafeHostname(hostname)) {
+      throw new Error(`PM proxy target "${hostname}" resolves to a blocked address and is not allowed.`);
+    }
+    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) && !/^\[.*\]$/.test(hostname)) {
+      await safeResolveHostname(hostname);
+    }
+  }
+  function sanitizeProxyRequestPath(requestUrl) {
+    if (!requestUrl || requestUrl === "/") return "/";
+    try {
+      const normalizedInput = requestUrl.replace(/\\/g, "/");
+      const parsed = new URL(normalizedInput, "http://placeholder");
+      if (parsed.username || parsed.password || parsed.hostname !== "placeholder" || parsed.port) {
+        return "/";
+      }
+      const pathname = parsed.pathname || "/";
+      let decodedPathname = pathname;
+      try {
+        decodedPathname = decodeURIComponent(pathname);
+      } catch {
+        return "/";
+      }
+      const lowerPath = pathname.toLowerCase();
+      if (lowerPath.includes("%2f") || lowerPath.includes("%5c") || lowerPath.includes("%40") || lowerPath.includes("%00")) {
+        return "/";
+      }
+      const segments = decodedPathname.split("/");
+      if (segments.some((segment) => segment === "." || segment === "..")) {
+        return "/";
+      }
+      const sanitized = pathname + parsed.search;
+      return sanitized.startsWith("/") ? sanitized || "/" : `/${sanitized}`;
+    } catch {
+      return "/";
+    }
+  }
   function resolvePmProxyHost(proxy) {
     return proxy.host?.trim() || "0.0.0.0";
   }
@@ -5292,6 +5503,9 @@ error: ${text}`);
       nextTargetIndex = (nextTargetIndex + 1) % targets.length;
       return target;
     };
+    const validateTarget = async (target) => {
+      await validateProxyTargetUrl(target);
+    };
     const server = (0, import_node_http.createServer)((req, res) => {
       const target = pickTarget();
       if (!target) {
@@ -5299,29 +5513,45 @@ error: ${text}`);
         res.end("PM proxy target is not ready.");
         return;
       }
+      const sanitizedPath = sanitizeProxyRequestPath(req.url || "/");
       const requestLib = target.protocol === "https:" ? import_node_https.request : import_node_http.request;
-      const targetUrl = new URL(req.url || "/", target);
       const headers = buildPmProxyHeaders(req.headers, target.host);
-      const proxyReq = requestLib(targetUrl, {
-        method: req.method,
-        headers
-      }, (proxyRes) => {
-        const outgoingHeaders = {};
-        for (const [key, value] of Object.entries(proxyRes.headers)) {
-          if (value !== void 0) {
-            outgoingHeaders[key] = value;
+      if (!ALLOWED_PROXY_PROTOCOLS.has(target.protocol)) {
+        res.statusCode = 400;
+        res.end("PM proxy rejected unsafe target protocol.");
+        return;
+      }
+      validateTarget(target).then(() => {
+        const proxyReq = requestLib({
+          protocol: target.protocol,
+          hostname: target.hostname,
+          port: target.port || void 0,
+          path: sanitizedPath,
+          method: req.method,
+          headers
+        }, (proxyRes) => {
+          const outgoingHeaders = {};
+          for (const [key, value] of Object.entries(proxyRes.headers)) {
+            if (value !== void 0) {
+              outgoingHeaders[key] = value;
+            }
           }
-        }
-        res.writeHead(proxyRes.statusCode || 200, outgoingHeaders);
-        proxyRes.pipe(res);
-      });
-      proxyReq.on("error", (error) => {
+          res.writeHead(proxyRes.statusCode || 200, outgoingHeaders);
+          proxyRes.pipe(res);
+        });
+        proxyReq.on("error", (error) => {
+          if (!res.headersSent) {
+            res.statusCode = 502;
+          }
+          res.end(`PM proxy error: ${error.message}`);
+        });
+        req.pipe(proxyReq);
+      }).catch((error) => {
         if (!res.headersSent) {
-          res.statusCode = 502;
+          res.statusCode = 403;
         }
-        res.end(`PM proxy error: ${error.message}`);
+        res.end(`PM proxy blocked target: ${error instanceof Error ? error.message : String(error)}`);
       });
-      req.pipe(proxyReq);
     });
     server.on("upgrade", (req, socket, head) => {
       const target = pickTarget();
@@ -5333,38 +5563,56 @@ error: ${text}`);
         socket.destroy();
         return;
       }
+      const sanitizedPath = sanitizeProxyRequestPath(req.url || "/");
       const requestLib = target.protocol === "https:" ? import_node_https.request : import_node_http.request;
-      const targetUrl = new URL(req.url || "/", target);
-      const proxyReq = requestLib(targetUrl, {
-        method: req.method,
-        headers: buildPmProxyHeaders(req.headers, target.host)
-      });
-      proxyReq.on("upgrade", (proxyRes, proxySocket, proxyHead) => {
-        writeRawHttpResponse(socket, proxyRes.statusCode || 101, proxyRes.statusMessage || "Switching Protocols", proxyRes.headers);
-        if (head.length > 0) {
-          proxySocket.write(head);
-        }
-        if (proxyHead.length > 0) {
-          socket.write(proxyHead);
-        }
-        socket.on("error", () => proxySocket.destroy());
-        proxySocket.on("error", () => socket.destroy());
-        proxySocket.pipe(socket);
-        socket.pipe(proxySocket);
-      });
-      proxyReq.on("response", (proxyRes) => {
-        writeRawHttpResponse(socket, proxyRes.statusCode || 502, proxyRes.statusMessage || "Bad Gateway", proxyRes.headers);
-        proxyRes.pipe(socket);
-      });
-      proxyReq.on("error", (error) => {
-        writeRawHttpResponse(socket, 502, "Bad Gateway", {
+      const targetUrl = new URL(sanitizedPath, target);
+      if (targetUrl.hostname !== target.hostname || targetUrl.port !== target.port || !ALLOWED_PROXY_PROTOCOLS.has(targetUrl.protocol)) {
+        writeRawHttpResponse(socket, 400, "Bad Request", {
+          connection: "close",
+          "content-length": 0
+        });
+        socket.destroy();
+        return;
+      }
+      validateTarget(target).then(() => {
+        const proxyReq = requestLib(targetUrl, {
+          method: req.method,
+          headers: buildPmProxyHeaders(req.headers, target.host)
+        });
+        proxyReq.on("upgrade", (proxyRes, proxySocket, proxyHead) => {
+          writeRawHttpResponse(socket, proxyRes.statusCode || 101, proxyRes.statusMessage || "Switching Protocols", proxyRes.headers);
+          if (head.length > 0) {
+            proxySocket.write(head);
+          }
+          if (proxyHead.length > 0) {
+            socket.write(proxyHead);
+          }
+          socket.on("error", () => proxySocket.destroy());
+          proxySocket.on("error", () => socket.destroy());
+          proxySocket.pipe(socket);
+          socket.pipe(proxySocket);
+        });
+        proxyReq.on("response", (proxyRes) => {
+          writeRawHttpResponse(socket, proxyRes.statusCode || 502, proxyRes.statusMessage || "Bad Gateway", proxyRes.headers);
+          proxyRes.pipe(socket);
+        });
+        proxyReq.on("error", (error) => {
+          writeRawHttpResponse(socket, 502, "Bad Gateway", {
+            connection: "close",
+            "content-type": "text/plain; charset=utf-8",
+            "content-length": Buffer.byteLength(`PM proxy error: ${error.message}`)
+          });
+          socket.end(`PM proxy error: ${error.message}`);
+        });
+        proxyReq.end();
+      }).catch((error) => {
+        writeRawHttpResponse(socket, 403, "Forbidden", {
           connection: "close",
           "content-type": "text/plain; charset=utf-8",
-          "content-length": Buffer.byteLength(`PM proxy error: ${error.message}`)
+          "content-length": Buffer.byteLength(`PM proxy blocked target: ${error instanceof Error ? error.message : String(error)}`)
         });
-        socket.end(`PM proxy error: ${error.message}`);
+        socket.end(`PM proxy blocked target: ${error instanceof Error ? error.message : String(error)}`);
       });
-      proxyReq.end();
     });
     await new Promise((resolve7, reject) => {
       server.once("error", reject);
@@ -5372,10 +5620,25 @@ error: ${text}`);
     });
     return {
       setTarget(targetUrl) {
-        setResolvedTargets(targetUrl ? [new URL(targetUrl)] : []);
+        if (targetUrl) {
+          const parsed = new URL(targetUrl);
+          validateProxyTargetUrl(parsed).then(() => {
+            setResolvedTargets([parsed]);
+          }).catch((error) => {
+            console.error(`[PM proxy] Blocked setTarget: ${error instanceof Error ? error.message : String(error)}`);
+            setResolvedTargets([]);
+          });
+        } else {
+          setResolvedTargets([]);
+        }
       },
       setTargets(targetUrls) {
-        setResolvedTargets(targetUrls.map((targetUrl) => new URL(targetUrl)));
+        Promise.all(targetUrls.map((url) => validateProxyTargetUrl(new URL(url)))).then(() => {
+          setResolvedTargets(targetUrls.map((targetUrl) => new URL(targetUrl)));
+        }).catch((error) => {
+          console.error(`[PM proxy] Blocked setTargets: ${error instanceof Error ? error.message : String(error)}`);
+          setResolvedTargets([]);
+        });
       },
       close() {
         return new Promise((resolve7, reject) => {