zapier-platform-core 15.7.3 → 15.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
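--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "zapier-platform-core",
- "version": "15.7.3",
+ "version": "15.8.0",
  "description": "The core SDK for CLI apps in the Zapier Developer Platform.",
  "repository": "zapier/zapier-platform",
  "homepage": "https://platform.zapier.com/",
@@ -52,7 +52,7 @@
  "node-fetch": "2.6.7",
  "oauth-sign": "0.9.0",
  "semver": "7.5.2",
- "zapier-platform-schema": "15.7.3"
+ "zapier-platform-schema": "15.8.0"
  },
  "devDependencies": {
  "@types/node-fetch": "^2.6.11",
@@ -60,7 +60,8 @@
  "aws-sdk": "^2.1397.0",
  "dicer": "^0.3.1",
  "fs-extra": "^11.1.1",
- "mock-fs": "^5.2.0"
+ "mock-fs": "^5.2.0",
+ "nock": "^13.5.4"
  },
  "optionalDependencies": {
  "@types/node": "^20.3.1"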
@@ -45,7 +45,9 @@ const prepareContentResponse = async (resp, request) => {
45
45
 
46
46
  // trim down the response signature a ton for simplicity
47
47
  const preppedResp = {
48
+ url: resp.url,
48
49
  status: resp.status,
50
+ redirected: resp.redirected,
49
51
  json: undefined,
50
52
  data: undefined,
51
53
  content,
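Review bot: The two fields added to `preppedResp` at new lines 48 and 50 are undocumented, and `url` is the response URL — which, as the new redirect middleware's own comment notes, is the post-redirect URL rather than the one the request was issued with — something a reader of the trimmed response is likely to assume otherwise. A short comment would prevent that misreading: `url: resp.url, // final URL after any redirect; differs from the request URL when redirected is true`. `prepareContentResponse` starts and ends outside the hunk.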
@@ -0,0 +1,36 @@
1
+ 'use strict';
2
+
3
+ const { Error } = require('../../errors');
4
+
5
+ const disallowedRedirectHosts = [
6
+ // Loopback addresses (IPv4)
7
+ 'localhost',
8
+ '127.0.0.1',
9
+
10
+ // Loopback addresses (IPv6)
11
+ '::1',
12
+ '[::1]',
13
+ ];
14
+
15
+ function isDisallowedAfterRedirect(url) {
16
+ try {
17
+ const { hostname } = new URL(url);
18
+ return disallowedRedirectHosts.includes(hostname);
19
+ } catch (e) {
20
+ // If URL parsing fails, consider it allowed
21
+ // (being permissive just in case it affects backwards compatibility)
22
+ return false;
23
+ }
24
+ }
25
+
26
+ const throwForDisallowedHostnameAfterRedirect = (resp) => {
27
+ // Looking at the response URL instead of the request URL
28
+ // because the response URL can change after a redirect
29
+ if (resp.redirected && isDisallowedAfterRedirect(resp.url)) {
30
+ throw new Error('Redirecting to disallowed hostname');
31
+ }
32
+
33
+ return resp;
34
+ };
35
+
36
+ module.exports = throwForDisallowedHostnameAfterRedirect;
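Review bot: `isDisallowedAfterRedirect` (new line 18) decides by exact string comparison of the parsed hostname against four literals, so only those spellings are caught — other notations of the loopback range, and IPv6 forms that `new URL()` does not canonicalise to `[::1]`, pass through, and the `'::1'` entry can never match because the WHATWG `URL.hostname` keeps the brackets on IPv6 hosts. Deriving the decision from the parsed address (`net.isIP` on the bracket-stripped hostname, then a loopback-range test) would make the intent hold regardless of spelling. It is also worth stating in a header comment that this middleware runs after node-fetch has already followed the redirect — and, given its position after `prepareResponse`, presumably after the body has been read — so it withholds the response from the app rather than preventing the request to the disallowed host; the `catch` at line 19 that treats an unparseable URL as allowed is a deliberate choice that deserves the same visibility. Finally, destructuring `Error` from `../../errors` shadows the global, so `throw new Error(...)` at line 30 reads as the builtin; `const { Error: PlatformError } = require('../../errors');` would make the origin explicit.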
@@ -20,6 +20,7 @@ const { logResponse } = require('../http-middlewares/after/log-response');
20
20
  const prepareResponse = require('../http-middlewares/after/prepare-response');
21
21
  const throwForStaleAuth = require('../http-middlewares/after/throw-for-stale-auth');
22
22
  const throwForStatusMiddleware = require('../http-middlewares/after/throw-for-status');
23
+ const throwForDisallowedHostnameAfterRedirect = require('../http-middlewares/after/throw-for-disallowed-hostname-after-redirect');
23
24
 
24
25
  const createAppRequestClient = (input, options) => {
25
26
  input = ensurePath(input, '_zapier.app');
@@ -64,6 +65,7 @@ const createAppRequestClient = (input, options) => {
64
65
 
65
66
  const httpAfters = [
66
67
  prepareResponse,
68
+ throwForDisallowedHostnameAfterRedirect,
67
69
  logResponse,
68
70
  ...(includeAutoRefresh ? [throwForStaleAuth] : []),
69
71
  ...ensureArray(app.afterResponse),
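Review bot: Inserting `throwForDisallowedHostnameAfterRedirect` ahead of `logResponse` in `httpAfters` (new line 68) means a blocked redirect throws before the response reaches the logging middleware, so — assuming `logResponse` is what records the exchange — the one response that most warrants an audit entry is the one that never gets logged. Consider placing it after `logResponse`, or having the middleware log the final URL before it throws, so blocked redirects are visible in the request log. `createAppRequestClient` starts and ends outside the hunk.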