gitnexus 1.6.4-rc.49 → 1.6.4-rc.50
- package/dist/server/git-clone.js +30 -0
- package/package.json +1 -1
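--- a/package/dist/server/git-clone.js
+++ b/package/dist/server/git-clone.js
@@ -116,6 +116,36 @@ function assertNotPrivateIPv6(ip) {
 if (lower.includes(':ffff:')) {
 throw new Error('Cloning from private/internal addresses is not allowed');
 }
+// IPv4-compatible IPv6 (RFC 4291 § 2.5.5.1, deprecated form: ::w.x.y.z).
+// Node's URL parser collapses http://[::127.0.0.1]/ to "::7f00:1" — the IPv4
+// is hidden in the last 32 bits without the ::ffff: marker, so the check
+// above misses it. The form is still routable to the embedded IPv4 on most
+// network stacks, so any address compressed to ::xxxx[:yyyy] must be blocked.
+if (/^::[0-9a-f]{1,4}(:[0-9a-f]{1,4})?$/.test(lower)) {
+throw new Error('Cloning from private/internal addresses is not allowed');
+}
+// NAT64 well-known prefix (RFC 6052 § 2.1: 64:ff9b::/96, plus the local
+// 64:ff9b:1::/48 from RFC 8215). Maps any IPv4 address — including private
+// ranges — into IPv6, so a host with NAT64 can reach the embedded IPv4 via
+// e.g. 64:ff9b::7f00:1 → 127.0.0.1.
+// The check intentionally covers the full 64:ff9b::/32 block (broader than
+// the two cited ranges): IANA reserves it for IPv4-IPv6 translation, so
+// blocking the whole prefix is defensively sound and prevents a narrower
+// CIDR check from quietly re-opening the bypass for 64:ff9b:1::/48 or any
+// future translation assignment.
+if (lower.startsWith('64:ff9b:')) {
+throw new Error('Cloning from private/internal addresses is not allowed');
+}
+// 6to4 (RFC 3056, 2002::/16). Encodes an IPv4 address in bits 17-48, so
+// 2002:7f00:0001::1 routes to 127.0.0.1 on 6to4-capable stacks. The
+// protocol was deprecated by RFC 7526 and the public relay anycast
+// (192.88.99.1) has been retired, so broad-blocking the prefix has near-
+// zero false-positive cost while closing the IPv4-embedded bypass.
+// Teredo (2001::/32) embeds IPv4 obfuscated by XOR; precise blocking is
+// impractical and is out of scope here.
+if (lower.startsWith('2002:')) {
+throw new Error('Cloning from private/internal addresses is not allowed');
+}
 }
 function assertNotPrivateIPv4(ip) {
 const parts = ip.split('.').map(Number);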
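Review bot: The IPv4-compatible check `/^::[0-9a-f]{1,4}(:[0-9a-f]{1,4})?$/` only recognises the hex-compressed spelling the URL parser emits; if assertNotPrivateIPv6 is ever handed an address serialised by inet_ntop (for example a dns.lookup result), the same address arrives in the dotted form `::127.0.0.1`, which neither this regex nor the `:ffff:` check above matches. Accepting both spellings is a one-line change: `if (/^::(?:[0-9a-f]{1,4}(?::[0-9a-f]{1,4})?|\d{1,3}(?:\.\d{1,3}){3})$/.test(lower)) {`. The regex also requires at least one hextet, so the unspecified address `::` — which common network stacks treat as loopback on connect — is not rejected by this block; it is worth confirming it is handled earlier in the function, whose start lies outside this hunk. The three identical throw lines could also share one module-level message constant so the wording cannot drift between checks.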
package/package.json
CHANGED