ssrf-agent-guard 0.1.3 → 0.1.5

package/README.md

@@ -1,6 +1,6 @@
 # ssrf-agent-guard
 
-#### SSRF-Guard is a Node.js module for protecting your HTTP/HTTPS requests against SSRF (Server-Side Request Forgery) attacks. It wraps http.Agent and https.Agent to enforce pre and post DNS host/IP checks, block access to cloud metadata endpoints, private IPs, and unsafe domains.
+#### `ssrf-agent-guard` is a Node.js module for protecting your HTTP/HTTPS requests against SSRF (Server-Side Request Forgery) attacks. It wraps http.Agent and https.Agent to enforce pre and post DNS host/IP checks, block access to cloud metadata endpoints, private IPs, and unsafe domains.
 ---
 
 ## Features
@@ -35,7 +35,10 @@ const isValidDomainOptions = {
   subdomain: true,
   wildcard: true
 };
-axios.get(url, {httpAgent: ssrfAgentGuard(url), httpsAgent: ssrfAgentGuard(url)})
+axios.get(
+  url, {
+    httpAgent: ssrfAgentGuard(url, isValidDomainOptions), httpsAgent: ssrfAgentGuard(url, isValidDomainOptions)
+    })
       .then((response) => {
         console.log(`Success`);
       })

package/dist/index.cjs.js

@@ -27,25 +27,16 @@ function isIp(input) {
 function isPublicIp(ip) {
     return ipaddr.parse(ip).range() === 'unicast';
 }
-/**
- * Validates whether a domain is syntactically valid.
- */
-function isSafeIp(hostname) {
-    // Case 1: IP address
-    if (isIp(hostname)) {
-        return isPublicIp(hostname); // only allow public IPs
-    }
-    return true;
-}
 /**
  * High-level validation for hostnames (domains + public IPs).
  */
 function isSafeHost(hostname, isValidDomainOptions) {
     // Block cloud metadata IP/domains
-    if (CLOUD_METADATA_HOSTS.indexOf(hostname))
-        return false;
-    if (!isSafeIp(hostname))
+    if (CLOUD_METADATA_HOSTS.indexOf(hostname) !== -1)
         return false;
+    // Case 1: IP address
+    if (isIp(hostname))
+        return isPublicIp(hostname);
     // Case 2: Domain name
     return isValidDomain(hostname, {
         allowUnicode: false,
@@ -90,7 +81,7 @@ const ssrfAgentGuard = function (url, isValidDomainOptions) {
     // The original createConnection function from the Agent
     const createConnection = finalAgent.createConnection;
     // Patch the createConnection method on the agent
-    finalAgent.createConnection = (options, fn) => {
+    finalAgent.createConnection = function (options, fn) {
         const { host: address } = options;
         // --- 1. Pre-DNS Check (Host/Address Check) ---
         // If the 'host' option is an IP address, check it immediately.
@@ -99,22 +90,19 @@ const ssrfAgentGuard = function (url, isValidDomainOptions) {
             throw new Error(`DNS lookup ${address} is not allowed.`);
         }
         // Call the original createConnection
-        // @ts-expect-error 'this' is not assignable to type 'HttpAgent | HttpsAgent'
         const client = createConnection.call(this, options, fn);
         // --- 2. Post-DNS Check (Lookup Event Check) ---
         // The 'lookup' event fires after the DNS lookup is complete
         // and provides the resolved IP address.
         client?.on('lookup', (err, resolvedAddress) => {
-            // If there was an error in lookup, or if the resolved IP is allowed, do nothing.
-            if (err) {
-                return;
-            }
             // Ensure resolvedAddress is a string for the check (it's typically a string for simple lookups)
             const ipToCheck = Array.isArray(resolvedAddress) ? resolvedAddress[0] : resolvedAddress;
-            if (!isSafeHost(ipToCheck)) {
-                // If the resolved IP is NOT allowed (e.g., a private IP), destroy the connection.
-                return client?.destroy(new Error(`DNS lookup ${ipToCheck} is not allowed.`));
+            // If there was an error in lookup, or if the resolved IP is allowed, do nothing.
+            if (err || isSafeHost(ipToCheck, isValidDomainOptions)) {
+                return false;
             }
+            // If the resolved IP is NOT allowed (e.g., a private IP), destroy the connection.
+            return client?.destroy(new Error(`DNS lookup ${ipToCheck} is not allowed.`));
         });
         return client;
     };

package/dist/index.esm.js

@@ -23,25 +23,16 @@ function isIp(input) {
 function isPublicIp(ip) {
     return ipaddr.parse(ip).range() === 'unicast';
 }
-/**
- * Validates whether a domain is syntactically valid.
- */
-function isSafeIp(hostname) {
-    // Case 1: IP address
-    if (isIp(hostname)) {
-        return isPublicIp(hostname); // only allow public IPs
-    }
-    return true;
-}
 /**
  * High-level validation for hostnames (domains + public IPs).
  */
 function isSafeHost(hostname, isValidDomainOptions) {
     // Block cloud metadata IP/domains
-    if (CLOUD_METADATA_HOSTS.indexOf(hostname))
-        return false;
-    if (!isSafeIp(hostname))
+    if (CLOUD_METADATA_HOSTS.indexOf(hostname) !== -1)
         return false;
+    // Case 1: IP address
+    if (isIp(hostname))
+        return isPublicIp(hostname);
     // Case 2: Domain name
     return isValidDomain(hostname, {
         allowUnicode: false,
@@ -86,7 +77,7 @@ const ssrfAgentGuard = function (url, isValidDomainOptions) {
     // The original createConnection function from the Agent
     const createConnection = finalAgent.createConnection;
     // Patch the createConnection method on the agent
-    finalAgent.createConnection = (options, fn) => {
+    finalAgent.createConnection = function (options, fn) {
         const { host: address } = options;
         // --- 1. Pre-DNS Check (Host/Address Check) ---
         // If the 'host' option is an IP address, check it immediately.
@@ -95,22 +86,19 @@ const ssrfAgentGuard = function (url, isValidDomainOptions) {
             throw new Error(`DNS lookup ${address} is not allowed.`);
         }
         // Call the original createConnection
-        // @ts-expect-error 'this' is not assignable to type 'HttpAgent | HttpsAgent'
         const client = createConnection.call(this, options, fn);
         // --- 2. Post-DNS Check (Lookup Event Check) ---
         // The 'lookup' event fires after the DNS lookup is complete
         // and provides the resolved IP address.
         client?.on('lookup', (err, resolvedAddress) => {
-            // If there was an error in lookup, or if the resolved IP is allowed, do nothing.
-            if (err) {
-                return;
-            }
             // Ensure resolvedAddress is a string for the check (it's typically a string for simple lookups)
             const ipToCheck = Array.isArray(resolvedAddress) ? resolvedAddress[0] : resolvedAddress;
-            if (!isSafeHost(ipToCheck)) {
-                // If the resolved IP is NOT allowed (e.g., a private IP), destroy the connection.
-                return client?.destroy(new Error(`DNS lookup ${ipToCheck} is not allowed.`));
+            // If there was an error in lookup, or if the resolved IP is allowed, do nothing.
+            if (err || isSafeHost(ipToCheck, isValidDomainOptions)) {
+                return false;
             }
+            // If the resolved IP is NOT allowed (e.g., a private IP), destroy the connection.
+            return client?.destroy(new Error(`DNS lookup ${ipToCheck} is not allowed.`));
         });
         return client;
     };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ssrf-agent-guard",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "A TypeScript SSRF protection library for Node.js (express/axios) with advanced policies, DNS rebinding detection and cloud metadata protection.",
   "main": "dist/index.cjs.js",
   "module": "dist/index.esm.js",