npm - socket-function - Versions diffs - 0.66.0 → 0.67.0 - Mend

socket-function 0.66.0 → 0.67.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +1 -1
package/require/RequireController.ts +9 -2
package/src/callHTTPHandler.ts +47 -0
package/src/corsCheck.ts +0 -0
package/temp.md.ai.temp +41 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "socket-function",
-	"version": "0.66.0",
+	"version": "0.67.0",
 	"main": "index.js",
 	"license": "MIT",
 	"dependencies": {

package/require/RequireController.ts CHANGED Viewed

@@ -134,8 +134,9 @@ class RequireControllerBase {
     public async requireHTML(config?: {
         requireCalls?: string[];
+        cacheTime?: number;
     }) {
-        let { requireCalls } = config || {};
+        let { requireCalls, cacheTime } = config || {};
         let result = resolvedHTMLFile();
         if (beforeEntryText.length > 0) {
             let resolved: string[] = [];
@@ -166,7 +167,13 @@ class RequireControllerBase {
         } else {
             result = result.replace(ENTRY_TEMPLATE, "");
         }
-        return setHTTPResultHeaders(Buffer.from(result), { "Content-Type": "text/html" });
+        let headers: Record<string, string> = {
+            "Content-Type": "text/html"
+        };
+        if (cacheTime) {
+            headers["Cache-Control"] = `max-age=${Math.floor(cacheTime / 1000)}`;
+        }
+        return setHTTPResultHeaders(Buffer.from(result), headers);
     }
     public async getModules(

package/src/callHTTPHandler.ts CHANGED Viewed

@@ -61,6 +61,53 @@ export async function httpCallHandler(request: http.IncomingMessage, response: h
         // Don't keep alive, to prevent issues with zombie sockets.
         response.setHeader("Connection", "close");
+        // CORS bs (due to having to explictly allow subdomains)
+        {
+            response.setHeader("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");
+            response.setHeader("Cross-Origin-Opener-Policy", "same-origin-allow-popups");
+            // NOTE: "credentialless" would work here too
+            response.setHeader("Cross-Origin-Embedder-Policy", "require-corp");
+            let origin = request.headers.origin || request.headers.referer;
+            let allowed = false;
+            if (!origin) {
+                // I guess it's a script, so just allow it (as it could easily set any header it wanted anyways)
+                allowed = true;
+                origin = "*";
+            } else {
+                let host = request.headers.host;
+                if (!host) {
+                    throw new Error("Missing host in request headers");
+                }
+                function rootDomain(hostname: string) {
+                    let parts = hostname.split(".");
+                    if (parts.length > 2) {
+                        return parts.slice(-2).join(".");
+                    }
+                    return hostname;
+                }
+                allowed = rootDomain(host) === rootDomain(origin);
+            }
+            // Allow if it has no origin, as that means it isn't a CORS request?
+            if (allowed) {
+                response.setHeader("Cross-Origin-Resource-Policy", "cross-origin");
+            } else {
+                response.setHeader("Cross-Origin-Resource-Policy", "same-site");
+            }
+            response.setHeader("vary", "Access-Control-Request-Headers");
+            response.setHeader("Access-Control-Allow-Origin", allowed ? origin : "");
+            if (allowed) {
+                response.setHeader("Access-Control-Allow-Credentials", "true");
+                response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+                response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, Content-Length, X-Requested-With, x-uncompressed-content-length, Cookie");
+            }
+            response.setHeader("Access-Control-Expose-Headers", "x-uncompressed-content-length");
+        }
         let urlBase = request.url;
         if (!urlBase) {
             throw new Error("Missing URL");

package/src/corsCheck.ts ADDED Viewed

File without changes

package/temp.md.ai.temp ADDED Viewed

@@ -0,0 +1,41 @@
+{
+    "instructions": [
+        {
+            "messages": [
+                {
+                    "role": "user",
+                    "header": "# user",
+                    "content": "How secure is comparing the Host and Origin headers, checking if they have the same root domain, and then adding \"Access-Control-Allow-Origin\"\n\n",
+                    "slot": "",
+                    "chStart": 0,
+                    "chEnd": 7
+                }
+            ],
+            "params": {
+                "model": "openrouter-deepseek/deepseek-chat",
+                "max_tokens": 9999
+            },
+            "startIndex": 150,
+            "endIndex": 150
+        },
+        {
+            "messages": [
+                {
+                    "role": "user",
+                    "header": "# user",
+                    "content": "How secure is comparing the Host and Origin headers, checking if they have the same root domain, and then adding \"Access-Control-Allow-Origin\"\n\n",
+                    "slot": "",
+                    "chStart": 0,
+                    "chEnd": 7
+                }
+            ],
+            "params": {
+                "model": "openrouter-deepseek/deepseek-r1",
+                "max_tokens": 9999
+            },
+            "startIndex": 219,
+            "endIndex": 219
+        }
+    ],
+    "rawResult": "Comparing the `Host` and `Origin` headers to check if they have the same root domain and then dynamically setting the `Access-Control-Allow-Origin` header can be a reasonable approach to enforce cross-origin resource sharing (CORS) policies, but it has its nuances and potential pitfalls. Here's a detailed analysis of its security implications:\n\n### How It Works\n1. **Host Header**: Represents the domain of the server receiving the request.\n2. **Origin Header**: Represents the domain from which the request originates (e.g., in a cross-origin request).\n3. **Root Domain Comparison**: Check if the `Origin` and `Host` share the same root domain (e.g., `example.com` and `api.example.com`).\n4. **Access-Control-Allow-Origin**: If they match, set this header to the value of the `Origin` header to allow the request.\n\n### Security Considerations\n\n#### **1. Same-Origin Policy**\nThis approach ensures that only requests from the same root domain are allowed, which aligns with the same-origin policy. This can prevent unauthorized cross-origin requests.\n\n#### **2. Root Domain Matching**\nComparing the root domain ensures that subdomains of the same root domain are allowed. For example, `api.example.com` and `app.example.com` share the same root domain (`example.com`). This can be useful for microservices or APIs hosted on subdomains.\n\n#### **3. Potential Misconfigurations**\n- **Weak Root Domain Matching**: If the root domain matching logic is not strict, it could lead to vulnerabilities. For example, improperly parsing domains could allow `example.com.evil.com` to be treated as the same root domain.\n- **HTTP Header Spoofing**: If the server blindly trusts the `Origin` header, an attacker could spoof it to bypass CORS restrictions. Always validate the `Origin` header against a whitelist of allowed domains.\n\n#### **4. Security Best Practices**\n- **Whitelist Allowed Origins**: Instead of dynamically allowing any origin that matches the root domain, maintain a whitelist of trusted origins. This reduces the risk of allowing unintended domains.\n- **Validate Headers**: Ensure that the `Origin` and `Host` headers are properly validated to prevent spoofing or injection attacks.\n- **Use HTTPS**: Always enforce HTTPS to prevent man-in-the-middle attacks that could tamper with headers.\n- **Limit Scopes**: Only allow CORS for specific endpoints that require it, and restrict methods (e.g., `GET`, `POST`) and headers as needed.\n- **Avoid Wildcards**: Avoid using `Access-Control-Allow-Origin: *` unless absolutely necessary, as it allows access from any domain.\n\n#### **5. Additional Security Headers**\n- **Access-Control-Allow-Credentials**: Only set this to `true` if the request includes credentials (e.g., cookies) and you explicitly need to allow them.\n- **Vary: Origin**: Include this header to prevent caching issues with CORS responses.\n\n### Example Implementation (Pseudocode)\n```pseudocode\nif request.headers['Origin'] is not null:\n    root_domain_origin = extract_root_domain(request.headers['Origin'])\n    root_domain_host = extract_root_domain(request.headers['Host'])\n    \n    if root_domain_origin == root_domain_host:\n        response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']\n        response.headers['Vary'] = 'Origin'\n    else:\n        deny_request()\nelse:\n    deny_request()\n```\n\n### Conclusion\nThis approach can be secure if implemented carefully, but it's essential to follow best practices like strict domain validation, whitelisting origins, and enforcing HTTPS. Always test your CORS implementation thoroughly to ensure it doesn't introduce vulnerabilities."
+}