figranium 0.11.3 → 0.12.1

package/dist/index.html

@@ -16,8 +16,8 @@
     <link
         href="https://fonts.googleapis.com/css2?family=Material+Symbols+Outlined:opsz,wght,FILL,GRAD@20..48,100..700,0..1,-50..200"
         rel="stylesheet" />
-  <script type="module" crossorigin src="/assets/index-CGxJAXB1.js"></script>
-  <link rel="stylesheet" crossorigin href="/assets/index-CTQxB0fw.css">
+  <script type="module" crossorigin src="/assets/index-CvaIUcTv.js"></script>
+  <link rel="stylesheet" crossorigin href="/assets/index-C2rVEs3q.css">
 </head>
 
 <body class="bg-[#020202] text-gray-100 font-sans h-full overflow-hidden selection:bg-white selection:text-black">

package/extraction-worker.js

@@ -153,16 +153,19 @@ const runExtraction = async (data) => {
             return { shadowQueryAll, shadowText };
         })();
 
+        const proxiedData = createSafeProxy({
+            html: () => html || '',
+            url: () => url || '',
+            window,
+            document: window.document,
+            shadowQueryAll: includeShadowDom ? shadowHelpers.shadowQueryAll : undefined,
+            shadowText: includeShadowDom ? shadowHelpers.shadowText : undefined
+        });
+
         const sandbox = Object.create(null);
         Object.assign(sandbox, {
-            $$data: createSafeProxy({
-                html: () => html || '',
-                url: () => url || '',
-                window,
-                document: window.document,
-                shadowQueryAll: includeShadowDom ? shadowHelpers.shadowQueryAll : undefined,
-                shadowText: includeShadowDom ? shadowHelpers.shadowText : undefined
-            }),
+            data: proxiedData,
+            $$data: proxiedData,
             window: createSafeProxy(window),
             document: createSafeProxy(window.document),
             DOMParser: createSafeProxy(window.DOMParser),
@@ -175,8 +178,8 @@ const runExtraction = async (data) => {
             "use strict";
             (async () => {
                 const AsyncFunction = Object.getPrototypeOf(async function(){}).constructor;
-                const fn = new AsyncFunction('$$data', 'window', 'document', 'DOMParser', 'console', $$userScript);
-                return fn($$data, window, document, DOMParser, console);
+                const fn = new AsyncFunction('data', '$$data', 'window', 'document', 'DOMParser', 'console', $$userScript);
+                return fn(data, $$data, window, document, DOMParser, console);
             })();
         `;
 

package/headful.js

@@ -3,7 +3,7 @@ const fs = require('fs');
 const path = require('path');
 const { getProxySelection } = require('./proxy-rotation');
 const { selectUserAgent } = require('./user-agent-settings');
-const { validateUrl } = require('./url-utils');
+const { validateUrl, setupNavigationProtection } = require('./url-utils');
 const { parseBooleanFlag } = require('./common-utils');
 const { Mutex } = require('./src/server/utils');
 
@@ -432,6 +432,7 @@ async function runHeadful(data, options = {}) {
             });
         };
 
+        await setupNavigationProtection(context);
         await context.addInitScript(inspectInitFn);
 
         await context.exposeBinding('__figraniumIsInspectEnabled', () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "figranium",
-  "version": "0.11.3",
+  "version": "0.12.1",
   "main": "index.js",
   "bin": {
     "figranium": "bin/cli.js"
@@ -77,6 +77,6 @@
     "postcss": "^8.5.6",
     "tailwindcss": "^3.4.19",
     "typescript": "^5.9.3",
-    "vite": "^7.3.0"
+    "vite": "7.3.2"
   }
 }

package/scrape.js

@@ -5,7 +5,7 @@ const { spawn } = require('child_process');
 const { getProxySelection } = require('./proxy-rotation');
 const { selectUserAgent } = require('./user-agent-settings');
 const { formatHTML } = require('./html-utils');
-const { validateUrl } = require('./url-utils');
+const { validateUrl, setupNavigationProtection } = require('./url-utils');
 const { parseBooleanFlag, sanitizeRunId, toCsvString } = require('./common-utils');
 const { installMouseHelper } = require('./src/agent/dom-utils');
 
@@ -124,6 +124,7 @@ async function runScrape(data) {
             await injectHeadfulCookies(context);
         }
 
+        await setupNavigationProtection(context);
         await context.addInitScript(installMouseHelper);
 
         if (includeShadowDom) {

package/server.js

@@ -45,7 +45,7 @@ const {
     proxyWebsockify,
     isPortAvailable
 } = require('./src/server/utils');
-const { isValidWebSocketOrigin } = require('./url-utils');
+const { isValidWebSocketOrigin, fetchWithRedirectValidation } = require('./url-utils');
 
 // Middleware
 const {
@@ -139,6 +139,23 @@ app.use((req, res, next) => {
     res.setHeader('X-Frame-Options', 'SAMEORIGIN');
     res.setHeader('X-XSS-Protection', '1; mode=block');
     res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+
+    // Content Security Policy
+    const csp = [
+        "default-src 'self'",
+        "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+        "font-src 'self' https://fonts.gstatic.com",
+        "img-src 'self' data: blob: https://www.google.com https://*.gstatic.com https://cdn.jsdelivr.net https://raw.githubusercontent.com",
+        "connect-src 'self' https://api.github.com https://generativelanguage.googleapis.com https://api.openai.com https://api.anthropic.com https://api.baserow.io",
+        "media-src 'self' blob:",
+        "frame-src 'self'"
+    ].join('; ');
+    res.setHeader('Content-Security-Policy', csp);
+
+    if (SESSION_COOKIE_SECURE) {
+        res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+    }
     next();
 });
 
@@ -167,6 +184,7 @@ app.use(session({
     rolling: true,
     saveUninitialized: false,
     cookie: {
+        httpOnly: true,
         secure: SESSION_COOKIE_SECURE,
         sameSite: 'strict',
         maxAge: SESSION_TTL_SECONDS * 1000
@@ -180,6 +198,7 @@ app.use('/api/auth', authRoutes);
 app.use('/api/settings', settingsRoutes);
 app.use('/api/tasks', taskRoutes);
 app.use('/api/executions', executionRoutes);
+app.use('/api', dataRoutes);
 app.use('/api/data', dataRoutes);
 app.use('/api/schedules', scheduleRoutes);
 app.use('/api/credentials', credentialRoutes);
@@ -245,7 +264,7 @@ const registerExecution = (req, res, baseMeta = {}) => {
                 durationMs: entry.durationMs,
                 result: entry.result
             });
-            fetch(webhookUrl, {
+            fetchWithRedirectValidation(webhookUrl, {
                 method: 'POST',
                 headers: { 'Content-Type': 'application/json' },
                 body: payload,
@@ -443,7 +462,7 @@ app.use('/screenshots', requireAuthOrApiKey, express.static(capturesDir));
 app.use(express.static(DIST_DIR));
 
 // Headful Status Endpoint
-app.get('/api/headful/status', async (req, res) => {
+app.get('/api/headful/status', requireAuth, async (req, res) => {
     if (!novncEnabled) {
         return res.json({ useNovnc: false });
     }

package/src/server/scheduler.js

@@ -265,7 +265,6 @@ async function executeScheduledTask(taskId) {
 async function startScheduler() {
     if (running) return;
     running = true;
-    console.log('[SCHEDULER] Starting scheduler...');
 
     try {
         await loadSchedules();
@@ -305,7 +304,6 @@ function stopScheduler() {
         schedulerTimer = null;
     }
     scheduledTasks.clear();
-    console.log('[SCHEDULER] Stopped.');
 }
 
 /**

package/url-utils.js

@@ -4,6 +4,30 @@ const { ALLOW_PRIVATE_NETWORKS } = require('./src/server/constants');
 
 /**
  * Checks if an IP address is private.
+ *
+ * Qualifies as a private network/blocked destination:
+ *
+ * IPv4 Ranges:
+ * - 0.0.0.0/8 (Current network)
+ * - 10.0.0.0/8 (Private-Use Networks - RFC 1918)
+ * - 100.64.0.0/10 (Shared Address Space - RFC 6598)
+ * - 127.0.0.0/8 (Loopback)
+ * - 169.254.0.0/16 (Link-Local)
+ * - 172.16.0.0/12 (Private-Use Networks - RFC 1918)
+ * - 192.168.0.0/16 (Private-Use Networks - RFC 1918)
+ *
+ * IPv6 Ranges:
+ * - ::/128 (Unspecified)
+ * - ::1/128 (Loopback)
+ * - fc00::/7 (Unique Local Address)
+ * - fe80::/10 (Link-Local Unicast)
+ * - IPv4-mapped/compatible addresses pointing to the above IPv4 ranges
+ *
+ * Hostnames:
+ * - localhost
+ * - *.localhost
+ * - host.docker.internal
+ *
  * @param {string} ip The IP address to check.
  * @returns {boolean} True if the IP is private.
  */
@@ -71,13 +95,19 @@ function isPrivateIP(ip) {
     return false;
 }
 
+const VALID_HOSTNAME_CACHE = new Set();
+const INVALID_HOSTNAME_CACHE = new Set();
+const CACHE_TTL = 30000; // 30 seconds
+let lastCacheClear = Date.now();
+
 /**
  * Validates a URL to prevent SSRF by blocking private IP ranges.
  * @param {string} urlStr The URL to validate.
+ * @returns {string} The validated URL string.
  * @throws {Error} If the URL is invalid or points to a private network.
  */
 async function validateUrl(urlStr) {
-    if (!urlStr) return;
+    if (!urlStr) return '';
 
     let url;
     try {
@@ -90,7 +120,7 @@ async function validateUrl(urlStr) {
         throw new Error('Only HTTP and HTTPS protocols are allowed');
     }
 
-    if (ALLOW_PRIVATE_NETWORKS) return;
+    if (ALLOW_PRIVATE_NETWORKS) return url.href;
 
     let hostname = url.hostname;
     // Strip brackets from IPv6 hostnames
@@ -98,41 +128,180 @@ async function validateUrl(urlStr) {
         hostname = hostname.substring(1, hostname.length - 1);
     }
 
-    // Direct check for common private hostnames
     const lowerHost = hostname.toLowerCase();
-    if (lowerHost === 'localhost' || lowerHost.endsWith('.localhost')) {
+
+    // Cache management
+    if (Date.now() - lastCacheClear > CACHE_TTL) {
+        VALID_HOSTNAME_CACHE.clear();
+        INVALID_HOSTNAME_CACHE.clear();
+        lastCacheClear = Date.now();
+    }
+
+    if (VALID_HOSTNAME_CACHE.has(lowerHost)) return url.href;
+    if (INVALID_HOSTNAME_CACHE.has(lowerHost)) {
+        throw new Error('Access to private network is restricted');
+    }
+
+    // Direct check for common private hostnames
+    if (
+        lowerHost === 'localhost' ||
+        lowerHost.endsWith('.localhost') ||
+        lowerHost === 'host.docker.internal'
+    ) {
+        INVALID_HOSTNAME_CACHE.add(lowerHost);
         throw new Error('Access to private network is restricted');
     }
 
     // Resolve hostname to IP
     try {
+        // If it's already an IP address, check it directly
+        if (net.isIP(hostname)) {
+            if (isPrivateIP(hostname)) {
+                INVALID_HOSTNAME_CACHE.add(lowerHost);
+                throw new Error('Access to private network is restricted');
+            }
+            return url.href;
+        }
+
         // dns.lookup follows /etc/hosts and is what's typically used for connecting
         const addresses = await dns.lookup(hostname, { all: true });
         for (const addr of addresses) {
             if (isPrivateIP(addr.address)) {
+                INVALID_HOSTNAME_CACHE.add(lowerHost);
                 throw new Error('Access to private network is restricted');
             }
         }
+        VALID_HOSTNAME_CACHE.add(lowerHost);
     } catch (e) {
         if (e.message === 'Access to private network is restricted') {
             throw e;
         }
 
-        // If it's already an IP address, check it directly
-        if (net.isIP(hostname)) {
-            if (isPrivateIP(hostname)) {
-                throw new Error('Access to private network is restricted');
-            }
+        // If we can't resolve it and it's not an IP, we allow it to proceed
+        // to the browser where it will likely fail normally.
+    }
+
+    return url.href;
+}
+
+/**
+ * Perform a fetch with manual redirect following and validation at each hop.
+ * Ensures sensitive headers (Authorization, Token) are stripped on cross-origin redirects.
+ * @param {string} urlStr Initial URL.
+ * @param {object} options Fetch options.
+ * @param {number} maxRedirects Maximum number of redirects to follow.
+ */
+async function fetchWithRedirectValidation(urlStr, options = {}, maxRedirects = 5) {
+    let currentUrl;
+    try {
+        currentUrl = new URL(urlStr);
+    } catch (e) {
+        throw new Error('Invalid URL');
+    }
+
+    let currentOptions = { ...options };
+    let redirectCount = 0;
+
+    while (redirectCount <= maxRedirects) {
+        // validateUrl respects ALLOW_PRIVATE_NETWORKS internally
+        const validatedHref = await validateUrl(currentUrl.href);
+
+        // Explicitly reconstruct URL from validated href to ensure taint is cleared
+        const safeUrl = new URL(validatedHref);
+
+        // CodeQL mitigation: strictly verify protocol and pass URL object to fetch
+        if (safeUrl.protocol !== 'http:' && safeUrl.protocol !== 'https:') {
+            throw new Error('Only HTTP and HTTPS protocols are allowed');
         }
 
-        // Rethrow if it's the specific restricted error
-        if (e.message === 'Access to private network is restricted') {
-            throw e;
+        const response = await fetch(safeUrl, {
+            ...currentOptions,
+            redirect: 'manual'
+        });
+
+        // Handle redirects (301, 302, 303, 307, 308)
+        if (response.status >= 300 && response.status < 400) {
+            const location = response.headers.get('location');
+            if (!location) return response;
+
+            const nextUrl = new URL(location, safeUrl.href);
+            const isCrossOrigin = nextUrl.origin !== currentUrl.origin;
+
+            // Update options for the next request (shallow copy)
+            const nextOptions = { ...currentOptions };
+            if (nextOptions.headers) {
+                nextOptions.headers = { ...nextOptions.headers };
+            }
+
+            // Strip sensitive headers on cross-origin redirects
+            if (isCrossOrigin && nextOptions.headers) {
+                const sensitiveHeaders = ['authorization', 'x-api-key', 'token', 'cookie', 'proxy-authorization'];
+                for (const h of Object.keys(nextOptions.headers)) {
+                    if (sensitiveHeaders.includes(h.toLowerCase())) {
+                        delete nextOptions.headers[h];
+                    }
+                }
+            }
+
+            // Standards compliance: 301, 302, 303 redirects switch to GET and drop body
+            if ([301, 302, 303].includes(response.status)) {
+                nextOptions.method = 'GET';
+                delete nextOptions.body;
+                if (nextOptions.headers) {
+                    for (const h of Object.keys(nextOptions.headers)) {
+                        if (['content-type', 'content-length'].includes(h.toLowerCase())) {
+                            delete nextOptions.headers[h];
+                        }
+                    }
+                }
+            }
+
+            currentUrl = nextUrl;
+            currentOptions = nextOptions;
+            redirectCount++;
+            continue;
         }
 
-        // If we can't resolve it and it's not an IP, we allow it to proceed
-        // to the browser where it will likely fail normally.
+        return response;
     }
+
+    throw new Error('Too many redirects');
+}
+
+/**
+ * Sets up navigation protection for a Playwright context.
+ * Intercepts requests and validates destination URLs.
+ * @param {object} context Playwright context.
+ */
+async function setupNavigationProtection(context) {
+    if (ALLOW_PRIVATE_NETWORKS) return;
+
+    await context.route('**/*', async (route) => {
+        const request = route.request();
+        // Only validate main frame navigations for performance and to avoid breaking sub-resources
+        if (request.isNavigationRequest() && request.frame() === request.frame().page().mainFrame()) {
+            const url = request.url();
+            const currentUrl = request.frame().url();
+
+            try {
+                // If it's a same-origin navigation, skip validation for speed
+                if (currentUrl && currentUrl !== 'about:blank') {
+                    const u1 = new URL(url);
+                    const u2 = new URL(currentUrl);
+                    if (u1.origin === u2.origin) {
+                        return route.continue();
+                    }
+                }
+
+                await validateUrl(url);
+                return route.continue();
+            } catch (err) {
+                console.error(`[SECURITY] Navigation to ${url} blocked: ${err.message}`);
+                return route.abort('blockedbyclient');
+            }
+        }
+        return route.continue();
+    });
 }
 
 /**
@@ -151,4 +320,4 @@ function isValidWebSocketOrigin(origin, host) {
     }
 }
 
-module.exports = { validateUrl, isPrivateIP, isValidWebSocketOrigin };
+module.exports = { validateUrl, isPrivateIP, isValidWebSocketOrigin, fetchWithRedirectValidation, setupNavigationProtection };