npm - payload - Versions diffs - 3.45.0 → 3.46.0-canary.1 - Mend

payload 3.45.0 → 3.46.0-canary.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/uploads/safeFetch.d.ts +1 -0
package/dist/uploads/safeFetch.d.ts.map +1 -1
package/dist/uploads/safeFetch.js +29 -9
package/dist/uploads/safeFetch.js.map +1 -1
package/package.json +2 -2

package/dist/uploads/safeFetch.d.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import { fetch as undiciFetch } from 'undici';
  * A "safe" version of undici's fetch that prevents SSRF attacks.
  *
  * - Utilizes a custom dispatcher that filters out requests to unsafe IP addresses.
+ * - Validates domain names by resolving them to IP addresses and checking if they're safe.
  * - Undici was used because it supported interceptors as well as "credentials: include". Native fetch
  */
 export declare const safeFetch: (input: import("undici").RequestInfo, init?: import("undici").RequestInit | undefined) => Promise<import("undici").Response>;

package/dist/uploads/safeFetch.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"safeFetch.d.ts","sourceRoot":"","sources":["../../src/uploads/safeFetch.ts"],"names":[],"mappings":"~~AAGA~~,OAAO,EAAS,KAAK,IAAI,WAAW,EAAE,MAAM,QAAQ,CAAA;~~AAmCpD;;;;;GAKG~~;AACH,eAAO,MAAM,SAAS,~~8HA0BrB~~,CAAA"}
1	+ {"version":3,"file":"safeFetch.d.ts","sourceRoot":"","sources":["../../src/uploads/safeFetch.ts"],"names":[],"mappings":"AAIA,OAAO,EAAS,KAAK,IAAI,WAAW,EAAE,MAAM,QAAQ,CAAA;AAiDpD;;;;;;GAMG;AACH,eAAO,MAAM,SAAS,8HAoCrB,CAAA"}

package/dist/uploads/safeFetch.js CHANGED Viewed

@@ -1,3 +1,4 @@
+import { lookup } from 'dns/promises';
 import ipaddr from 'ipaddr.js';
 import { Agent, fetch as undiciFetch } from 'undici';
 const isSafeIp = (ip)=>{
@@ -19,12 +20,23 @@ const isSafeIp = (ip)=>{
     }
     return true;
 };
+/**
+ * Checks if a hostname or IP address is safe to fetch from.
+ * @param hostname a hostname or IP address
+ * @returns
+ */ const isSafe = async (hostname)=>{
+    try {
+        if (ipaddr.isValid(hostname)) {
+            return isSafeIp(hostname);
+        }
+        const { address } = await lookup(hostname);
+        return isSafeIp(address);
+    } catch (_ignore) {
+        return false;
+    }
+};
 const ssrfFilterInterceptor = (dispatch)=>{
     return (opts, handler)=>{
-        const url = new URL(opts.origin?.toString() + opts.path);
-        if (!isSafeIp(url.hostname)) {
-            throw new Error(`Blocked unsafe attempt to ${url}`);
-        }
         return dispatch(opts, handler);
     };
 };
@@ -33,10 +45,16 @@ const safeDispatcher = new Agent().compose(ssrfFilterInterceptor);
  * A "safe" version of undici's fetch that prevents SSRF attacks.
  *
  * - Utilizes a custom dispatcher that filters out requests to unsafe IP addresses.
+ * - Validates domain names by resolving them to IP addresses and checking if they're safe.
  * - Undici was used because it supported interceptors as well as "credentials: include". Native fetch
  */ export const safeFetch = async (...args)=>{
-    const [url, options] = args;
+    const [unverifiedUrl, options] = args;
     try {
+        const url = new URL(unverifiedUrl);
+        const isHostnameSafe = await isSafe(url.hostname);
+        if (!isHostnameSafe) {
+            throw new Error(`Blocked unsafe attempt to ${url.toString()}`);
+        }
         return await undiciFetch(url, {
             ...options,
             dispatcher: safeDispatcher
@@ -49,10 +67,12 @@ const safeDispatcher = new Agent().compose(ssrfFilterInterceptor);
                 throw new Error(error.cause.message);
             } else {
                 let stringifiedUrl = undefined;
-                if (typeof url === 'string' || url instanceof URL) {
-                    stringifiedUrl = url;
-                } else if (url instanceof Request) {
-                    stringifiedUrl = url.url;
+                if (typeof unverifiedUrl === 'string') {
+                    stringifiedUrl = unverifiedUrl;
+                } else if (unverifiedUrl instanceof URL) {
+                    stringifiedUrl = unverifiedUrl.toString();
+                } else if (unverifiedUrl instanceof Request) {
+                    stringifiedUrl = unverifiedUrl.url;
                 }
                 throw new Error(`Failed to fetch from ${stringifiedUrl}, ${error.message}`);
             }

package/dist/uploads/safeFetch.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../src/uploads/safeFetch.ts"],"sourcesContent":["import type { Dispatcher } from 'undici'\n\nimport ipaddr from 'ipaddr.js'\nimport { Agent, fetch as undiciFetch } from 'undici'\n\nconst isSafeIp = (ip: string) => {\n try {\n if (!ip) {\n return false\n }\n\n if (!ipaddr.isValid(ip)) {\n return false\n }\n\n const parsedIpAddress = ipaddr.parse(ip)\n const range = parsedIpAddress.range()\n if (range !== 'unicast') {\n return false // Private IP Range\n }\n } catch (ignore) {\n return false\n }\n return true\n}\n\nconst ~~ssrfFilterInterceptor:~~ ~~Dispatcher.DispatcherComposeInterceptor~~ = (~~dispatch~~) => {\n ~~return~~ (~~opts, handler~~) => {\n const ~~url~~ = ~~new~~ ~~URL~~(~~opts.origin?.toString(~~) ~~+ opts.path)~~\n if (!isSafeIp(~~url.hostname~~)) {\n ~~throw~~ ~~new~~ ~~Error(`Blocked~~ ~~unsafe~~ ~~attempt~~ to ${~~url}`)~~\n }\n return dispatch(opts, handler)\n }\n}\n\nconst safeDispatcher = new Agent().compose(ssrfFilterInterceptor)\n\n/*\n A \"safe\" version of undici's fetch that prevents SSRF attacks.\n \n - Utilizes a custom dispatcher that filters out requests to unsafe IP addresses.\n * - Undici was used because it supported interceptors as well as \"credentials: include\". Native fetch\n */\nexport const safeFetch = async (...args: Parameters<typeof undiciFetch>) => {\n const [~~url~~, options] = args\n try {\n return await undiciFetch(url, {\n ...options,\n dispatcher: safeDispatcher,\n })\n } catch (error) {\n if (error instanceof Error) {\n if (error.cause instanceof Error && error.cause.message.includes('unsafe')) {\n // Errors thrown from within interceptors always have 'fetch error' as the message\n // The desired message we want to bubble up is in the cause\n throw new Error(error.cause.message)\n } else {\n let stringifiedUrl: string \| undefined ~~\| URL~~ = undefined\n if (typeof ~~url~~ === 'string' \|\| ~~url~~ instanceof URL) {\n stringifiedUrl = ~~url~~\n } else if (~~url~~ instanceof Request) {\n stringifiedUrl = ~~url~~.url\n }\n\n throw new Error(`Failed to fetch from ${stringifiedUrl}, ${error.message}`)\n }\n }\n throw error\n }\n}\n"],"names":["ipaddr","Agent","fetch","undiciFetch","isSafeIp","ip","isValid","parsedIpAddress","parse","range","ignore","ssrfFilterInterceptor","dispatch","opts","handler","~~url~~","~~URL~~","~~origin~~","~~toString~~","~~path~~","~~hostname~~","~~Error~~","~~safeDispatcher~~","~~compose~~","~~safeFetch~~","~~args~~","~~options","~~dispatcher","error","cause","message","includes","stringifiedUrl","undefined","Request"],"mappings":"AAEA,~~OAAOA~~,YAAY,YAAW;AAC9B,SAASC,KAAK,EAAEC,SAASC,WAAW,QAAQ,SAAQ;AAEpD,MAAMC,WAAW,CAACC;IAChB,IAAI;QACF,IAAI,CAACA,IAAI;YACP,OAAO;QACT;QAEA,IAAI,CAACL,OAAOM,OAAO,CAACD,KAAK;YACvB,OAAO;QACT;QAEA,MAAME,kBAAkBP,OAAOQ,KAAK,CAACH;QACrC,MAAMI,QAAQF,gBAAgBE,KAAK;QACnC,IAAIA,UAAU,WAAW;YACvB,OAAO,MAAM,mBAAmB;;QAClC;IACF,EAAE,OAAOC,QAAQ;QACf,OAAO;IACT;IACA,OAAO;AACT;AAEA,MAAMC,~~wBAAiE~~,~~CAACC~~;~~IACtE~~,~~OAAO~~,~~CAACC~~,~~MAAMC;QACZ~~,~~MAAMC~~,~~MAAM~~,~~IAAIC~~,~~IAAIH~~,~~KAAKI~~,MAAM,EAAEC,~~aAAaL~~,~~KAAKM~~,~~IAAI~~;~~QACvD~~,~~IAAI~~,~~CAACf~~,~~SAASW~~,~~IAAIK~~,~~QAAQ~~,~~GAAG~~;~~YAC3B~~,~~MAAM~~,~~IAAIC~~,~~MAAM~~,~~CAAC~~,~~0BAA0B~~,~~EAAEN,KAAK~~;~~QACpD;QACA~~,~~OAAOH~~,SAASC,MAAMC;IACxB;AACF;AAEA,~~MAAMQ~~,iBAAiB,~~IAAIrB~~,~~QAAQsB~~,OAAO,~~CAACZ~~;AAE3C~~;;;;;CAKC~~,GACD,OAAO,~~MAAMa~~,YAAY,OAAO,GAAGC;IACjC,MAAM,~~CAACV~~,~~KAAKW~~,QAAQ,~~GAAGD~~;~~IACvB~~,IAAI;QACF,OAAO,~~MAAMtB~~,~~YAAYY~~,KAAK;YAC5B,~~GAAGW~~,OAAO;~~YACVC~~,~~YAAYL~~;QACd;IACF,EAAE,~~OAAOM~~,OAAO;QACd,IAAIA,~~iBAAiBP~~,OAAO;YAC1B,~~IAAIO~~,MAAMC,KAAK,~~YAAYR~~,~~SAASO~~,MAAMC,KAAK,CAACC,OAAO,CAACC,QAAQ,CAAC,WAAW;gBAC1E,kFAAkF;gBAClF,2DAA2D;gBAC3D,MAAM,~~IAAIV~~,~~MAAMO~~,MAAMC,KAAK,CAACC,OAAO;YACrC,OAAO;gBACL,IAAIE,~~iBAA2CC~~;~~gBAC/C~~,IAAI,~~OAAOlB~~,~~QAAQ~~,~~YAAYA~~,~~eAAeC~~,KAAK;~~oBACjDgB~~,~~iBAAiBjB~~;~~gBACnB~~,OAAO,~~IAAIA~~,~~eAAemB~~,SAAS;~~oBACjCF~~,~~iBAAiBjB~~,~~IAAIA~~,GAAG;~~gBAC1B~~;gBAEA,MAAM,~~IAAIM~~,MAAM,CAAC,qBAAqB,~~EAAEW~~,eAAe,EAAE,EAAEJ,MAAME,OAAO,EAAE;YAC5E;QACF;QACA,MAAMF;IACR;AACF,EAAC"}
1	+ {"version":3,"sources":["../../src/uploads/safeFetch.ts"],"sourcesContent":["import type { Dispatcher } from 'undici'\n\nimport { lookup } from 'dns/promises'\nimport ipaddr from 'ipaddr.js'\nimport { Agent, fetch as undiciFetch } from 'undici'\n\nconst isSafeIp = (ip: string) => {\n try {\n if (!ip) {\n return false\n }\n\n if (!ipaddr.isValid(ip)) {\n return false\n }\n\n const parsedIpAddress = ipaddr.parse(ip)\n const range = parsedIpAddress.range()\n if (range !== 'unicast') {\n return false // Private IP Range\n }\n } catch (ignore) {\n return false\n }\n return true\n}\n\n/*\n Checks if a hostname or IP address is safe to fetch from.\n * @param hostname a hostname or IP address\n * @returns\n /\nconst isSafe = async (hostname: string) => {\n try {\n if (ipaddr.isValid(hostname)) {\n return isSafeIp(hostname)\n }\n\n const { address } = await lookup(hostname)\n return isSafeIp(address)\n } catch (_ignore) {\n return false\n }\n}\n\nconst ssrfFilterInterceptor: Dispatcher.DispatcherComposeInterceptor = (dispatch) => {\n return (opts, handler) => {\n return dispatch(opts, handler)\n }\n}\n\nconst safeDispatcher = new Agent().compose(ssrfFilterInterceptor)\n\n/\n A \"safe\" version of undici's fetch that prevents SSRF attacks.\n \n - Utilizes a custom dispatcher that filters out requests to unsafe IP addresses.\n * - Validates domain names by resolving them to IP addresses and checking if they're safe.\n * - Undici was used because it supported interceptors as well as \"credentials: include\". Native fetch\n */\nexport const safeFetch = async (...args: Parameters<typeof undiciFetch>) => {\n const [unverifiedUrl, options] = args\n\n try {\n const url = new URL(unverifiedUrl)\n\n const isHostnameSafe = await isSafe(url.hostname)\n if (!isHostnameSafe) {\n throw new Error(`Blocked unsafe attempt to ${url.toString()}`)\n }\n\n return await undiciFetch(url, {\n ...options,\n dispatcher: safeDispatcher,\n })\n } catch (error) {\n if (error instanceof Error) {\n if (error.cause instanceof Error && error.cause.message.includes('unsafe')) {\n // Errors thrown from within interceptors always have 'fetch error' as the message\n // The desired message we want to bubble up is in the cause\n throw new Error(error.cause.message)\n } else {\n let stringifiedUrl: string \| undefined = undefined\n if (typeof unverifiedUrl === 'string') {\n stringifiedUrl = unverifiedUrl\n } else if (unverifiedUrl instanceof URL) {\n stringifiedUrl = unverifiedUrl.toString()\n } else if (unverifiedUrl instanceof Request) {\n stringifiedUrl = unverifiedUrl.url\n }\n\n throw new Error(`Failed to fetch from ${stringifiedUrl}, ${error.message}`)\n }\n }\n throw error\n }\n}\n"],"names":["lookup","ipaddr","Agent","fetch","undiciFetch","isSafeIp","ip","isValid","parsedIpAddress","parse","range","ignore","isSafe","hostname","address","_ignore","ssrfFilterInterceptor","dispatch","opts","handler","safeDispatcher","compose","safeFetch","args","unverifiedUrl","options","url","URL","isHostnameSafe","Error","toString","dispatcher","error","cause","message","includes","stringifiedUrl","undefined","Request"],"mappings":"AAEA,SAASA,MAAM,QAAQ,eAAc;AACrC,OAAOC,YAAY,YAAW;AAC9B,SAASC,KAAK,EAAEC,SAASC,WAAW,QAAQ,SAAQ;AAEpD,MAAMC,WAAW,CAACC;IAChB,IAAI;QACF,IAAI,CAACA,IAAI;YACP,OAAO;QACT;QAEA,IAAI,CAACL,OAAOM,OAAO,CAACD,KAAK;YACvB,OAAO;QACT;QAEA,MAAME,kBAAkBP,OAAOQ,KAAK,CAACH;QACrC,MAAMI,QAAQF,gBAAgBE,KAAK;QACnC,IAAIA,UAAU,WAAW;YACvB,OAAO,MAAM,mBAAmB;;QAClC;IACF,EAAE,OAAOC,QAAQ;QACf,OAAO;IACT;IACA,OAAO;AACT;AAEA;;;;CAIC,GACD,MAAMC,SAAS,OAAOC;IACpB,IAAI;QACF,IAAIZ,OAAOM,OAAO,CAACM,WAAW;YAC5B,OAAOR,SAASQ;QAClB;QAEA,MAAM,EAAEC,OAAO,EAAE,GAAG,MAAMd,OAAOa;QACjC,OAAOR,SAASS;IAClB,EAAE,OAAOC,SAAS;QAChB,OAAO;IACT;AACF;AAEA,MAAMC,wBAAiE,CAACC;IACtE,OAAO,CAACC,MAAMC;QACZ,OAAOF,SAASC,MAAMC;IACxB;AACF;AAEA,MAAMC,iBAAiB,IAAIlB,QAAQmB,OAAO,CAACL;AAE3C;;;;;;CAMC,GACD,OAAO,MAAMM,YAAY,OAAO,GAAGC;IACjC,MAAM,CAACC,eAAeC,QAAQ,GAAGF;IAEjC,IAAI;QACF,MAAMG,MAAM,IAAIC,IAAIH;QAEpB,MAAMI,iBAAiB,MAAMhB,OAAOc,IAAIb,QAAQ;QAChD,IAAI,CAACe,gBAAgB;YACnB,MAAM,IAAIC,MAAM,CAAC,0BAA0B,EAAEH,IAAII,QAAQ,IAAI;QAC/D;QAEA,OAAO,MAAM1B,YAAYsB,KAAK;YAC5B,GAAGD,OAAO;YACVM,YAAYX;QACd;IACF,EAAE,OAAOY,OAAO;QACd,IAAIA,iBAAiBH,OAAO;YAC1B,IAAIG,MAAMC,KAAK,YAAYJ,SAASG,MAAMC,KAAK,CAACC,OAAO,CAACC,QAAQ,CAAC,WAAW;gBAC1E,kFAAkF;gBAClF,2DAA2D;gBAC3D,MAAM,IAAIN,MAAMG,MAAMC,KAAK,CAACC,OAAO;YACrC,OAAO;gBACL,IAAIE,iBAAqCC;gBACzC,IAAI,OAAOb,kBAAkB,UAAU;oBACrCY,iBAAiBZ;gBACnB,OAAO,IAAIA,yBAAyBG,KAAK;oBACvCS,iBAAiBZ,cAAcM,QAAQ;gBACzC,OAAO,IAAIN,yBAAyBc,SAAS;oBAC3CF,iBAAiBZ,cAAcE,GAAG;gBACpC;gBAEA,MAAM,IAAIG,MAAM,CAAC,qBAAqB,EAAEO,eAAe,EAAE,EAAEJ,MAAME,OAAO,EAAE;YAC5E;QACF;QACA,MAAMF;IACR;AACF,EAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "payload",
-  "version": "3.45.0",
+  "version": "3.46.0-canary.1",
   "description": "Node, React, Headless CMS and Application Framework built on Next.js",
   "keywords": [
     "admin panel",
@@ -101,7 +101,7 @@
     "undici": "7.10.0",
     "uuid": "10.0.0",
     "ws": "^8.16.0",
-    "@payloadcms/translations": "3.45.0"
+    "@payloadcms/translations": "3.46.0-canary.1"
   },
   "devDependencies": {
     "@hyrious/esbuild-plugin-commonjs": "0.2.6",