forked from sanbuphy/learn-coding-agent
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathssrfGuard.ts
More file actions
294 lines (269 loc) · 8.53 KB
/
Copy pathssrfGuard.ts
File metadata and controls
294 lines (269 loc) · 8.53 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
import type { AddressFamily, LookupAddress as AxiosLookupAddress } from 'axios'
import { lookup as dnsLookup } from 'dns'
import { isIP } from 'net'
/**
* SSRF guard for HTTP hooks.
*
* Blocks private, link-local, and other non-routable address ranges to prevent
* project-configured HTTP hooks from reaching cloud metadata endpoints
* (169.254.169.254) or internal infrastructure.
*
* Loopback (127.0.0.0/8, ::1) is intentionally ALLOWED — local dev policy
* servers are a primary HTTP hook use case.
*
* When a global proxy or the sandbox network proxy is in use, the guard is
* effectively bypassed for the target host because the proxy performs DNS
* resolution. The sandbox proxy enforces its own domain allowlist.
*/
/**
* Returns true if the address is in a range that HTTP hooks should not reach.
*
* Blocked IPv4:
* 0.0.0.0/8 "this" network
* 10.0.0.0/8 private
* 100.64.0.0/10 shared address space / CGNAT (some cloud metadata, e.g. Alibaba 100.100.100.200)
* 169.254.0.0/16 link-local (cloud metadata)
* 172.16.0.0/12 private
* 192.168.0.0/16 private
*
* Blocked IPv6:
* :: unspecified
* fc00::/7 unique local
* fe80::/10 link-local
* ::ffff:<v4> mapped IPv4 in a blocked range
*
* Allowed (returns false):
* 127.0.0.0/8 loopback (local dev hooks)
* ::1 loopback
* everything else
*/
export function isBlockedAddress(address: string): boolean {
const v = isIP(address)
if (v === 4) {
return isBlockedV4(address)
}
if (v === 6) {
return isBlockedV6(address)
}
// Not a valid IP literal — let the real DNS path handle it (this function
// is only called on results from dns.lookup, which always returns valid IPs)
return false
}
function isBlockedV4(address: string): boolean {
const parts = address.split('.').map(Number)
const [a, b] = parts
if (
parts.length !== 4 ||
a === undefined ||
b === undefined ||
parts.some(n => Number.isNaN(n))
) {
return false
}
// Loopback explicitly allowed
if (a === 127) return false
// 0.0.0.0/8
if (a === 0) return true
// 10.0.0.0/8
if (a === 10) return true
// 169.254.0.0/16 — link-local, cloud metadata
if (a === 169 && b === 254) return true
// 172.16.0.0/12
if (a === 172 && b >= 16 && b <= 31) return true
// 100.64.0.0/10 — shared address space (RFC 6598, CGNAT). Some cloud
// providers use this range for metadata endpoints (e.g. Alibaba Cloud at
// 100.100.100.200).
if (a === 100 && b >= 64 && b <= 127) return true
// 192.168.0.0/16
if (a === 192 && b === 168) return true
return false
}
function isBlockedV6(address: string): boolean {
const lower = address.toLowerCase()
// ::1 loopback explicitly allowed
if (lower === '::1') return false
// :: unspecified
if (lower === '::') return true
// IPv4-mapped IPv6 (0:0:0:0:0:ffff:X:Y in any representation — ::ffff:a.b.c.d,
// ::ffff:XXXX:YYYY, expanded, or partially expanded). Extract the embedded
// IPv4 address and delegate to the v4 check. Without this, hex-form mapped
// addresses (e.g. ::ffff:a9fe:a9fe = 169.254.169.254) bypass the guard.
const mappedV4 = extractMappedIPv4(lower)
if (mappedV4 !== null) {
return isBlockedV4(mappedV4)
}
// fc00::/7 — unique local addresses (fc00:: through fdff::)
if (lower.startsWith('fc') || lower.startsWith('fd')) {
return true
}
// fe80::/10 — link-local. The /10 means fe80 through febf, but the first
// hextet is always fe80 in practice (RFC 4291 requires the next 54 bits
// to be zero). Check both to be safe.
const firstHextet = lower.split(':')[0]
if (
firstHextet &&
firstHextet.length === 4 &&
firstHextet >= 'fe80' &&
firstHextet <= 'febf'
) {
return true
}
return false
}
/**
* Expand `::` and optional trailing dotted-decimal so an IPv6 address is
* represented as exactly 8 hex groups. Returns null if expansion is not
* well-formed (the caller has already validated with isIP, so this is
* defensive).
*/
function expandIPv6Groups(addr: string): number[] | null {
// Handle trailing dotted-decimal IPv4 (e.g. ::ffff:169.254.169.254).
// Replace it with its two hex groups so the rest of the expansion is uniform.
let tailHextets: number[] = []
if (addr.includes('.')) {
const lastColon = addr.lastIndexOf(':')
const v4 = addr.slice(lastColon + 1)
addr = addr.slice(0, lastColon)
const octets = v4.split('.').map(Number)
if (
octets.length !== 4 ||
octets.some(n => !Number.isInteger(n) || n < 0 || n > 255)
) {
return null
}
tailHextets = [
(octets[0]! << 8) | octets[1]!,
(octets[2]! << 8) | octets[3]!,
]
}
// Expand `::` (at most one) into the right number of zero groups.
const dbl = addr.indexOf('::')
let head: string[]
let tail: string[]
if (dbl === -1) {
head = addr.split(':')
tail = []
} else {
const headStr = addr.slice(0, dbl)
const tailStr = addr.slice(dbl + 2)
head = headStr === '' ? [] : headStr.split(':')
tail = tailStr === '' ? [] : tailStr.split(':')
}
const target = 8 - tailHextets.length
const fill = target - head.length - tail.length
if (fill < 0) return null
const hex = [...head, ...new Array<string>(fill).fill('0'), ...tail]
const nums = hex.map(h => parseInt(h, 16))
if (nums.some(n => Number.isNaN(n) || n < 0 || n > 0xffff)) {
return null
}
nums.push(...tailHextets)
return nums.length === 8 ? nums : null
}
/**
* Extract the embedded IPv4 address from an IPv4-mapped IPv6 address
* (0:0:0:0:0:ffff:X:Y) in any valid representation — compressed, expanded,
* hex groups, or trailing dotted-decimal. Returns null if the address is
* not an IPv4-mapped IPv6 address.
*/
function extractMappedIPv4(addr: string): string | null {
const g = expandIPv6Groups(addr)
if (!g) return null
// IPv4-mapped: first 80 bits zero, next 16 bits ffff, last 32 bits = IPv4
if (
g[0] === 0 &&
g[1] === 0 &&
g[2] === 0 &&
g[3] === 0 &&
g[4] === 0 &&
g[5] === 0xffff
) {
const hi = g[6]!
const lo = g[7]!
return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`
}
return null
}
/**
* A dns.lookup-compatible function that resolves a hostname and rejects
* addresses in blocked ranges. Used as the `lookup` option in axios request
* config so that the validated IP is the one the socket connects to — no
* rebinding window between validation and connection.
*
* IP literals in the hostname are validated directly without DNS.
*
* Signature matches axios's `lookup` config option (not Node's dns.lookup).
*/
export function ssrfGuardedLookup(
hostname: string,
options: object,
callback: (
err: Error | null,
address: AxiosLookupAddress | AxiosLookupAddress[],
family?: AddressFamily,
) => void,
): void {
const wantsAll = 'all' in options && options.all === true
// If hostname is already an IP literal, validate it directly. dns.lookup
// would short-circuit too, but checking here gives a clearer error and
// avoids any platform-specific lookup behavior for literals.
const ipVersion = isIP(hostname)
if (ipVersion !== 0) {
if (isBlockedAddress(hostname)) {
callback(ssrfError(hostname, hostname), '')
return
}
const family = ipVersion === 6 ? 6 : 4
if (wantsAll) {
callback(null, [{ address: hostname, family }])
} else {
callback(null, hostname, family)
}
return
}
dnsLookup(hostname, { all: true }, (err, addresses) => {
if (err) {
callback(err, '')
return
}
for (const { address } of addresses) {
if (isBlockedAddress(address)) {
callback(ssrfError(hostname, address), '')
return
}
}
const first = addresses[0]
if (!first) {
callback(
Object.assign(new Error(`ENOTFOUND ${hostname}`), {
code: 'ENOTFOUND',
hostname,
}),
'',
)
return
}
const family = first.family === 6 ? 6 : 4
if (wantsAll) {
callback(
null,
addresses.map(a => ({
address: a.address,
family: a.family === 6 ? 6 : 4,
})),
)
} else {
callback(null, first.address, family)
}
})
}
function ssrfError(hostname: string, address: string): NodeJS.ErrnoException {
const err = new Error(
`HTTP hook blocked: ${hostname} resolves to ${address} (private/link-local address). Loopback (127.0.0.1, ::1) is allowed for local dev.`,
)
return Object.assign(err, {
code: 'ERR_HTTP_HOOK_BLOCKED_ADDRESS',
hostname,
address,
})
}