nemoris 0.1.0 → 0.1.2

package/src/runtime/ulid.js

@@ -1,44 +1,44 @@
-import { randomBytes } from "node:crypto";
-
-const ENCODING = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
-
-let lastTime = 0;
-let lastRandom = new Uint8Array(10);
-
-export function ulid() {
-  let now = Date.now();
-  if (now === lastTime) {
-    // Increment random component for monotonicity within same millisecond
-    for (let i = 9; i >= 0; i--) {
-      if (lastRandom[i] < 255) { lastRandom[i]++; break; }
-      lastRandom[i] = 0;
-    }
-  } else {
-    lastTime = now;
-    randomBytes(10).copy(lastRandom);
-  }
-
-  let str = "";
-  // Encode 48-bit timestamp → 10 Crockford Base32 chars
-  for (let i = 9; i >= 0; i--) {
-    str = ENCODING[now & 31] + str;
-    now = Math.floor(now / 32);
-  }
-  // Encode 80-bit random → 16 Crockford Base32 chars
-  // Process as two 40-bit halves, each → 8 chars
-  const rand = lastRandom;
-  for (let half = 0; half < 2; half++) {
-    const off = half * 5;
-    const hi = (rand[off] << 12) | (rand[off + 1] << 4) | (rand[off + 2] >> 4);
-    const lo = ((rand[off + 2] & 0xF) << 16) | (rand[off + 3] << 8) | rand[off + 4];
-    str += ENCODING[(hi >> 15) & 31];
-    str += ENCODING[(hi >> 10) & 31];
-    str += ENCODING[(hi >> 5) & 31];
-    str += ENCODING[hi & 31];
-    str += ENCODING[(lo >> 15) & 31];
-    str += ENCODING[(lo >> 10) & 31];
-    str += ENCODING[(lo >> 5) & 31];
-    str += ENCODING[lo & 31];
-  }
-  return str;
-}
+import { randomBytes } from "node:crypto";
+
+const ENCODING = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
+
+let lastTime = 0;
+let lastRandom = new Uint8Array(10);
+
+export function ulid() {
+  let now = Date.now();
+  if (now === lastTime) {
+    // Increment random component for monotonicity within same millisecond
+    for (let i = 9; i >= 0; i--) {
+      if (lastRandom[i] < 255) { lastRandom[i]++; break; }
+      lastRandom[i] = 0;
+    }
+  } else {
+    lastTime = now;
+    randomBytes(10).copy(lastRandom);
+  }
+
+  let str = "";
+  // Encode 48-bit timestamp → 10 Crockford Base32 chars
+  for (let i = 9; i >= 0; i--) {
+    str = ENCODING[now & 31] + str;
+    now = Math.floor(now / 32);
+  }
+  // Encode 80-bit random → 16 Crockford Base32 chars
+  // Process as two 40-bit halves, each → 8 chars
+  const rand = lastRandom;
+  for (let half = 0; half < 2; half++) {
+    const off = half * 5;
+    const hi = (rand[off] << 12) | (rand[off + 1] << 4) | (rand[off + 2] >> 4);
+    const lo = ((rand[off + 2] & 0xF) << 16) | (rand[off + 3] << 8) | rand[off + 4];
+    str += ENCODING[(hi >> 15) & 31];
+    str += ENCODING[(hi >> 10) & 31];
+    str += ENCODING[(hi >> 5) & 31];
+    str += ENCODING[hi & 31];
+    str += ENCODING[(lo >> 15) & 31];
+    str += ENCODING[(lo >> 10) & 31];
+    str += ENCODING[(lo >> 5) & 31];
+    str += ENCODING[lo & 31];
+  }
+  return str;
+}

package/src/security/ssrf-check.js

@@ -1,197 +1,197 @@
-import net from "node:net";
-import { lookup } from "node:dns/promises";
-
-const IPV4_BITS = 32;
-const IPV6_BITS = 128;
-const BLOCKED_HOSTNAME_RE = /^(localhost|localhost\.localdomain|local|internal)$/i;
-const LOOPBACK_HOSTNAME_RE = /^(localhost|localhost\.localdomain)$/i;
-
-const BLOCKED_IPV4_RANGES = [
-  rangeFromPrefix("0.0.0.0", 8, IPV4_BITS),
-  rangeFromPrefix("10.0.0.0", 8, IPV4_BITS),
-  rangeFromPrefix("100.64.0.0", 10, IPV4_BITS),
-  rangeFromPrefix("127.0.0.0", 8, IPV4_BITS),
-  rangeFromPrefix("169.254.0.0", 16, IPV4_BITS),
-  rangeFromPrefix("172.16.0.0", 12, IPV4_BITS),
-  rangeFromPrefix("192.168.0.0", 16, IPV4_BITS),
-  rangeFromPrefix("198.18.0.0", 15, IPV4_BITS),
-];
-
-const LOOPBACK_IPV4_RANGES = [
-  rangeFromPrefix("127.0.0.0", 8, IPV4_BITS),
-];
-
-const BLOCKED_IPV6_RANGES = [
-  rangeFromPrefix("::", 128, IPV6_BITS),
-  rangeFromPrefix("::1", 128, IPV6_BITS),
-  rangeFromPrefix("fc00::", 7, IPV6_BITS),
-  rangeFromPrefix("fe80::", 10, IPV6_BITS),
-  rangeFromPrefix("ff00::", 8, IPV6_BITS),
-];
-
-const LOOPBACK_IPV6_RANGES = [
-  rangeFromPrefix("::1", 128, IPV6_BITS),
-];
-
-export const OUTBOUND_ADDRESS_POLICY = {
-  BLOCK_PRIVATE: "block-private",
-  REQUIRE_LOOPBACK: "require-loopback",
-};
-
-function normaliseAddress(address) {
-  if (typeof address !== "string") return "";
-  if (address.startsWith("[") && address.endsWith("]")) {
-    return address.slice(1, -1);
-  }
-  return address;
-}
-
-function ipv4ToBigInt(address) {
-  return normaliseAddress(address)
-    .split(".")
-    .reduce((value, octet) => (value << 8n) + BigInt(Number(octet)), 0n);
-}
-
-function expandEmbeddedIpv4(address) {
-  if (!address.includes(".")) return address;
-  const lastColon = address.lastIndexOf(":");
-  const ipv4Value = ipv4ToBigInt(address.slice(lastColon + 1));
-  const upper = Number((ipv4Value >> 16n) & 0xffffn).toString(16);
-  const lower = Number(ipv4Value & 0xffffn).toString(16);
-  return `${address.slice(0, lastColon)}:${upper}:${lower}`;
-}
-
-function ipv6ToBigInt(address) {
-  const expanded = expandEmbeddedIpv4(normaliseAddress(address).toLowerCase());
-  const hasCompression = expanded.includes("::");
-  const [head, tail = ""] = expanded.split("::");
-  const headParts = head ? head.split(":").filter(Boolean) : [];
-  const tailParts = tail ? tail.split(":").filter(Boolean) : [];
-  const missingParts = hasCompression ? 8 - (headParts.length + tailParts.length) : 0;
-  const parts = hasCompression
-    ? [...headParts, ...Array(missingParts).fill("0"), ...tailParts]
-    : expanded.split(":");
-
-  if (parts.length !== 8) {
-    throw new Error(`Invalid IPv6 address: ${address}`);
-  }
-
-  return parts.reduce((value, part) => (value << 16n) + BigInt(parseInt(part || "0", 16)), 0n);
-}
-
-function rangeFromPrefix(address, prefixLength, totalBits) {
-  const rawValue = totalBits === IPV4_BITS ? ipv4ToBigInt(address) : ipv6ToBigInt(address);
-  const shift = BigInt(totalBits - prefixLength);
-  const maxValue = (1n << BigInt(totalBits)) - 1n;
-  const mask = shift === 0n ? maxValue : maxValue ^ ((1n << shift) - 1n);
-  const start = rawValue & mask;
-  const end = start | (maxValue ^ mask);
-  return { start, end };
-}
-
-function isAddressInRanges(address, ranges) {
-  const normalised = normaliseAddress(address);
-  const family = net.isIP(normalised);
-  if (family === 4) {
-    const value = ipv4ToBigInt(normalised);
-    return ranges.some((range) => value >= range.start && value <= range.end);
-  }
-  if (family === 6) {
-    const value = ipv6ToBigInt(normalised);
-    return ranges.some((range) => value >= range.start && value <= range.end);
-  }
-  return false;
-}
-
-export function isBlockedIpAddress(address) {
-  return isAddressInRanges(address, BLOCKED_IPV4_RANGES.concat(BLOCKED_IPV6_RANGES));
-}
-
-export function isLoopbackIpAddress(address) {
-  return isAddressInRanges(address, LOOPBACK_IPV4_RANGES.concat(LOOPBACK_IPV6_RANGES));
-}
-
-function policyRejectsHostname(hostname, { addressPolicy, allowLoopbackAddresses }) {
-  if (addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK) {
-    return !LOOPBACK_HOSTNAME_RE.test(hostname);
-  }
-  if (allowLoopbackAddresses && LOOPBACK_HOSTNAME_RE.test(hostname)) {
-    return false;
-  }
-  return BLOCKED_HOSTNAME_RE.test(hostname);
-}
-
-function policyRejectsAddress(address, { addressPolicy, allowLoopbackAddresses }) {
-  if (addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK) {
-    return !isLoopbackIpAddress(address);
-  }
-  if (allowLoopbackAddresses && isLoopbackIpAddress(address)) {
-    return false;
-  }
-  return isBlockedIpAddress(address);
-}
-
-export async function inspectOutboundUrl(rawUrl, {
-  lookupImpl = lookup,
-  allowedProtocols = ["http:", "https:"],
-  invalidUrlMessage = "Invalid URL.",
-  invalidProtocolMessage = "Only http:// and https:// URLs are allowed.",
-  privateAddressMessage = "Target resolves to a private/reserved IP address.",
-  loopbackOnlyMessage = "Target must resolve to a loopback address.",
-  addressPolicy = OUTBOUND_ADDRESS_POLICY.BLOCK_PRIVATE,
-  allowLoopbackAddresses = false,
-} = {}) {
-  let parsedUrl;
-  try {
-    parsedUrl = rawUrl instanceof URL ? rawUrl : new URL(rawUrl);
-  } catch {
-    return { ok: false, reason: invalidUrlMessage };
-  }
-
-  if (!allowedProtocols.includes(parsedUrl.protocol)) {
-    return { ok: false, reason: invalidProtocolMessage, parsedUrl };
-  }
-
-  const hostname = parsedUrl.hostname;
-  if (!hostname) {
-    return {
-      ok: false,
-      reason: addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK ? loopbackOnlyMessage : privateAddressMessage,
-      parsedUrl
-    };
-  }
-
-  if (policyRejectsHostname(hostname, { addressPolicy, allowLoopbackAddresses })) {
-    return {
-      ok: false,
-      reason: addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK ? loopbackOnlyMessage : privateAddressMessage,
-      parsedUrl
-    };
-  }
-
-  if (net.isIP(normaliseAddress(hostname)) && policyRejectsAddress(hostname, { addressPolicy, allowLoopbackAddresses })) {
-    return {
-      ok: false,
-      reason: addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK ? loopbackOnlyMessage : privateAddressMessage,
-      parsedUrl
-    };
-  }
-
-  try {
-    const addresses = await lookupImpl(normaliseAddress(hostname), { all: true, verbatim: true });
-    if (addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK) {
-      if (!addresses.length || addresses.some(({ address }) => !isLoopbackIpAddress(address))) {
-        return { ok: false, reason: loopbackOnlyMessage, parsedUrl };
-      }
-    } else if (addresses.some(({ address }) => policyRejectsAddress(address, { addressPolicy, allowLoopbackAddresses }))) {
-      return { ok: false, reason: privateAddressMessage, parsedUrl };
-    }
-  } catch {
-    if (addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK) {
-      return { ok: false, reason: loopbackOnlyMessage, parsedUrl };
-    }
-    // Allow downstream fetch errors to surface if DNS resolution fails here.
-  }
-
-  return { ok: true, parsedUrl };
-}
+import net from "node:net";
+import { lookup } from "node:dns/promises";
+
+const IPV4_BITS = 32;
+const IPV6_BITS = 128;
+const BLOCKED_HOSTNAME_RE = /^(localhost|localhost\.localdomain|local|internal)$/i;
+const LOOPBACK_HOSTNAME_RE = /^(localhost|localhost\.localdomain)$/i;
+
+const BLOCKED_IPV4_RANGES = [
+  rangeFromPrefix("0.0.0.0", 8, IPV4_BITS),
+  rangeFromPrefix("10.0.0.0", 8, IPV4_BITS),
+  rangeFromPrefix("100.64.0.0", 10, IPV4_BITS),
+  rangeFromPrefix("127.0.0.0", 8, IPV4_BITS),
+  rangeFromPrefix("169.254.0.0", 16, IPV4_BITS),
+  rangeFromPrefix("172.16.0.0", 12, IPV4_BITS),
+  rangeFromPrefix("192.168.0.0", 16, IPV4_BITS),
+  rangeFromPrefix("198.18.0.0", 15, IPV4_BITS),
+];
+
+const LOOPBACK_IPV4_RANGES = [
+  rangeFromPrefix("127.0.0.0", 8, IPV4_BITS),
+];
+
+const BLOCKED_IPV6_RANGES = [
+  rangeFromPrefix("::", 128, IPV6_BITS),
+  rangeFromPrefix("::1", 128, IPV6_BITS),
+  rangeFromPrefix("fc00::", 7, IPV6_BITS),
+  rangeFromPrefix("fe80::", 10, IPV6_BITS),
+  rangeFromPrefix("ff00::", 8, IPV6_BITS),
+];
+
+const LOOPBACK_IPV6_RANGES = [
+  rangeFromPrefix("::1", 128, IPV6_BITS),
+];
+
+export const OUTBOUND_ADDRESS_POLICY = {
+  BLOCK_PRIVATE: "block-private",
+  REQUIRE_LOOPBACK: "require-loopback",
+};
+
+function normaliseAddress(address) {
+  if (typeof address !== "string") return "";
+  if (address.startsWith("[") && address.endsWith("]")) {
+    return address.slice(1, -1);
+  }
+  return address;
+}
+
+function ipv4ToBigInt(address) {
+  return normaliseAddress(address)
+    .split(".")
+    .reduce((value, octet) => (value << 8n) + BigInt(Number(octet)), 0n);
+}
+
+function expandEmbeddedIpv4(address) {
+  if (!address.includes(".")) return address;
+  const lastColon = address.lastIndexOf(":");
+  const ipv4Value = ipv4ToBigInt(address.slice(lastColon + 1));
+  const upper = Number((ipv4Value >> 16n) & 0xffffn).toString(16);
+  const lower = Number(ipv4Value & 0xffffn).toString(16);
+  return `${address.slice(0, lastColon)}:${upper}:${lower}`;
+}
+
+function ipv6ToBigInt(address) {
+  const expanded = expandEmbeddedIpv4(normaliseAddress(address).toLowerCase());
+  const hasCompression = expanded.includes("::");
+  const [head, tail = ""] = expanded.split("::");
+  const headParts = head ? head.split(":").filter(Boolean) : [];
+  const tailParts = tail ? tail.split(":").filter(Boolean) : [];
+  const missingParts = hasCompression ? 8 - (headParts.length + tailParts.length) : 0;
+  const parts = hasCompression
+    ? [...headParts, ...Array(missingParts).fill("0"), ...tailParts]
+    : expanded.split(":");
+
+  if (parts.length !== 8) {
+    throw new Error(`Invalid IPv6 address: ${address}`);
+  }
+
+  return parts.reduce((value, part) => (value << 16n) + BigInt(parseInt(part || "0", 16)), 0n);
+}
+
+function rangeFromPrefix(address, prefixLength, totalBits) {
+  const rawValue = totalBits === IPV4_BITS ? ipv4ToBigInt(address) : ipv6ToBigInt(address);
+  const shift = BigInt(totalBits - prefixLength);
+  const maxValue = (1n << BigInt(totalBits)) - 1n;
+  const mask = shift === 0n ? maxValue : maxValue ^ ((1n << shift) - 1n);
+  const start = rawValue & mask;
+  const end = start | (maxValue ^ mask);
+  return { start, end };
+}
+
+function isAddressInRanges(address, ranges) {
+  const normalised = normaliseAddress(address);
+  const family = net.isIP(normalised);
+  if (family === 4) {
+    const value = ipv4ToBigInt(normalised);
+    return ranges.some((range) => value >= range.start && value <= range.end);
+  }
+  if (family === 6) {
+    const value = ipv6ToBigInt(normalised);
+    return ranges.some((range) => value >= range.start && value <= range.end);
+  }
+  return false;
+}
+
+export function isBlockedIpAddress(address) {
+  return isAddressInRanges(address, BLOCKED_IPV4_RANGES.concat(BLOCKED_IPV6_RANGES));
+}
+
+export function isLoopbackIpAddress(address) {
+  return isAddressInRanges(address, LOOPBACK_IPV4_RANGES.concat(LOOPBACK_IPV6_RANGES));
+}
+
+function policyRejectsHostname(hostname, { addressPolicy, allowLoopbackAddresses }) {
+  if (addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK) {
+    return !LOOPBACK_HOSTNAME_RE.test(hostname);
+  }
+  if (allowLoopbackAddresses && LOOPBACK_HOSTNAME_RE.test(hostname)) {
+    return false;
+  }
+  return BLOCKED_HOSTNAME_RE.test(hostname);
+}
+
+function policyRejectsAddress(address, { addressPolicy, allowLoopbackAddresses }) {
+  if (addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK) {
+    return !isLoopbackIpAddress(address);
+  }
+  if (allowLoopbackAddresses && isLoopbackIpAddress(address)) {
+    return false;
+  }
+  return isBlockedIpAddress(address);
+}
+
+export async function inspectOutboundUrl(rawUrl, {
+  lookupImpl = lookup,
+  allowedProtocols = ["http:", "https:"],
+  invalidUrlMessage = "Invalid URL.",
+  invalidProtocolMessage = "Only http:// and https:// URLs are allowed.",
+  privateAddressMessage = "Target resolves to a private/reserved IP address.",
+  loopbackOnlyMessage = "Target must resolve to a loopback address.",
+  addressPolicy = OUTBOUND_ADDRESS_POLICY.BLOCK_PRIVATE,
+  allowLoopbackAddresses = false,
+} = {}) {
+  let parsedUrl;
+  try {
+    parsedUrl = rawUrl instanceof URL ? rawUrl : new URL(rawUrl);
+  } catch {
+    return { ok: false, reason: invalidUrlMessage };
+  }
+
+  if (!allowedProtocols.includes(parsedUrl.protocol)) {
+    return { ok: false, reason: invalidProtocolMessage, parsedUrl };
+  }
+
+  const hostname = parsedUrl.hostname;
+  if (!hostname) {
+    return {
+      ok: false,
+      reason: addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK ? loopbackOnlyMessage : privateAddressMessage,
+      parsedUrl
+    };
+  }
+
+  if (policyRejectsHostname(hostname, { addressPolicy, allowLoopbackAddresses })) {
+    return {
+      ok: false,
+      reason: addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK ? loopbackOnlyMessage : privateAddressMessage,
+      parsedUrl
+    };
+  }
+
+  if (net.isIP(normaliseAddress(hostname)) && policyRejectsAddress(hostname, { addressPolicy, allowLoopbackAddresses })) {
+    return {
+      ok: false,
+      reason: addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK ? loopbackOnlyMessage : privateAddressMessage,
+      parsedUrl
+    };
+  }
+
+  try {
+    const addresses = await lookupImpl(normaliseAddress(hostname), { all: true, verbatim: true });
+    if (addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK) {
+      if (!addresses.length || addresses.some(({ address }) => !isLoopbackIpAddress(address))) {
+        return { ok: false, reason: loopbackOnlyMessage, parsedUrl };
+      }
+    } else if (addresses.some(({ address }) => policyRejectsAddress(address, { addressPolicy, allowLoopbackAddresses }))) {
+      return { ok: false, reason: privateAddressMessage, parsedUrl };
+    }
+  } catch {
+    if (addressPolicy === OUTBOUND_ADDRESS_POLICY.REQUIRE_LOOPBACK) {
+      return { ok: false, reason: loopbackOnlyMessage, parsedUrl };
+    }
+    // Allow downstream fetch errors to surface if DNS resolution fails here.
+  }
+
+  return { ok: true, parsedUrl };
+}