figranium 0.12.1 → 0.12.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (35) hide show
  1. package/LICENSE +674 -674
  2. package/README.md +336 -336
  3. package/agent.js +1 -1
  4. package/bin/cli.js +149 -149
  5. package/common-utils.js +211 -211
  6. package/dist/assets/{favicon-DmUMR1rm.svg → favicon-DXDXzv5K.svg} +290 -290
  7. package/dist/assets/index-BaVlGc48.js +18 -0
  8. package/dist/assets/index-T2xxnq_A.css +1 -0
  9. package/dist/favicon.svg +290 -290
  10. package/dist/figranium_icon.svg +290 -290
  11. package/dist/figranium_logo.svg +60 -60
  12. package/dist/index.html +26 -26
  13. package/dist/novnc.html +108 -108
  14. package/dist/styles.css +86 -86
  15. package/extraction-worker.js +211 -207
  16. package/headful.js +584 -569
  17. package/html-utils.js +24 -24
  18. package/package.json +82 -82
  19. package/proxy-rotation.js +261 -261
  20. package/proxy-utils.js +84 -84
  21. package/public/favicon.svg +290 -290
  22. package/public/figranium_icon.svg +290 -290
  23. package/public/figranium_logo.svg +60 -60
  24. package/public/novnc.html +108 -108
  25. package/public/styles.css +86 -86
  26. package/scrape.js +389 -389
  27. package/scripts/postinstall.js +21 -21
  28. package/server.js +626 -626
  29. package/src/server/cron-parser.js +325 -316
  30. package/src/server/routes/schedules.js +171 -171
  31. package/src/server/scheduler.js +379 -379
  32. package/url-utils.js +339 -323
  33. package/user-agent-settings.js +76 -76
  34. package/dist/assets/index-C2rVEs3q.css +0 -1
  35. package/dist/assets/index-CvaIUcTv.js +0 -18
package/url-utils.js CHANGED
@@ -1,323 +1,339 @@
1
- const dns = require('dns').promises;
2
- const net = require('net');
3
- const { ALLOW_PRIVATE_NETWORKS } = require('./src/server/constants');
4
-
5
- /**
6
- * Checks if an IP address is private.
7
- *
8
- * Qualifies as a private network/blocked destination:
9
- *
10
- * IPv4 Ranges:
11
- * - 0.0.0.0/8 (Current network)
12
- * - 10.0.0.0/8 (Private-Use Networks - RFC 1918)
13
- * - 100.64.0.0/10 (Shared Address Space - RFC 6598)
14
- * - 127.0.0.0/8 (Loopback)
15
- * - 169.254.0.0/16 (Link-Local)
16
- * - 172.16.0.0/12 (Private-Use Networks - RFC 1918)
17
- * - 192.168.0.0/16 (Private-Use Networks - RFC 1918)
18
- *
19
- * IPv6 Ranges:
20
- * - ::/128 (Unspecified)
21
- * - ::1/128 (Loopback)
22
- * - fc00::/7 (Unique Local Address)
23
- * - fe80::/10 (Link-Local Unicast)
24
- * - IPv4-mapped/compatible addresses pointing to the above IPv4 ranges
25
- *
26
- * Hostnames:
27
- * - localhost
28
- * - *.localhost
29
- * - host.docker.internal
30
- *
31
- * @param {string} ip The IP address to check.
32
- * @returns {boolean} True if the IP is private.
33
- */
34
- function isPrivateIP(ip) {
35
- if (net.isIPv4(ip)) {
36
- const parts = ip.split('.').map(Number);
37
- return (
38
- parts[0] === 0 ||
39
- parts[0] === 10 ||
40
- (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) ||
41
- (parts[0] === 192 && parts[1] === 168) ||
42
- parts[0] === 127 ||
43
- (parts[0] === 169 && parts[1] === 254) ||
44
- (parts[0] === 100 && parts[1] >= 64 && parts[1] <= 127)
45
- );
46
- }
47
- if (net.isIPv6(ip)) {
48
- const lower = ip.toLowerCase();
49
- const parts = lower.split(':');
50
- const last = parts[parts.length - 1];
51
-
52
- // Handle IPv4-mapped IPv6 addresses (::ffff:1.2.3.4 or ::ffff:7f00:1)
53
- const ffffIndex = parts.indexOf('ffff');
54
- if (ffffIndex !== -1) {
55
- const prefixAllZeros = parts.slice(0, ffffIndex).every(p => p === '' || p === '0');
56
- if (prefixAllZeros) {
57
- if (net.isIPv4(last)) {
58
- return isPrivateIP(last);
59
- }
60
- const p1 = parseInt(parts[parts.length - 2], 16);
61
- const p2 = parseInt(parts[parts.length - 1], 16);
62
- if (!isNaN(p1) && !isNaN(p2)) {
63
- return isPrivateIP(`${(p1 >> 8) & 0xff}.${p1 & 0xff}.${(p2 >> 8) & 0xff}.${p2 & 0xff}`);
64
- }
65
- }
66
- }
67
-
68
- // Handle IPv4-compatible IPv6 addresses (::1.2.3.4 or ::7f00:1)
69
- if (ffffIndex === -1) {
70
- const prefixAllZeros = parts.slice(0, -2).every(p => p === '' || p === '0');
71
- if (prefixAllZeros) {
72
- if (net.isIPv4(last)) {
73
- return isPrivateIP(last);
74
- }
75
- const p1 = parseInt(parts[parts.length - 2], 16);
76
- const p2 = parseInt(parts[parts.length - 1], 16);
77
- if (!isNaN(p1) && !isNaN(p2)) {
78
- return isPrivateIP(`${(p1 >> 8) & 0xff}.${p1 & 0xff}.${(p2 >> 8) & 0xff}.${p2 & 0xff}`);
79
- }
80
- }
81
- }
82
-
83
- // ::1 loopback, :: unspecified
84
- if (lower === '::1' || lower === '::' || lower === '0:0:0:0:0:0:0:0' || lower === '0:0:0:0:0:0:0:1') {
85
- return true;
86
- }
87
-
88
- // fe80:: link-local, fc00::/fd00:: unique local
89
- return (
90
- lower.startsWith('fe80:') ||
91
- lower.startsWith('fc') ||
92
- lower.startsWith('fd')
93
- );
94
- }
95
- return false;
96
- }
97
-
98
- const VALID_HOSTNAME_CACHE = new Set();
99
- const INVALID_HOSTNAME_CACHE = new Set();
100
- const CACHE_TTL = 30000; // 30 seconds
101
- let lastCacheClear = Date.now();
102
-
103
- /**
104
- * Validates a URL to prevent SSRF by blocking private IP ranges.
105
- * @param {string} urlStr The URL to validate.
106
- * @returns {string} The validated URL string.
107
- * @throws {Error} If the URL is invalid or points to a private network.
108
- */
109
- async function validateUrl(urlStr) {
110
- if (!urlStr) return '';
111
-
112
- let url;
113
- try {
114
- url = new URL(urlStr);
115
- } catch (e) {
116
- throw new Error('Invalid URL');
117
- }
118
-
119
- if (url.protocol !== 'http:' && url.protocol !== 'https:') {
120
- throw new Error('Only HTTP and HTTPS protocols are allowed');
121
- }
122
-
123
- if (ALLOW_PRIVATE_NETWORKS) return url.href;
124
-
125
- let hostname = url.hostname;
126
- // Strip brackets from IPv6 hostnames
127
- if (hostname.startsWith('[') && hostname.endsWith(']')) {
128
- hostname = hostname.substring(1, hostname.length - 1);
129
- }
130
-
131
- const lowerHost = hostname.toLowerCase();
132
-
133
- // Cache management
134
- if (Date.now() - lastCacheClear > CACHE_TTL) {
135
- VALID_HOSTNAME_CACHE.clear();
136
- INVALID_HOSTNAME_CACHE.clear();
137
- lastCacheClear = Date.now();
138
- }
139
-
140
- if (VALID_HOSTNAME_CACHE.has(lowerHost)) return url.href;
141
- if (INVALID_HOSTNAME_CACHE.has(lowerHost)) {
142
- throw new Error('Access to private network is restricted');
143
- }
144
-
145
- // Direct check for common private hostnames
146
- if (
147
- lowerHost === 'localhost' ||
148
- lowerHost.endsWith('.localhost') ||
149
- lowerHost === 'host.docker.internal'
150
- ) {
151
- INVALID_HOSTNAME_CACHE.add(lowerHost);
152
- throw new Error('Access to private network is restricted');
153
- }
154
-
155
- // Resolve hostname to IP
156
- try {
157
- // If it's already an IP address, check it directly
158
- if (net.isIP(hostname)) {
159
- if (isPrivateIP(hostname)) {
160
- INVALID_HOSTNAME_CACHE.add(lowerHost);
161
- throw new Error('Access to private network is restricted');
162
- }
163
- return url.href;
164
- }
165
-
166
- // dns.lookup follows /etc/hosts and is what's typically used for connecting
167
- const addresses = await dns.lookup(hostname, { all: true });
168
- for (const addr of addresses) {
169
- if (isPrivateIP(addr.address)) {
170
- INVALID_HOSTNAME_CACHE.add(lowerHost);
171
- throw new Error('Access to private network is restricted');
172
- }
173
- }
174
- VALID_HOSTNAME_CACHE.add(lowerHost);
175
- } catch (e) {
176
- if (e.message === 'Access to private network is restricted') {
177
- throw e;
178
- }
179
-
180
- // If we can't resolve it and it's not an IP, we allow it to proceed
181
- // to the browser where it will likely fail normally.
182
- }
183
-
184
- return url.href;
185
- }
186
-
187
- /**
188
- * Perform a fetch with manual redirect following and validation at each hop.
189
- * Ensures sensitive headers (Authorization, Token) are stripped on cross-origin redirects.
190
- * @param {string} urlStr Initial URL.
191
- * @param {object} options Fetch options.
192
- * @param {number} maxRedirects Maximum number of redirects to follow.
193
- */
194
- async function fetchWithRedirectValidation(urlStr, options = {}, maxRedirects = 5) {
195
- let currentUrl;
196
- try {
197
- currentUrl = new URL(urlStr);
198
- } catch (e) {
199
- throw new Error('Invalid URL');
200
- }
201
-
202
- let currentOptions = { ...options };
203
- let redirectCount = 0;
204
-
205
- while (redirectCount <= maxRedirects) {
206
- // validateUrl respects ALLOW_PRIVATE_NETWORKS internally
207
- const validatedHref = await validateUrl(currentUrl.href);
208
-
209
- // Explicitly reconstruct URL from validated href to ensure taint is cleared
210
- const safeUrl = new URL(validatedHref);
211
-
212
- // CodeQL mitigation: strictly verify protocol and pass URL object to fetch
213
- if (safeUrl.protocol !== 'http:' && safeUrl.protocol !== 'https:') {
214
- throw new Error('Only HTTP and HTTPS protocols are allowed');
215
- }
216
-
217
- const response = await fetch(safeUrl, {
218
- ...currentOptions,
219
- redirect: 'manual'
220
- });
221
-
222
- // Handle redirects (301, 302, 303, 307, 308)
223
- if (response.status >= 300 && response.status < 400) {
224
- const location = response.headers.get('location');
225
- if (!location) return response;
226
-
227
- const nextUrl = new URL(location, safeUrl.href);
228
- const isCrossOrigin = nextUrl.origin !== currentUrl.origin;
229
-
230
- // Update options for the next request (shallow copy)
231
- const nextOptions = { ...currentOptions };
232
- if (nextOptions.headers) {
233
- nextOptions.headers = { ...nextOptions.headers };
234
- }
235
-
236
- // Strip sensitive headers on cross-origin redirects
237
- if (isCrossOrigin && nextOptions.headers) {
238
- const sensitiveHeaders = ['authorization', 'x-api-key', 'token', 'cookie', 'proxy-authorization'];
239
- for (const h of Object.keys(nextOptions.headers)) {
240
- if (sensitiveHeaders.includes(h.toLowerCase())) {
241
- delete nextOptions.headers[h];
242
- }
243
- }
244
- }
245
-
246
- // Standards compliance: 301, 302, 303 redirects switch to GET and drop body
247
- if ([301, 302, 303].includes(response.status)) {
248
- nextOptions.method = 'GET';
249
- delete nextOptions.body;
250
- if (nextOptions.headers) {
251
- for (const h of Object.keys(nextOptions.headers)) {
252
- if (['content-type', 'content-length'].includes(h.toLowerCase())) {
253
- delete nextOptions.headers[h];
254
- }
255
- }
256
- }
257
- }
258
-
259
- currentUrl = nextUrl;
260
- currentOptions = nextOptions;
261
- redirectCount++;
262
- continue;
263
- }
264
-
265
- return response;
266
- }
267
-
268
- throw new Error('Too many redirects');
269
- }
270
-
271
- /**
272
- * Sets up navigation protection for a Playwright context.
273
- * Intercepts requests and validates destination URLs.
274
- * @param {object} context Playwright context.
275
- */
276
- async function setupNavigationProtection(context) {
277
- if (ALLOW_PRIVATE_NETWORKS) return;
278
-
279
- await context.route('**/*', async (route) => {
280
- const request = route.request();
281
- // Only validate main frame navigations for performance and to avoid breaking sub-resources
282
- if (request.isNavigationRequest() && request.frame() === request.frame().page().mainFrame()) {
283
- const url = request.url();
284
- const currentUrl = request.frame().url();
285
-
286
- try {
287
- // If it's a same-origin navigation, skip validation for speed
288
- if (currentUrl && currentUrl !== 'about:blank') {
289
- const u1 = new URL(url);
290
- const u2 = new URL(currentUrl);
291
- if (u1.origin === u2.origin) {
292
- return route.continue();
293
- }
294
- }
295
-
296
- await validateUrl(url);
297
- return route.continue();
298
- } catch (err) {
299
- console.error(`[SECURITY] Navigation to ${url} blocked: ${err.message}`);
300
- return route.abort('blockedbyclient');
301
- }
302
- }
303
- return route.continue();
304
- });
305
- }
306
-
307
- /**
308
- * Verifies if a WebSocket origin matches the request host (CSWSH protection).
309
- * @param {string} origin The Origin header value.
310
- * @param {string} host The Host header value.
311
- * @returns {boolean} True if the origin is valid or missing.
312
- */
313
- function isValidWebSocketOrigin(origin, host) {
314
- if (!origin) return true;
315
- try {
316
- const originHost = new URL(origin).host;
317
- return !!(originHost && host && originHost === host);
318
- } catch (e) {
319
- return false;
320
- }
321
- }
322
-
323
- module.exports = { validateUrl, isPrivateIP, isValidWebSocketOrigin, fetchWithRedirectValidation, setupNavigationProtection };
1
+ const dns = require('dns').promises;
2
+ const net = require('net');
3
+ const { ALLOW_PRIVATE_NETWORKS } = require('./src/server/constants');
4
+
5
+ /**
6
+ * Checks if an IP address is private.
7
+ *
8
+ * Qualifies as a private network/blocked destination:
9
+ *
10
+ * IPv4 Ranges:
11
+ * - 0.0.0.0/8 (Current network)
12
+ * - 10.0.0.0/8 (Private-Use Networks - RFC 1918)
13
+ * - 100.64.0.0/10 (Shared Address Space - RFC 6598)
14
+ * - 127.0.0.0/8 (Loopback)
15
+ * - 169.254.0.0/16 (Link-Local)
16
+ * - 172.16.0.0/12 (Private-Use Networks - RFC 1918)
17
+ * - 192.0.0.0/24 (IETF Protocol Assignments)
18
+ * - 192.0.2.0/24 (TEST-NET-1)
19
+ * - 192.168.0.0/16 (Private-Use Networks - RFC 1918)
20
+ * - 198.18.0.0/15 (Benchmarking)
21
+ * - 198.51.100.0/24 (TEST-NET-2)
22
+ * - 203.0.113.0/24 (TEST-NET-3)
23
+ * - 224.0.0.0/4 (Multicast)
24
+ * - 240.0.0.0/4 (Reserved)
25
+ *
26
+ * IPv6 Ranges:
27
+ * - ::/128 (Unspecified)
28
+ * - ::1/128 (Loopback)
29
+ * - fc00::/7 (Unique Local Address)
30
+ * - fe80::/10 (Link-Local Unicast)
31
+ * - ff00::/8 (Multicast)
32
+ * - IPv4-mapped/compatible addresses pointing to the above IPv4 ranges
33
+ *
34
+ * Hostnames:
35
+ * - localhost
36
+ * - *.localhost
37
+ * - host.docker.internal
38
+ *
39
+ * @param {string} ip The IP address to check.
40
+ * @returns {boolean} True if the IP is private.
41
+ */
42
+ function isPrivateIP(ip) {
43
+ if (net.isIPv4(ip)) {
44
+ const parts = ip.split('.').map(Number);
45
+ return (
46
+ parts[0] === 0 ||
47
+ parts[0] === 10 ||
48
+ (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) ||
49
+ (parts[0] === 192 && parts[1] === 168) ||
50
+ parts[0] === 127 ||
51
+ (parts[0] === 169 && parts[1] === 254) ||
52
+ (parts[0] === 100 && parts[1] >= 64 && parts[1] <= 127) ||
53
+ (parts[0] === 192 && parts[1] === 0 && parts[2] === 0) || // 192.0.0.0/24
54
+ (parts[0] === 192 && parts[1] === 0 && parts[2] === 2) || // 192.0.2.0/24
55
+ (parts[0] === 198 && parts[1] >= 18 && parts[1] <= 19) || // 198.18.0.0/15
56
+ (parts[0] === 198 && parts[1] === 51 && parts[2] === 100) || // 198.51.100.0/24
57
+ (parts[0] === 203 && parts[1] === 0 && parts[2] === 113) || // 203.0.113.0/24
58
+ parts[0] >= 224 // 224.0.0.0/4 (Multicast) and 240.0.0.0/4 (Reserved)
59
+ );
60
+ }
61
+ if (net.isIPv6(ip)) {
62
+ const lower = ip.toLowerCase();
63
+ const parts = lower.split(':');
64
+ const last = parts[parts.length - 1];
65
+
66
+ // Handle IPv4-mapped IPv6 addresses (::ffff:1.2.3.4 or ::ffff:7f00:1)
67
+ const ffffIndex = parts.indexOf('ffff');
68
+ if (ffffIndex !== -1) {
69
+ const prefixAllZeros = parts.slice(0, ffffIndex).every(p => p === '' || p === '0');
70
+ if (prefixAllZeros) {
71
+ if (net.isIPv4(last)) {
72
+ return isPrivateIP(last);
73
+ }
74
+ const p1 = parseInt(parts[parts.length - 2], 16);
75
+ const p2 = parseInt(parts[parts.length - 1], 16);
76
+ if (!isNaN(p1) && !isNaN(p2)) {
77
+ return isPrivateIP(`${(p1 >> 8) & 0xff}.${p1 & 0xff}.${(p2 >> 8) & 0xff}.${p2 & 0xff}`);
78
+ }
79
+ }
80
+ }
81
+
82
+ // Handle IPv4-compatible IPv6 addresses (::1.2.3.4 or ::7f00:1)
83
+ if (ffffIndex === -1) {
84
+ const prefixAllZeros = parts.slice(0, -2).every(p => p === '' || p === '0');
85
+ if (prefixAllZeros) {
86
+ if (net.isIPv4(last)) {
87
+ return isPrivateIP(last);
88
+ }
89
+ const p1 = parseInt(parts[parts.length - 2], 16);
90
+ const p2 = parseInt(parts[parts.length - 1], 16);
91
+ if (!isNaN(p1) && !isNaN(p2)) {
92
+ return isPrivateIP(`${(p1 >> 8) & 0xff}.${p1 & 0xff}.${(p2 >> 8) & 0xff}.${p2 & 0xff}`);
93
+ }
94
+ }
95
+ }
96
+
97
+ // Native IPv6 checks (Unspecified, Loopback, Link-Local, Unique Local, Multicast)
98
+ const isUnspecified = parts.every(p => p === '0' || p === '0000' || p === '');
99
+ const isLoopback = parts.slice(0, -1).every(p => p === '0' || p === '0000' || p === '') &&
100
+ (parts[parts.length - 1] === '1' || parts[parts.length - 1] === '0001');
101
+
102
+ if (isUnspecified || isLoopback) return true;
103
+
104
+ const firstHex = parseInt(parts[0], 16);
105
+ if (!isNaN(firstHex)) {
106
+ if (firstHex >= 0xff00) return true; // ff00::/8 Multicast
107
+ if (firstHex >= 0xfe80 && firstHex <= 0xfebf) return true; // fe80::/10 Link-local
108
+ if (firstHex >= 0xfc00 && firstHex <= 0xfdff) return true; // fc00::/7 Unique local
109
+ }
110
+ }
111
+ return false;
112
+ }
113
+
114
+ const VALID_HOSTNAME_CACHE = new Set();
115
+ const INVALID_HOSTNAME_CACHE = new Set();
116
+ const CACHE_TTL = 30000; // 30 seconds
117
+ let lastCacheClear = Date.now();
118
+
119
+ /**
120
+ * Validates a URL to prevent SSRF by blocking private IP ranges.
121
+ * @param {string} urlStr The URL to validate.
122
+ * @returns {string} The validated URL string.
123
+ * @throws {Error} If the URL is invalid or points to a private network.
124
+ */
125
+ async function validateUrl(urlStr) {
126
+ if (!urlStr) return '';
127
+
128
+ let url;
129
+ try {
130
+ url = new URL(urlStr);
131
+ } catch (e) {
132
+ throw new Error('Invalid URL');
133
+ }
134
+
135
+ if (url.protocol !== 'http:' && url.protocol !== 'https:') {
136
+ throw new Error('Only HTTP and HTTPS protocols are allowed');
137
+ }
138
+
139
+ if (ALLOW_PRIVATE_NETWORKS) return url.href;
140
+
141
+ let hostname = url.hostname;
142
+ // Strip brackets from IPv6 hostnames
143
+ if (hostname.startsWith('[') && hostname.endsWith(']')) {
144
+ hostname = hostname.substring(1, hostname.length - 1);
145
+ }
146
+
147
+ const lowerHost = hostname.toLowerCase();
148
+
149
+ // Cache management
150
+ if (Date.now() - lastCacheClear > CACHE_TTL) {
151
+ VALID_HOSTNAME_CACHE.clear();
152
+ INVALID_HOSTNAME_CACHE.clear();
153
+ lastCacheClear = Date.now();
154
+ }
155
+
156
+ if (VALID_HOSTNAME_CACHE.has(lowerHost)) return url.href;
157
+ if (INVALID_HOSTNAME_CACHE.has(lowerHost)) {
158
+ throw new Error('Access to private network is restricted');
159
+ }
160
+
161
+ // Direct check for common private hostnames
162
+ if (
163
+ lowerHost === 'localhost' ||
164
+ lowerHost.endsWith('.localhost') ||
165
+ lowerHost === 'host.docker.internal'
166
+ ) {
167
+ INVALID_HOSTNAME_CACHE.add(lowerHost);
168
+ throw new Error('Access to private network is restricted');
169
+ }
170
+
171
+ // Resolve hostname to IP
172
+ try {
173
+ // If it's already an IP address, check it directly
174
+ if (net.isIP(hostname)) {
175
+ if (isPrivateIP(hostname)) {
176
+ INVALID_HOSTNAME_CACHE.add(lowerHost);
177
+ throw new Error('Access to private network is restricted');
178
+ }
179
+ return url.href;
180
+ }
181
+
182
+ // dns.lookup follows /etc/hosts and is what's typically used for connecting
183
+ const addresses = await dns.lookup(hostname, { all: true });
184
+ for (const addr of addresses) {
185
+ if (isPrivateIP(addr.address)) {
186
+ INVALID_HOSTNAME_CACHE.add(lowerHost);
187
+ throw new Error('Access to private network is restricted');
188
+ }
189
+ }
190
+ VALID_HOSTNAME_CACHE.add(lowerHost);
191
+ } catch (e) {
192
+ if (e.message === 'Access to private network is restricted') {
193
+ throw e;
194
+ }
195
+
196
+ // If we can't resolve it and it's not an IP, we allow it to proceed
197
+ // to the browser where it will likely fail normally.
198
+ }
199
+
200
+ return url.href;
201
+ }
202
+
203
+ /**
204
+ * Perform a fetch with manual redirect following and validation at each hop.
205
+ * Ensures sensitive headers (Authorization, Token) are stripped on cross-origin redirects.
206
+ * @param {string} urlStr Initial URL.
207
+ * @param {object} options Fetch options.
208
+ * @param {number} maxRedirects Maximum number of redirects to follow.
209
+ */
210
+ async function fetchWithRedirectValidation(urlStr, options = {}, maxRedirects = 5) {
211
+ let currentUrl;
212
+ try {
213
+ currentUrl = new URL(urlStr);
214
+ } catch (e) {
215
+ throw new Error('Invalid URL');
216
+ }
217
+
218
+ let currentOptions = { ...options };
219
+ let redirectCount = 0;
220
+
221
+ while (redirectCount <= maxRedirects) {
222
+ // validateUrl respects ALLOW_PRIVATE_NETWORKS internally
223
+ const validatedHref = await validateUrl(currentUrl.href);
224
+
225
+ // Explicitly reconstruct URL from validated href to ensure taint is cleared
226
+ const safeUrl = new URL(validatedHref);
227
+
228
+ // CodeQL mitigation: strictly verify protocol and pass URL object to fetch
229
+ if (safeUrl.protocol !== 'http:' && safeUrl.protocol !== 'https:') {
230
+ throw new Error('Only HTTP and HTTPS protocols are allowed');
231
+ }
232
+
233
+ const response = await fetch(safeUrl, {
234
+ ...currentOptions,
235
+ redirect: 'manual'
236
+ });
237
+
238
+ // Handle redirects (301, 302, 303, 307, 308)
239
+ if (response.status >= 300 && response.status < 400) {
240
+ const location = response.headers.get('location');
241
+ if (!location) return response;
242
+
243
+ const nextUrl = new URL(location, safeUrl.href);
244
+ const isCrossOrigin = nextUrl.origin !== currentUrl.origin;
245
+
246
+ // Update options for the next request (shallow copy)
247
+ const nextOptions = { ...currentOptions };
248
+ if (nextOptions.headers) {
249
+ nextOptions.headers = { ...nextOptions.headers };
250
+ }
251
+
252
+ // Strip sensitive headers on cross-origin redirects
253
+ if (isCrossOrigin && nextOptions.headers) {
254
+ const sensitiveHeaders = ['authorization', 'x-api-key', 'token', 'cookie', 'proxy-authorization'];
255
+ for (const h of Object.keys(nextOptions.headers)) {
256
+ if (sensitiveHeaders.includes(h.toLowerCase())) {
257
+ delete nextOptions.headers[h];
258
+ }
259
+ }
260
+ }
261
+
262
+ // Standards compliance: 301, 302, 303 redirects switch to GET and drop body
263
+ if ([301, 302, 303].includes(response.status)) {
264
+ nextOptions.method = 'GET';
265
+ delete nextOptions.body;
266
+ if (nextOptions.headers) {
267
+ for (const h of Object.keys(nextOptions.headers)) {
268
+ if (['content-type', 'content-length'].includes(h.toLowerCase())) {
269
+ delete nextOptions.headers[h];
270
+ }
271
+ }
272
+ }
273
+ }
274
+
275
+ currentUrl = nextUrl;
276
+ currentOptions = nextOptions;
277
+ redirectCount++;
278
+ continue;
279
+ }
280
+
281
+ return response;
282
+ }
283
+
284
+ throw new Error('Too many redirects');
285
+ }
286
+
287
+ /**
288
+ * Sets up navigation protection for a Playwright context.
289
+ * Intercepts requests and validates destination URLs.
290
+ * @param {object} context Playwright context.
291
+ */
292
+ async function setupNavigationProtection(context) {
293
+ if (ALLOW_PRIVATE_NETWORKS) return;
294
+
295
+ await context.route('**/*', async (route) => {
296
+ const request = route.request();
297
+ // Only validate main frame navigations for performance and to avoid breaking sub-resources
298
+ if (request.isNavigationRequest() && request.frame() === request.frame().page().mainFrame()) {
299
+ const url = request.url();
300
+ const currentUrl = request.frame().url();
301
+
302
+ try {
303
+ // If it's a same-origin navigation, skip validation for speed
304
+ if (currentUrl && currentUrl !== 'about:blank') {
305
+ const u1 = new URL(url);
306
+ const u2 = new URL(currentUrl);
307
+ if (u1.origin === u2.origin) {
308
+ return route.continue();
309
+ }
310
+ }
311
+
312
+ await validateUrl(url);
313
+ return route.continue();
314
+ } catch (err) {
315
+ console.error(`[SECURITY] Navigation to ${url} blocked: ${err.message}`);
316
+ return route.abort('blockedbyclient');
317
+ }
318
+ }
319
+ return route.continue();
320
+ });
321
+ }
322
+
323
+ /**
324
+ * Verifies if a WebSocket origin matches the request host (CSWSH protection).
325
+ * @param {string} origin The Origin header value.
326
+ * @param {string} host The Host header value.
327
+ * @returns {boolean} True if the origin is valid or missing.
328
+ */
329
+ function isValidWebSocketOrigin(origin, host) {
330
+ if (!origin) return true;
331
+ try {
332
+ const originHost = new URL(origin).host;
333
+ return !!(originHost && host && originHost === host);
334
+ } catch (e) {
335
+ return false;
336
+ }
337
+ }
338
+
339
+ module.exports = { validateUrl, isPrivateIP, isValidWebSocketOrigin, fetchWithRedirectValidation, setupNavigationProtection };