npm - figranium - Versions diffs - 0.11.3 → 0.12.0 - Mend

figranium 0.11.3 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md +2 -2
package/dist/assets/index-B1CypY6C.css +1 -0
package/dist/assets/index-B295GWry.js +18 -0
package/dist/index.html +2 -2
package/headful.js +2 -1
package/package.json +1 -1
package/scrape.js +2 -1
package/server.js +21 -3
package/url-utils.js +155 -14
package/dist/assets/index-CGxJAXB1.js +0 -43
package/dist/assets/index-CTQxB0fw.css +0 -1

package/dist/index.html CHANGED Viewed

@@ -16,8 +16,8 @@
     <link
         href="https://fonts.googleapis.com/css2?family=Material+Symbols+Outlined:opsz,wght,FILL,GRAD@20..48,100..700,0..1,-50..200"
         rel="stylesheet" />
-  <script type="module" crossorigin src="/assets/index-CGxJAXB1.js"></script>
-  <link rel="stylesheet" crossorigin href="/assets/index-CTQxB0fw.css">
+  <script type="module" crossorigin src="/assets/index-B295GWry.js"></script>
+  <link rel="stylesheet" crossorigin href="/assets/index-B1CypY6C.css">
 </head>
 <body class="bg-[#020202] text-gray-100 font-sans h-full overflow-hidden selection:bg-white selection:text-black">

package/headful.js CHANGED Viewed

@@ -3,7 +3,7 @@ const fs = require('fs');
 const path = require('path');
 const { getProxySelection } = require('./proxy-rotation');
 const { selectUserAgent } = require('./user-agent-settings');
-const { validateUrl } = require('./url-utils');
+const { validateUrl, setupNavigationProtection } = require('./url-utils');
 const { parseBooleanFlag } = require('./common-utils');
 const { Mutex } = require('./src/server/utils');
@@ -432,6 +432,7 @@ async function runHeadful(data, options = {}) {
             });
         };
+        await setupNavigationProtection(context);
         await context.addInitScript(inspectInitFn);
         await context.exposeBinding('__figraniumIsInspectEnabled', () => {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "figranium",
-  "version": "0.11.3",
+  "version": "0.12.0",
   "main": "index.js",
   "bin": {
     "figranium": "bin/cli.js"

package/scrape.js CHANGED Viewed

@@ -5,7 +5,7 @@ const { spawn } = require('child_process');
 const { getProxySelection } = require('./proxy-rotation');
 const { selectUserAgent } = require('./user-agent-settings');
 const { formatHTML } = require('./html-utils');
-const { validateUrl } = require('./url-utils');
+const { validateUrl, setupNavigationProtection } = require('./url-utils');
 const { parseBooleanFlag, sanitizeRunId, toCsvString } = require('./common-utils');
 const { installMouseHelper } = require('./src/agent/dom-utils');
@@ -124,6 +124,7 @@ async function runScrape(data) {
             await injectHeadfulCookies(context);
         }
+        await setupNavigationProtection(context);
         await context.addInitScript(installMouseHelper);
         if (includeShadowDom) {

package/server.js CHANGED Viewed

@@ -45,7 +45,7 @@ const {
     proxyWebsockify,
     isPortAvailable
 } = require('./src/server/utils');
-const { isValidWebSocketOrigin } = require('./url-utils');
+const { isValidWebSocketOrigin, fetchWithRedirectValidation } = require('./url-utils');
 // Middleware
 const {
@@ -139,6 +139,23 @@ app.use((req, res, next) => {
     res.setHeader('X-Frame-Options', 'SAMEORIGIN');
     res.setHeader('X-XSS-Protection', '1; mode=block');
     res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+    // Content Security Policy
+    const csp = [
+        "default-src 'self'",
+        "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+        "font-src 'self' https://fonts.gstatic.com",
+        "img-src 'self' data: blob: https://www.google.com https://*.gstatic.com https://cdn.jsdelivr.net https://raw.githubusercontent.com",
+        "connect-src 'self' https://api.github.com https://generativelanguage.googleapis.com https://api.openai.com https://api.anthropic.com https://api.baserow.io",
+        "media-src 'self' blob:",
+        "frame-src 'self'"
+    ].join('; ');
+    res.setHeader('Content-Security-Policy', csp);
+    if (SESSION_COOKIE_SECURE) {
+        res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+    }
     next();
 });
@@ -167,6 +184,7 @@ app.use(session({
     rolling: true,
     saveUninitialized: false,
     cookie: {
+        httpOnly: true,
         secure: SESSION_COOKIE_SECURE,
         sameSite: 'strict',
         maxAge: SESSION_TTL_SECONDS * 1000
@@ -245,7 +263,7 @@ const registerExecution = (req, res, baseMeta = {}) => {
                 durationMs: entry.durationMs,
                 result: entry.result
             });
-            fetch(webhookUrl, {
+            fetchWithRedirectValidation(webhookUrl, {
                 method: 'POST',
                 headers: { 'Content-Type': 'application/json' },
                 body: payload,
@@ -443,7 +461,7 @@ app.use('/screenshots', requireAuthOrApiKey, express.static(capturesDir));
 app.use(express.static(DIST_DIR));
 // Headful Status Endpoint
-app.get('/api/headful/status', async (req, res) => {
+app.get('/api/headful/status', requireAuth, async (req, res) => {
     if (!novncEnabled) {
         return res.json({ useNovnc: false });
     }

package/url-utils.js CHANGED Viewed

@@ -71,13 +71,19 @@ function isPrivateIP(ip) {
     return false;
 }
+const VALID_HOSTNAME_CACHE = new Set();
+const INVALID_HOSTNAME_CACHE = new Set();
+const CACHE_TTL = 30000; // 30 seconds
+let lastCacheClear = Date.now();
 /**
  * Validates a URL to prevent SSRF by blocking private IP ranges.
  * @param {string} urlStr The URL to validate.
+ * @returns {string} The validated URL string.
  * @throws {Error} If the URL is invalid or points to a private network.
  */
 async function validateUrl(urlStr) {
-    if (!urlStr) return;
+    if (!urlStr) return '';
     let url;
     try {
@@ -90,7 +96,7 @@ async function validateUrl(urlStr) {
         throw new Error('Only HTTP and HTTPS protocols are allowed');
     }
-    if (ALLOW_PRIVATE_NETWORKS) return;
+    if (ALLOW_PRIVATE_NETWORKS) return url.href;
     let hostname = url.hostname;
     // Strip brackets from IPv6 hostnames
@@ -98,41 +104,176 @@ async function validateUrl(urlStr) {
         hostname = hostname.substring(1, hostname.length - 1);
     }
-    // Direct check for common private hostnames
     const lowerHost = hostname.toLowerCase();
+    // Cache management
+    if (Date.now() - lastCacheClear > CACHE_TTL) {
+        VALID_HOSTNAME_CACHE.clear();
+        INVALID_HOSTNAME_CACHE.clear();
+        lastCacheClear = Date.now();
+    }
+    if (VALID_HOSTNAME_CACHE.has(lowerHost)) return url.href;
+    if (INVALID_HOSTNAME_CACHE.has(lowerHost)) {
+        throw new Error('Access to private network is restricted');
+    }
+    // Direct check for common private hostnames
     if (lowerHost === 'localhost' || lowerHost.endsWith('.localhost')) {
+        INVALID_HOSTNAME_CACHE.add(lowerHost);
         throw new Error('Access to private network is restricted');
     }
     // Resolve hostname to IP
     try {
+        // If it's already an IP address, check it directly
+        if (net.isIP(hostname)) {
+            if (isPrivateIP(hostname)) {
+                INVALID_HOSTNAME_CACHE.add(lowerHost);
+                throw new Error('Access to private network is restricted');
+            }
+            return url.href;
+        }
         // dns.lookup follows /etc/hosts and is what's typically used for connecting
         const addresses = await dns.lookup(hostname, { all: true });
         for (const addr of addresses) {
             if (isPrivateIP(addr.address)) {
+                INVALID_HOSTNAME_CACHE.add(lowerHost);
                 throw new Error('Access to private network is restricted');
             }
         }
+        VALID_HOSTNAME_CACHE.add(lowerHost);
     } catch (e) {
         if (e.message === 'Access to private network is restricted') {
             throw e;
         }
-        // If it's already an IP address, check it directly
-        if (net.isIP(hostname)) {
-            if (isPrivateIP(hostname)) {
-                throw new Error('Access to private network is restricted');
-            }
+        // If we can't resolve it and it's not an IP, we allow it to proceed
+        // to the browser where it will likely fail normally.
+    }
+    return url.href;
+}
+/**
+ * Perform a fetch with manual redirect following and validation at each hop.
+ * Ensures sensitive headers (Authorization, Token) are stripped on cross-origin redirects.
+ * @param {string} urlStr Initial URL.
+ * @param {object} options Fetch options.
+ * @param {number} maxRedirects Maximum number of redirects to follow.
+ */
+async function fetchWithRedirectValidation(urlStr, options = {}, maxRedirects = 5) {
+    let currentUrl;
+    try {
+        currentUrl = new URL(urlStr);
+    } catch (e) {
+        throw new Error('Invalid URL');
+    }
+    let currentOptions = { ...options };
+    let redirectCount = 0;
+    while (redirectCount <= maxRedirects) {
+        // validateUrl respects ALLOW_PRIVATE_NETWORKS internally
+        const validatedHref = await validateUrl(currentUrl.href);
+        // Explicitly reconstruct URL from validated href to ensure taint is cleared
+        const safeUrl = new URL(validatedHref);
+        // CodeQL mitigation: strictly verify protocol and pass URL object to fetch
+        if (safeUrl.protocol !== 'http:' && safeUrl.protocol !== 'https:') {
+            throw new Error('Only HTTP and HTTPS protocols are allowed');
         }
-        // Rethrow if it's the specific restricted error
-        if (e.message === 'Access to private network is restricted') {
-            throw e;
+        const response = await fetch(safeUrl, {
+            ...currentOptions,
+            redirect: 'manual'
+        });
+        // Handle redirects (301, 302, 303, 307, 308)
+        if (response.status >= 300 && response.status < 400) {
+            const location = response.headers.get('location');
+            if (!location) return response;
+            const nextUrl = new URL(location, safeUrl.href);
+            const isCrossOrigin = nextUrl.origin !== currentUrl.origin;
+            // Update options for the next request (shallow copy)
+            const nextOptions = { ...currentOptions };
+            if (nextOptions.headers) {
+                nextOptions.headers = { ...nextOptions.headers };
+            }
+            // Strip sensitive headers on cross-origin redirects
+            if (isCrossOrigin && nextOptions.headers) {
+                const sensitiveHeaders = ['authorization', 'x-api-key', 'token', 'cookie', 'proxy-authorization'];
+                for (const h of Object.keys(nextOptions.headers)) {
+                    if (sensitiveHeaders.includes(h.toLowerCase())) {
+                        delete nextOptions.headers[h];
+                    }
+                }
+            }
+            // Standards compliance: 301, 302, 303 redirects switch to GET and drop body
+            if ([301, 302, 303].includes(response.status)) {
+                nextOptions.method = 'GET';
+                delete nextOptions.body;
+                if (nextOptions.headers) {
+                    for (const h of Object.keys(nextOptions.headers)) {
+                        if (['content-type', 'content-length'].includes(h.toLowerCase())) {
+                            delete nextOptions.headers[h];
+                        }
+                    }
+                }
+            }
+            currentUrl = nextUrl;
+            currentOptions = nextOptions;
+            redirectCount++;
+            continue;
         }
-        // If we can't resolve it and it's not an IP, we allow it to proceed
-        // to the browser where it will likely fail normally.
+        return response;
     }
+    throw new Error('Too many redirects');
+}
+/**
+ * Sets up navigation protection for a Playwright context.
+ * Intercepts requests and validates destination URLs.
+ * @param {object} context Playwright context.
+ */
+async function setupNavigationProtection(context) {
+    if (ALLOW_PRIVATE_NETWORKS) return;
+    await context.route('**/*', async (route) => {
+        const request = route.request();
+        // Only validate main frame navigations for performance and to avoid breaking sub-resources
+        if (request.isNavigationRequest() && request.frame() === request.frame().page().mainFrame()) {
+            const url = request.url();
+            const currentUrl = request.frame().url();
+            try {
+                // If it's a same-origin navigation, skip validation for speed
+                if (currentUrl && currentUrl !== 'about:blank') {
+                    const u1 = new URL(url);
+                    const u2 = new URL(currentUrl);
+                    if (u1.origin === u2.origin) {
+                        return route.continue();
+                    }
+                }
+                await validateUrl(url);
+                return route.continue();
+            } catch (err) {
+                console.error(`[SECURITY] Navigation to ${url} blocked: ${err.message}`);
+                return route.abort('blockedbyclient');
+            }
+        }
+        return route.continue();
+    });
 }
 /**
@@ -151,4 +292,4 @@ function isValidWebSocketOrigin(origin, host) {
     }
 }
-module.exports = { validateUrl, isPrivateIP, isValidWebSocketOrigin };
+module.exports = { validateUrl, isPrivateIP, isValidWebSocketOrigin, fetchWithRedirectValidation, setupNavigationProtection };