mocktp 0.0.1-security → 3.15.3

package/dist/rules/passthrough-handling.d.ts

@@ -0,0 +1,33 @@
+import * as _ from 'lodash';
+import * as tls from 'tls';
+import { Headers } from '../types';
+import { DnsLookupFunction } from '../util/dns';
+import { CallbackRequestResult, CallbackResponseMessageResult } from './requests/request-handler-definitions';
+import { CADefinition, PassThroughLookupOptions } from './passthrough-handling-definitions';
+export declare const getUpstreamTlsOptions: (strictChecks: boolean) => tls.SecureContextOptions;
+export declare function getTrustedCAs(trustedCAs: Array<string | CADefinition> | undefined, additionalTrustedCAs: Array<CADefinition> | undefined): Promise<Array<string> | undefined>;
+/**
+ * Takes a callback result and some headers, and returns a ready to send body, using the headers
+ * (and potentially modifying them) to match the content type & encoding.
+ */
+export declare function buildOverriddenBody(callbackResult: CallbackRequestResult | CallbackResponseMessageResult | void, headers: Headers): Promise<Uint8Array | Buffer | undefined>;
+/**
+ * Autocorrect the host header only in the case that if you didn't explicitly
+ * override it yourself for some reason (e.g. if you're testing bad behaviour).
+ */
+export declare function getHostAfterModification(reqUrl: string, originalHeaders: Headers, replacementHeaders: Headers | undefined): string;
+export declare const OVERRIDABLE_REQUEST_PSEUDOHEADERS: readonly [":authority", ":scheme"];
+/**
+ * Automatically update the :scheme and :authority headers to match the updated URL,
+ * as long as they weren't explicitly overriden themselves, in which case let them
+ * be set to any invalid value you like (e.g. to send a request to one server but
+ * pretend it was sent to another).
+ */
+export declare function getH2HeadersAfterModification(reqUrl: string, originalHeaders: Headers, replacementHeaders: Headers | undefined): {
+    [K in typeof OVERRIDABLE_REQUEST_PSEUDOHEADERS[number]]: string;
+};
+export declare function getContentLengthAfterModification(body: string | Uint8Array | Buffer, originalHeaders: Headers, replacementHeaders: Headers | undefined, mismatchAllowed?: boolean): string | undefined;
+export declare function shouldUseStrictHttps(hostname: string, port: number, ignoreHostHttpsErrors: string[] | boolean): boolean;
+export declare const getDnsLookupFunction: ((lookupOptions: PassThroughLookupOptions | undefined) => DnsLookupFunction) & _.MemoizedFunction;
+export declare function getClientRelativeHostname(hostname: string | null, remoteIp: string | undefined, lookupFn: DnsLookupFunction): Promise<string | null>;
+//# sourceMappingURL=passthrough-handling.d.ts.map

package/dist/rules/passthrough-handling.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"passthrough-handling.d.ts","sourceRoot":"","sources":["../../src/rules/passthrough-handling.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,QAAQ,CAAC;AAE5B,OAAO,KAAK,GAAG,MAAM,KAAK,CAAC;AAK3B,OAAO,EAAiB,OAAO,EAAE,MAAM,UAAU,CAAC;AAIlD,OAAO,EAAwB,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAItE,OAAO,EACH,qBAAqB,EACrB,6BAA6B,EAChC,MAAM,wCAAwC,CAAC;AAChD,OAAO,EACH,YAAY,EACZ,wBAAwB,EAC3B,MAAM,oCAAoC,CAAC;AAY5C,eAAO,MAAM,qBAAqB,iBAAkB,OAAO,KAAG,GAAG,CAAC,oBAiEhE,CAAC;AAEH,wBAAsB,aAAa,CAC/B,UAAU,EAAE,KAAK,CAAC,MAAM,GAAG,YAAY,CAAC,GAAG,SAAS,EACpD,oBAAoB,EAAE,KAAK,CAAC,YAAY,CAAC,GAAG,SAAS,GACtD,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC,CAapC;AAcD;;;GAGG;AACH,wBAAsB,mBAAmB,CACrC,cAAc,EAAE,qBAAqB,GAAG,6BAA6B,GAAG,IAAI,EAC5E,OAAO,EAAE,OAAO,4CA+BnB;AAsCD;;;GAGG;AACH,wBAAgB,wBAAwB,CACpC,MAAM,EAAE,MAAM,EACd,eAAe,EAAE,OAAO,EACxB,kBAAkB,EAAE,OAAO,GAAG,SAAS,GACxC,MAAM,CAOR;AAED,eAAO,MAAM,iCAAiC,oCAGpC,CAAC;AAEX;;;;;GAKG;AACH,wBAAgB,6BAA6B,CACzC,MAAM,EAAE,MAAM,EACd,eAAe,EAAE,OAAO,EACxB,kBAAkB,EAAE,OAAO,GAAG,SAAS,GACxC;KAAG,CAAC,IAAI,OAAO,iCAAiC,CAAC,MAAM,CAAC,GAAG,MAAM;CAAE,CAiBrE;AAGD,wBAAgB,iCAAiC,CAC7C,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,MAAM,EAClC,eAAe,EAAE,OAAO,EACxB,kBAAkB,EAAE,OAAO,GAAG,SAAS,EACvC,eAAe,GAAE,OAAe,GACjC,MAAM,GAAG,SAAS,CAsCpB;AAID,wBAAgB,oBAAoB,CAChC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,qBAAqB,EAAE,MAAM,EAAE,GAAG,OAAO,WAe5C;AAED,eAAO,MAAM,oBAAoB,mBAA6B,wBAAwB,GAAG,SAAS,4CAoBhG,CAAC;AAEH,wBAAsB,yBAAyB,CAC3C,QAAQ,EAAE,MAAM,GAAG,IAAI,EACvB,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,QAAQ,EAAE,iBAAiB,0BAyB9B"}

package/dist/rules/passthrough-handling.js

@@ -0,0 +1,294 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getDnsLookupFunction = exports.OVERRIDABLE_REQUEST_PSEUDOHEADERS = exports.getUpstreamTlsOptions = void 0;
+exports.getTrustedCAs = getTrustedCAs;
+exports.buildOverriddenBody = buildOverriddenBody;
+exports.getHostAfterModification = getHostAfterModification;
+exports.getH2HeadersAfterModification = getH2HeadersAfterModification;
+exports.getContentLengthAfterModification = getContentLengthAfterModification;
+exports.shouldUseStrictHttps = shouldUseStrictHttps;
+exports.getClientRelativeHostname = getClientRelativeHostname;
+const _ = require("lodash");
+const fs = require("fs/promises");
+const tls = require("tls");
+const url = require("url");
+const common_tags_1 = require("common-tags");
+const cacheable_lookup_1 = require("cacheable-lookup");
+const util_1 = require("../util/util");
+const buffer_utils_1 = require("../util/buffer-utils");
+const socket_util_1 = require("../util/socket-util");
+const dns_1 = require("../util/dns");
+const request_utils_1 = require("../util/request-utils");
+const openssl_compat_1 = require("../util/openssl-compat");
+// TLS settings for proxied connections, intended to avoid TLS fingerprint blocking
+// issues so far as possible, by closely emulating a Firefox Client Hello:
+const NEW_CURVES_SUPPORTED = (0, openssl_compat_1.areFFDHECurvesSupported)(process.versions.openssl);
+const SSL_OP_LEGACY_SERVER_CONNECT = 1 << 2;
+const SSL_OP_TLSEXT_PADDING = 1 << 4;
+const SSL_OP_NO_ENCRYPT_THEN_MAC = 1 << 19;
+// All settings are designed to exactly match Firefox v103, since that's a good baseline
+// that seems to be widely accepted and is easy to emulate from Node.js.
+const getUpstreamTlsOptions = (strictChecks) => ({
+    ecdhCurve: [
+        'X25519',
+        'prime256v1', // N.B. Equivalent to secp256r1
+        'secp384r1',
+        'secp521r1',
+        ...(NEW_CURVES_SUPPORTED
+            ? [
+                'ffdhe2048',
+                'ffdhe3072'
+            ] : [])
+    ].join(':'),
+    sigalgs: [
+        'ecdsa_secp256r1_sha256',
+        'ecdsa_secp384r1_sha384',
+        'ecdsa_secp521r1_sha512',
+        'rsa_pss_rsae_sha256',
+        'rsa_pss_rsae_sha384',
+        'rsa_pss_rsae_sha512',
+        'rsa_pkcs1_sha256',
+        'rsa_pkcs1_sha384',
+        'rsa_pkcs1_sha512',
+        'ECDSA+SHA1',
+        'rsa_pkcs1_sha1'
+    ].join(':'),
+    ciphers: [
+        'TLS_AES_128_GCM_SHA256',
+        'TLS_CHACHA20_POLY1305_SHA256',
+        'TLS_AES_256_GCM_SHA384',
+        'ECDHE-ECDSA-AES128-GCM-SHA256',
+        'ECDHE-RSA-AES128-GCM-SHA256',
+        'ECDHE-ECDSA-CHACHA20-POLY1305',
+        'ECDHE-RSA-CHACHA20-POLY1305',
+        'ECDHE-ECDSA-AES256-GCM-SHA384',
+        'ECDHE-RSA-AES256-GCM-SHA384',
+        'ECDHE-ECDSA-AES256-SHA',
+        'ECDHE-ECDSA-AES128-SHA',
+        'ECDHE-RSA-AES128-SHA',
+        'ECDHE-RSA-AES256-SHA',
+        'AES128-GCM-SHA256',
+        'AES256-GCM-SHA384',
+        'AES128-SHA',
+        'AES256-SHA',
+        // This magic cipher is the very obtuse way that OpenSSL downgrades the overall
+        // security level to allow various legacy settings, protocols & ciphers:
+        ...(!strictChecks
+            ? ['@SECLEVEL=0']
+            : [])
+    ].join(':'),
+    secureOptions: strictChecks
+        ? SSL_OP_TLSEXT_PADDING | SSL_OP_NO_ENCRYPT_THEN_MAC
+        : SSL_OP_TLSEXT_PADDING | SSL_OP_NO_ENCRYPT_THEN_MAC | SSL_OP_LEGACY_SERVER_CONNECT,
+    ...{
+        // Valid, but not included in Node.js TLS module types:
+        requestOSCP: true
+    },
+    // Allow TLSv1, if !strict:
+    minVersion: strictChecks ? tls.DEFAULT_MIN_VERSION : 'TLSv1',
+    // Skip certificate validation entirely, if not strict:
+    rejectUnauthorized: strictChecks,
+});
+exports.getUpstreamTlsOptions = getUpstreamTlsOptions;
+async function getTrustedCAs(trustedCAs, additionalTrustedCAs) {
+    if (trustedCAs && additionalTrustedCAs?.length) {
+        throw new Error(`trustedCAs and additionalTrustedCAs options are mutually exclusive`);
+    }
+    if (trustedCAs) {
+        return Promise.all(trustedCAs.map((caDefinition) => getCA(caDefinition)));
+    }
+    if (additionalTrustedCAs) {
+        const CAs = await Promise.all(additionalTrustedCAs.map((caDefinition) => getCA(caDefinition)));
+        return tls.rootCertificates.concat(CAs);
+    }
+}
+const getCA = async (caDefinition) => {
+    return typeof caDefinition === 'string'
+        ? caDefinition
+        : 'certPath' in caDefinition
+            ? await fs.readFile(caDefinition.certPath, 'utf8')
+            // 'cert' in caDefinition
+            : caDefinition.cert.toString('utf8');
+};
+// --- Various helpers for deriving parts of request/response data given partial overrides: ---
+/**
+ * Takes a callback result and some headers, and returns a ready to send body, using the headers
+ * (and potentially modifying them) to match the content type & encoding.
+ */
+async function buildOverriddenBody(callbackResult, headers) {
+    // Raw bodies are easy: use them as is.
+    if (callbackResult?.rawBody)
+        return callbackResult?.rawBody;
+    // In the json/body case, we need to get the body and transform it into a buffer
+    // for consistent handling later, and encode it to match the headers.
+    let replacementBody;
+    if (callbackResult?.json) {
+        headers['content-type'] = 'application/json';
+        replacementBody = JSON.stringify(callbackResult?.json);
+    }
+    else {
+        replacementBody = callbackResult?.body;
+    }
+    if (replacementBody === undefined)
+        return replacementBody;
+    let rawBuffer;
+    if ((0, request_utils_1.isMockttpBody)(replacementBody)) {
+        // It's our own bodyReader instance. That's not supposed to happen, but
+        // it's ok, we just need to use the buffer data instead of the whole object
+        rawBuffer = Buffer.from(replacementBody.buffer);
+    }
+    else if (replacementBody === '') {
+        // For empty bodies, it's slightly more convenient if they're truthy
+        rawBuffer = Buffer.alloc(0);
+    }
+    else {
+        rawBuffer = (0, buffer_utils_1.asBuffer)(replacementBody);
+    }
+    return await (0, request_utils_1.encodeBodyBuffer)(rawBuffer, headers);
+}
+/**
+ * If you override some headers, they have implications for the effective URL we send the
+ * request to. If you override that and the URL at the same time, it gets complicated.
+ *
+ * This method calculates the correct header value we should use: prioritising the header
+ * value you provide, printing a warning if it's contradictory, or return the URL-inferred
+ * value to override the header correctly if you didn't specify.
+ */
+function deriveUrlLinkedHeader(originalHeaders, replacementHeaders, headerName, expectedValue // The inferred 'correct' value from the URL
+) {
+    const replacementValue = replacementHeaders?.[headerName];
+    if (replacementValue !== undefined) {
+        if (replacementValue !== expectedValue && replacementValue === originalHeaders[headerName]) {
+            // If you rewrite the URL-based header wrongly, by explicitly setting it to the
+            // existing value, we accept it but print a warning. This would be easy to
+            // do if you mutate the existing headers, for example, and ignore the host.
+            console.warn((0, common_tags_1.oneLine) `
+                Passthrough callback overrode the URL and the ${headerName} header
+                with mismatched values, which may be a mistake. The URL implies
+                ${expectedValue}, whilst the header was set to ${replacementValue}.
+            `);
+        }
+        // Whatever happens, if you explicitly set a value, we use it.
+        return replacementValue;
+    }
+    // If you didn't override the header at all, then we automatically ensure
+    // the correct value is set automatically.
+    return expectedValue;
+}
+/**
+ * Autocorrect the host header only in the case that if you didn't explicitly
+ * override it yourself for some reason (e.g. if you're testing bad behaviour).
+ */
+function getHostAfterModification(reqUrl, originalHeaders, replacementHeaders) {
+    return deriveUrlLinkedHeader(originalHeaders, replacementHeaders, 'host', url.parse(reqUrl).host);
+}
+exports.OVERRIDABLE_REQUEST_PSEUDOHEADERS = [
+    ':authority',
+    ':scheme'
+];
+/**
+ * Automatically update the :scheme and :authority headers to match the updated URL,
+ * as long as they weren't explicitly overriden themselves, in which case let them
+ * be set to any invalid value you like (e.g. to send a request to one server but
+ * pretend it was sent to another).
+ */
+function getH2HeadersAfterModification(reqUrl, originalHeaders, replacementHeaders) {
+    const parsedUrl = url.parse(reqUrl);
+    return {
+        ':scheme': deriveUrlLinkedHeader(originalHeaders, replacementHeaders, ':scheme', parsedUrl.protocol.slice(0, -1)),
+        ':authority': deriveUrlLinkedHeader(originalHeaders, replacementHeaders, ':authority', parsedUrl.host)
+    };
+}
+// Helper to handle content-length nicely for you when rewriting requests with callbacks
+function getContentLengthAfterModification(body, originalHeaders, replacementHeaders, mismatchAllowed = false) {
+    // If there was a content-length header, it might now be wrong, and it's annoying
+    // to need to set your own content-length override when you just want to change
+    // the body. To help out, if you override the body but don't explicitly override
+    // the (now invalid) content-length, then we fix it for you.
+    if (!_.has(originalHeaders, 'content-length')) {
+        // Nothing to override - use the replacement value, or undefined
+        return (replacementHeaders || {})['content-length'];
+    }
+    if (!replacementHeaders) {
+        // There was a length set, and you've provided a body but not changed it.
+        // You probably just want to send this body and have it work correctly,
+        // so we should fix the content length for you automatically.
+        return (0, util_1.byteLength)(body).toString();
+    }
+    // There was a content length before, and you're replacing the headers entirely
+    const lengthOverride = replacementHeaders['content-length']?.toString();
+    // If you're setting the content-length to the same as the origin headers, even
+    // though that's the wrong value, it *might* be that you're just extending the
+    // existing headers, and you're doing this by accident (we can't tell for sure).
+    // We use invalid content-length as instructed, but print a warning just in case.
+    if (lengthOverride === originalHeaders['content-length'] &&
+        lengthOverride !== (0, util_1.byteLength)(body).toString() &&
+        !mismatchAllowed // Set for HEAD responses
+    ) {
+        console.warn((0, common_tags_1.oneLine) `
+            Passthrough modifications overrode the body and the content-length header
+            with mismatched values, which may be a mistake. The body contains
+            ${(0, util_1.byteLength)(body)} bytes, whilst the header was set to ${lengthOverride}.
+        `);
+    }
+    return lengthOverride;
+}
+// Function to check if we should skip https errors for the current hostname and port,
+// based on the given config
+function shouldUseStrictHttps(hostname, port, ignoreHostHttpsErrors) {
+    let skipHttpsErrors = false;
+    if (ignoreHostHttpsErrors === true) {
+        // Ignore cert errors if `ignoreHostHttpsErrors` is set to true, or
+        skipHttpsErrors = true;
+    }
+    else if (Array.isArray(ignoreHostHttpsErrors) && (
+    // if the whole hostname or host+port is whitelisted
+    _.includes(ignoreHostHttpsErrors, hostname) ||
+        _.includes(ignoreHostHttpsErrors, `${hostname}:${port}`))) {
+        skipHttpsErrors = true;
+    }
+    return !skipHttpsErrors;
+}
+exports.getDnsLookupFunction = _.memoize((lookupOptions) => {
+    if (!lookupOptions) {
+        // By default, use 10s caching of hostnames, just to reduce the delay from
+        // endlessly 10ms query delay for 'localhost' with every request.
+        return new dns_1.CachedDns(10000).lookup;
+    }
+    else {
+        // Or if options are provided, use those to configure advanced DNS cases:
+        const cacheableLookup = new cacheable_lookup_1.default({
+            maxTtl: lookupOptions.maxTtl,
+            errorTtl: lookupOptions.errorTtl,
+            // As little caching of "use the fallback server" as possible:
+            fallbackDuration: 0
+        });
+        if (lookupOptions.servers) {
+            cacheableLookup.servers = lookupOptions.servers;
+        }
+        return cacheableLookup.lookup;
+    }
+});
+async function getClientRelativeHostname(hostname, remoteIp, lookupFn) {
+    if (!hostname || !remoteIp || (0, socket_util_1.isLocalhostAddress)(remoteIp))
+        return hostname;
+    // Otherwise, we have a request from a different machine (or Docker container/VM/etc) and we need
+    // to make sure that 'localhost' means _that_ machine, not ourselves.
+    // This check must be run before req modifications. If a modification changes the address to localhost,
+    // then presumably it really does mean *this* localhost.
+    if (
+    // If the hostname is a known localhost address, we're done:
+    (0, socket_util_1.isLocalhostAddress)(hostname) ||
+        // Otherwise, we look up the IP, so we can accurately check for localhost-bound requests. This adds a little
+        // delay, but since it's cached we save the equivalent delay in request lookup later, so it should be
+        // effectively free. We ignore errors to delegate unresolvable etc to request processing later.
+        (0, socket_util_1.isLocalhostAddress)(await (0, dns_1.dnsLookup)(lookupFn, hostname).catch(() => null))) {
+        return remoteIp;
+        // Note that we just redirect - we don't update the host header. From the POV of the target, it's still
+        // 'localhost' traffic that should appear identical to normal.
+    }
+    else {
+        return hostname;
+    }
+}
+//# sourceMappingURL=passthrough-handling.js.map

package/dist/rules/passthrough-handling.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"passthrough-handling.js","sourceRoot":"","sources":["../../src/rules/passthrough-handling.ts"],"names":[],"mappings":";;;AAqGA,sCAgBC;AAkBD,kDAiCC;AA0CD,4DAWC;AAaD,sEAqBC;AAGD,8EA2CC;AAID,oDAkBC;AAwBD,8DA4BC;AAvXD,4BAA4B;AAC5B,kCAAkC;AAClC,2BAA2B;AAC3B,2BAA4B;AAC5B,6CAAsC;AACtC,uDAA+C;AAG/C,uCAA0C;AAC1C,uDAAgD;AAChD,qDAAyD;AACzD,qCAAsE;AACtE,yDAAwE;AACxE,2DAAiE;AAWjE,mFAAmF;AACnF,0EAA0E;AAC1E,MAAM,oBAAoB,GAAG,IAAA,wCAAuB,EAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AAE/E,MAAM,4BAA4B,GAAG,CAAC,IAAI,CAAC,CAAC;AAC5C,MAAM,qBAAqB,GAAG,CAAC,IAAI,CAAC,CAAC;AACrC,MAAM,0BAA0B,GAAG,CAAC,IAAI,EAAE,CAAC;AAE3C,wFAAwF;AACxF,wEAAwE;AACjE,MAAM,qBAAqB,GAAG,CAAC,YAAqB,EAA4B,EAAE,CAAC,CAAC;IACvF,SAAS,EAAE;QACP,QAAQ;QACR,YAAY,EAAE,+BAA+B;QAC7C,WAAW;QACX,WAAW;QACX,GAAG,CAAC,oBAAoB;YACpB,CAAC,CAAC;gBACE,WAAW;gBACX,WAAW;aACd,CAAC,CAAC,CAAC,EAAE,CACT;KACJ,CAAC,IAAI,CAAC,GAAG,CAAC;IACX,OAAO,EAAE;QACL,wBAAwB;QACxB,wBAAwB;QACxB,wBAAwB;QACxB,qBAAqB;QACrB,qBAAqB;QACrB,qBAAqB;QACrB,kBAAkB;QAClB,kBAAkB;QAClB,kBAAkB;QAClB,YAAY;QACZ,gBAAgB;KACnB,CAAC,IAAI,CAAC,GAAG,CAAC;IACX,OAAO,EAAE;QACL,wBAAwB;QACxB,8BAA8B;QAC9B,wBAAwB;QACxB,+BAA+B;QAC/B,6BAA6B;QAC7B,+BAA+B;QAC/B,6BAA6B;QAC7B,+BAA+B;QAC/B,6BAA6B;QAC7B,wBAAwB;QACxB,wBAAwB;QACxB,sBAAsB;QACtB,sBAAsB;QACtB,mBAAmB;QACnB,mBAAmB;QACnB,YAAY;QACZ,YAAY;QAEZ,+EAA+E;QAC/E,wEAAwE;QACxE,GAAG,CAAC,CAAC,YAAY;YACb,CAAC,CAAC,CAAC,aAAa,CAAC;YACjB,CAAC,CAAC,EAAE,CACP;KACJ,CAAC,IAAI,CAAC,GAAG,CAAC;IACX,aAAa,EAAE,YAAY;QACvB,CAAC,CAAC,qBAAqB,GAAG,0BAA0B;QACpD,CAAC,CAAC,qBAAqB,GAAG,0BAA0B,GAAG,4BAA4B;IACvF,GAAI;QACA,uDAAuD;QACvD,WAAW,EAAE,IAAI;KACZ;IAET,2BAA2B;IAC3B,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,OAAO;IAE5D,uDAAuD;IACvD,kBAAkB,EAAE,YAAY;CACnC,CAAC,CAAC;AAjEU,QAAA,qBAAqB,yBAiE/B;AAEI,KAAK,UAAU,aAAa,CAC/B,UAAoD,EACpD,oBAAqD;IAErD,IAAI,UAAU,IAAI,oBAAoB,EAAE,MAAM,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACb,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,YAAY,EAAE,EAAE,CAAE,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC/E,CAAC;IAED,IAAI,oBAAoB,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,YAAY,EAAE,EAAE,CAAE,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAChG,OAAO,GAAG,CAAC,gBAAgB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5C,CAAC;AACL,CAAC;AAED,MAAM,KAAK,GAAG,KAAK,EAAE,YAAmC,EAAE,EAAE;IACxD,OAAO,OAAO,YAAY,KAAK,QAAQ;QACnC,CAAC,CAAC,YAAY;QAClB,CAAC,CAAC,UAAU,IAAI,YAAY;YACxB,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC;YACtD,yBAAyB;YACrB,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;AAC5C,CAAC,CAAA;AAGD,+FAA+F;AAE/F;;;GAGG;AACI,KAAK,UAAU,mBAAmB,CACrC,cAA4E,EAC5E,OAAgB;IAEhB,uCAAuC;IACvC,IAAI,cAAc,EAAE,OAAO;QAAE,OAAO,cAAc,EAAE,OAAQ,CAAC;IAE7D,gFAAgF;IAChF,qEAAqE;IAErE,IAAI,eAAyE,CAAC;IAC9E,IAAI,cAAc,EAAE,IAAI,EAAE,CAAC;QACvB,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;QAC7C,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;IAC3D,CAAC;SAAM,CAAC;QACJ,eAAe,GAAG,cAAc,EAAE,IAAI,CAAC;IAC3C,CAAC;IAED,IAAI,eAAe,KAAK,SAAS;QAAE,OAAO,eAAe,CAAC;IAE1D,IAAI,SAAiB,CAAC;IACtB,IAAI,IAAA,6BAAa,EAAC,eAAe,CAAC,EAAE,CAAC;QACjC,uEAAuE;QACvE,2EAA2E;QAC3E,SAAS,GAAG,MAAM,CAAC,IAAI,CAAE,eAAiC,CAAC,MAAM,CAAC,CAAC;IACvE,CAAC;SAAM,IAAI,eAAe,KAAK,EAAE,EAAE,CAAC;QAChC,oEAAoE;QACpE,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAChC,CAAC;SAAM,CAAC;QACJ,SAAS,GAAG,IAAA,uBAAQ,EAAC,eAAe,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,MAAM,IAAA,gCAAgB,EAAC,SAAS,EAAE,OAAO,CAAC,CAAC;AACtD,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,qBAAqB,CAC1B,eAAwB,EACxB,kBAAuC,EACvC,UAA6C,EAC7C,aAAqB,CAAC,4CAA4C;;IAElE,MAAM,gBAAgB,GAAG,kBAAkB,EAAE,CAAC,UAAU,CAAC,CAAC;IAE1D,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACjC,IAAI,gBAAgB,KAAK,aAAa,IAAI,gBAAgB,KAAK,eAAe,CAAC,UAAU,CAAC,EAAE,CAAC;YACzF,+EAA+E;YAC/E,0EAA0E;YAC1E,2EAA2E;YAC3E,OAAO,CAAC,IAAI,CAAC,IAAA,qBAAO,EAAA;gEACgC,UAAU;;kBAExD,aAAa,kCAAkC,gBAAgB;aACpE,CAAC,CAAC;QACP,CAAC;QACD,8DAA8D;QAC9D,OAAO,gBAAgB,CAAC;IAC5B,CAAC;IAED,yEAAyE;IACzE,0CAA0C;IAC1C,OAAO,aAAa,CAAC;AACzB,CAAC;AAED;;;GAGG;AACH,SAAgB,wBAAwB,CACpC,MAAc,EACd,eAAwB,EACxB,kBAAuC;IAEvC,OAAO,qBAAqB,CACxB,eAAe,EACf,kBAAkB,EAClB,MAAM,EACN,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAK,CAC1B,CAAC;AACN,CAAC;AAEY,QAAA,iCAAiC,GAAG;IAC7C,YAAY;IACZ,SAAS;CACH,CAAC;AAEX;;;;;GAKG;AACH,SAAgB,6BAA6B,CACzC,MAAc,EACd,eAAwB,EACxB,kBAAuC;IAEvC,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAEpC,OAAO;QACH,SAAS,EAAE,qBAAqB,CAC5B,eAAe,EACf,kBAAkB,EAClB,SAAS,EACT,SAAS,CAAC,QAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CACnC;QACD,YAAY,EAAE,qBAAqB,CAC/B,eAAe,EACf,kBAAkB,EAClB,YAAY,EACZ,SAAS,CAAC,IAAK,CAClB;KACJ,CAAC;AACN,CAAC;AAED,wFAAwF;AACxF,SAAgB,iCAAiC,CAC7C,IAAkC,EAClC,eAAwB,EACxB,kBAAuC,EACvC,kBAA2B,KAAK;IAEhC,iFAAiF;IACjF,+EAA+E;IAC/E,gFAAgF;IAChF,4DAA4D;IAE5D,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,eAAe,EAAE,gBAAgB,CAAC,EAAE,CAAC;QAC5C,gEAAgE;QAChE,OAAO,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAC,gBAAgB,CAAC,CAAC;IACxD,CAAC;IAED,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACtB,yEAAyE;QACzE,uEAAuE;QACvE,6DAA6D;QAC7D,OAAO,IAAA,iBAAU,EAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;IACvC,CAAC;IAED,+EAA+E;IAC/E,MAAM,cAAc,GAAG,kBAAkB,CAAC,gBAAgB,CAAC,EAAE,QAAQ,EAAE,CAAC;IAExE,+EAA+E;IAC/E,8EAA8E;IAC9E,gFAAgF;IAChF,iFAAiF;IACjF,IACI,cAAc,KAAK,eAAe,CAAC,gBAAgB,CAAC;QACpD,cAAc,KAAK,IAAA,iBAAU,EAAC,IAAI,CAAC,CAAC,QAAQ,EAAE;QAC9C,CAAC,eAAe,CAAC,yBAAyB;MAC5C,CAAC;QACC,OAAO,CAAC,IAAI,CAAC,IAAA,qBAAO,EAAA;;;cAGd,IAAA,iBAAU,EAAC,IAAI,CAAC,wCAAwC,cAAc;SAC3E,CAAC,CAAC;IACP,CAAC;IAED,OAAO,cAAc,CAAC;AAC1B,CAAC;AAED,sFAAsF;AACtF,4BAA4B;AAC5B,SAAgB,oBAAoB,CAChC,QAAgB,EAChB,IAAY,EACZ,qBAAyC;IAEzC,IAAI,eAAe,GAAG,KAAK,CAAC;IAE5B,IAAI,qBAAqB,KAAK,IAAI,EAAE,CAAC;QACjC,mEAAmE;QACnE,eAAe,GAAG,IAAI,CAAC;IAC3B,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,qBAAqB,CAAC,IAAI;IAC/C,oDAAoD;IACpD,CAAC,CAAC,QAAQ,CAAC,qBAAqB,EAAE,QAAQ,CAAC;QAC3C,CAAC,CAAC,QAAQ,CAAC,qBAAqB,EAAE,GAAG,QAAQ,IAAI,IAAI,EAAE,CAAC,CAC3D,EAAE,CAAC;QACA,eAAe,GAAG,IAAI,CAAC;IAC3B,CAAC;IACD,OAAO,CAAC,eAAe,CAAC;AAC5B,CAAC;AAEY,QAAA,oBAAoB,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,aAAmD,EAAE,EAAE;IAClG,IAAI,CAAC,aAAa,EAAE,CAAC;QACjB,0EAA0E;QAC1E,iEAAiE;QACjE,OAAO,IAAI,eAAS,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;IACvC,CAAC;SAAM,CAAC;QACJ,yEAAyE;QACzE,MAAM,eAAe,GAAG,IAAI,0BAAe,CAAC;YACxC,MAAM,EAAE,aAAa,CAAC,MAAM;YAC5B,QAAQ,EAAE,aAAa,CAAC,QAAQ;YAChC,8DAA8D;YAC9D,gBAAgB,EAAE,CAAC;SACtB,CAAC,CAAC;QAEH,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;YACxB,eAAe,CAAC,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;QACpD,CAAC;QAED,OAAO,eAAe,CAAC,MAAM,CAAC;IAClC,CAAC;AACL,CAAC,CAAC,CAAC;AAEI,KAAK,UAAU,yBAAyB,CAC3C,QAAuB,EACvB,QAA4B,EAC5B,QAA2B;IAE3B,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,IAAI,IAAA,gCAAkB,EAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAE5E,iGAAiG;IACjG,qEAAqE;IAErE,uGAAuG;IACvG,wDAAwD;IAExD;IACI,4DAA4D;IAC5D,IAAA,gCAAkB,EAAC,QAAQ,CAAC;QAC5B,4GAA4G;QAC5G,qGAAqG;QACrG,+FAA+F;QAC/F,IAAA,gCAAkB,EAAC,MAAM,IAAA,eAAS,EAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,EAC3E,CAAC;QACC,OAAO,QAAQ,CAAC;QAEhB,uGAAuG;QACvG,8DAA8D;IAClE,CAAC;SAAM,CAAC;QACJ,OAAO,QAAQ,CAAC;IACpB,CAAC;AACL,CAAC"}

package/dist/rules/proxy-config.d.ts

@@ -0,0 +1,76 @@
+import { MaybePromise } from '../util/type-utils';
+import { RuleParameterReference } from './rule-parameters';
+import { CADefinition } from './passthrough-handling-definitions';
+/**
+ * A ProxySetting is a specific proxy setting to use, which is passed to a proxy agent
+ * who will manage creating a socket for the request (directly, or tunnelled, or whatever).
+ */
+export interface ProxySetting {
+    /**
+     * The URL for the proxy to forward traffic through.
+     *
+     * This can be any URL supported by https://www.npmjs.com/package/proxy-agent.
+     * For example: http://..., socks5://..., pac+http://...
+     */
+    proxyUrl: string;
+    /**
+     * A list of no-proxy values, matching hosts' traffic should *not* be proxied.
+     *
+     * This is a common proxy feature, but unfortunately isn't standardized. See
+     * https://about.gitlab.com/blog/2021/01/27/we-need-to-talk-no-proxy/ for some
+     * background. This implementation is intended to match Curl's behaviour, and
+     * any differences are a bug.
+     *
+     * The currently supported formats are:
+     * - example.com (matches domain and all subdomains)
+     * - example.com:443 (matches domain and all subdomains, but only on that port)
+     * - 10.0.0.1 (matches IP, but only when used directly - does not resolve domains)
+     *
+     * Some other formats (e.g. leading dots or *.) will work, but the leading
+     * characters are ignored. More formats may be added in future, e.g. CIDR ranges.
+     * To maximize compatibility with values used elsewhere, unrecognized formats
+     * will generally be ignored, but may match in unexpected ways.
+     */
+    noProxy?: string[];
+    /**
+     * CAs to trust for HTTPS connections to the proxy. Ignored if the connection to
+     * the proxy is not HTTPS. If not specified, this will default to the Node
+     * defaults, or you can override them here completely.
+     *
+     * This sets the complete list of trusted CAs, and is mutually exclusive with the
+     * `additionalTrustedCAs` option, which adds additional CAs (but also trusts the
+     * Node default CAs too).
+     *
+     * This should be specified as either a { cert: string | Buffer } object or a
+     * { certPath: string } object (to read the cert from disk). The previous
+     * simple string format is supported but deprecated.
+     */
+    trustedCAs?: Array<string | CADefinition>;
+    /**
+     * Extra CAs to trust for HTTPS connections to the proxy. Ignored if the connection
+     * to the proxy is not HTTPS.
+     *
+     * This appends to the list of trusted CAs, and is mutually exclusive with the
+     * `trustedCAs` option, which completely overrides the list of CAs.
+     */
+    additionalTrustedCAs?: Array<CADefinition>;
+}
+/**
+ * A ProxySettingSource is a way to calculate the ProxySetting for a given request. It
+ * may be a fixed ProxySetting value, or a callback to get ProxySetting values, or an
+ * array of sources, which should be iterated to get the first usable value
+ */
+export type ProxySettingSource = ProxySetting | ProxySettingCallback | Array<ProxySettingSource> | undefined;
+export type ProxySettingCallbackParams = {
+    hostname: string;
+};
+export type ProxySettingCallback = (params: ProxySettingCallbackParams) => MaybePromise<ProxySetting | undefined>;
+/**
+ * A ProxyConfig is externally provided config that specifies a ProxySettingSource.
+ * It might be a ProxySettingSource itself, or it might include references to rule
+ * parameters, which must be dereferenced to make it usable as a ProxySettingSource.
+ */
+export type ProxyConfig = ProxySettingSource | RuleParameterReference<ProxySettingSource> | Array<ProxySettingSource | RuleParameterReference<ProxySettingSource>>;
+export declare function getProxySetting(configSource: ProxySettingSource, params: ProxySettingCallbackParams): Promise<ProxySetting | undefined>;
+export declare const matchesNoProxy: (hostname: string, portNum: number, noProxyValues: string[] | undefined) => boolean;
+//# sourceMappingURL=proxy-config.d.ts.map

package/dist/rules/proxy-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-config.d.ts","sourceRoot":"","sources":["../../src/rules/proxy-config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAC;AAElE;;;GAGG;AACH,MAAM,WAAW,YAAY;IACzB;;;;;OAKG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;;;;;;;;;;;;;;;OAiBG;IACH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IAEnB;;;;;;;;;;;;OAYG;IACH,UAAU,CAAC,EAAE,KAAK,CACZ,MAAM,GACN,YAAY,CACjB,CAAC;IAEF;;;;;;OAMG;IACH,oBAAoB,CAAC,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;CAC9C;AAED;;;;GAIG;AACH,MAAM,MAAM,kBAAkB,GACxB,YAAY,GACZ,oBAAoB,GACpB,KAAK,CAAC,kBAAkB,CAAC,GACzB,SAAS,CAAC;AAEhB,MAAM,MAAM,0BAA0B,GAAG;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC;AAC9D,MAAM,MAAM,oBAAoB,GAAG,CAAC,MAAM,EAAE,0BAA0B,KAAK,YAAY,CAAC,YAAY,GAAG,SAAS,CAAC,CAAC;AAElH;;;;GAIG;AACH,MAAM,MAAM,WAAW,GACpB,kBAAkB,GAClB,sBAAsB,CAAC,kBAAkB,CAAC,GAC1C,KAAK,CAAC,kBAAkB,GAAG,sBAAsB,CAAC,kBAAkB,CAAC,CAAC,CAAC;AAE1E,wBAAsB,eAAe,CACjC,YAAY,EAAE,kBAAkB,EAChC,MAAM,EAAE,0BAA0B,qCAYrC;AAED,eAAO,MAAM,cAAc,aAAc,MAAM,WAAW,MAAM,iBAAiB,MAAM,EAAE,GAAG,SAAS,YA4BpG,CAAA"}

package/dist/rules/proxy-config.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.matchesNoProxy = void 0;
+exports.getProxySetting = getProxySetting;
+const _ = require("lodash");
+async function getProxySetting(configSource, params) {
+    if (_.isFunction(configSource))
+        return configSource(params);
+    else if (_.isArray(configSource)) {
+        let result;
+        for (let configArrayOption of configSource) {
+            result = await getProxySetting(configArrayOption, params);
+            if (result)
+                break;
+        }
+        return result;
+    }
+    else
+        return configSource;
+}
+const matchesNoProxy = (hostname, portNum, noProxyValues) => {
+    if (!noProxyValues || noProxyValues.length === 0)
+        return false; // Skip everything in the common case.
+    const port = portNum.toString();
+    const hostParts = hostname.split('.').reverse();
+    return noProxyValues.some((noProxy) => {
+        const [noProxyHost, noProxyPort] = noProxy.split(':');
+        let noProxyParts = noProxyHost.split('.').reverse();
+        const lastPart = noProxyParts[noProxyParts.length - 1];
+        if (lastPart === '' || lastPart === '*') {
+            noProxyParts = noProxyParts.slice(0, -1);
+        }
+        if (noProxyPort && port !== noProxyPort)
+            return false;
+        for (let i = 0; i < noProxyParts.length; i++) {
+            let noProxyPart = noProxyParts[i];
+            let hostPart = hostParts[i];
+            if (hostPart === undefined)
+                return false; // No-proxy is longer than hostname
+            if (noProxyPart !== hostPart)
+                return false; // Mismatch
+        }
+        // If we run out of no-proxy parts with no mismatch then we've matched
+        return true;
+    });
+};
+exports.matchesNoProxy = matchesNoProxy;
+//# sourceMappingURL=proxy-config.js.map

package/dist/rules/proxy-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-config.js","sourceRoot":"","sources":["../../src/rules/proxy-config.ts"],"names":[],"mappings":";;;AA2FA,0CAcC;AAzGD,4BAA4B;AA2FrB,KAAK,UAAU,eAAe,CACjC,YAAgC,EAChC,MAAkC;IAElC,IAAI,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;SACvD,IAAI,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QAC/B,IAAI,MAAgC,CAAC;QACrC,KAAK,IAAI,iBAAiB,IAAI,YAAY,EAAE,CAAC;YACzC,MAAM,GAAG,MAAM,eAAe,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;YAC1D,IAAI,MAAM;gBAAE,MAAM;QACtB,CAAC;QACD,OAAO,MAAM,CAAC;IAClB,CAAC;;QACI,OAAO,YAAY,CAAC;AAC7B,CAAC;AAEM,MAAM,cAAc,GAAG,CAAC,QAAgB,EAAE,OAAe,EAAE,aAAmC,EAAE,EAAE;IACrG,IAAI,CAAC,aAAa,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,CAAC,sCAAsC;IAEtG,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;IAChC,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;IAEhD,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QAClC,MAAM,CAAC,WAAW,EAAE,WAAW,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAiC,CAAC;QAEtF,IAAI,YAAY,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;QACpD,MAAM,QAAQ,GAAG,YAAY,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACvD,IAAI,QAAQ,KAAK,EAAE,IAAI,QAAQ,KAAK,GAAG,EAAE,CAAC;YACtC,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,WAAW,IAAI,IAAI,KAAK,WAAW;YAAE,OAAO,KAAK,CAAC;QAEtD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3C,IAAI,WAAW,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;YAClC,IAAI,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;YAE5B,IAAI,QAAQ,KAAK,SAAS;gBAAE,OAAO,KAAK,CAAC,CAAC,mCAAmC;YAC7E,IAAI,WAAW,KAAK,QAAQ;gBAAE,OAAO,KAAK,CAAC,CAAC,WAAW;QAC3D,CAAC;QAED,sEAAsE;QACtE,OAAO,IAAI,CAAC;IAChB,CAAC,CAAC,CAAC;AACP,CAAC,CAAA;AA5BY,QAAA,cAAc,kBA4B1B"}