UNPKG

@ai-sdk/provider-utils

Version:

ai-sdk.dev/docs

vercel/ai

231 lines (201 loc) 7.16 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
import { DownloadError } from './download-error'; /** * Validates that a URL is safe to download from, blocking private/internal addresses * to prevent SSRF attacks. * * Note: this performs string/literal-IP checks only. It does not resolve DNS, so a * hostname that resolves to a private address is not blocked here (see callers, which * should additionally constrain egress at the network layer when handling untrusted URLs). * * @param url - The URL string to validate. * @throws DownloadError if the URL is unsafe. */ export function validateDownloadUrl(url: string): void { let parsed: URL; try { parsed = new URL(url); } catch { throw new DownloadError({ url, message: `Invalid URL: ${url}`, }); } // data: URLs are inline content, so they do not trigger a network fetch or SSRF risk. if (parsed.protocol === 'data:') { return; } // Only allow http and https network protocols if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') { throw new DownloadError({ url, message: `URL scheme must be http, https, or data, got ${parsed.protocol}`, }); } // Strip a trailing dot so a fully-qualified name like `localhost.` (which resolves // identically to `localhost`) cannot bypass the hostname blocklist below. const hostname = parsed.hostname.toLowerCase().replace(/\.+$/, ''); // Block empty hostname if (!hostname) { throw new DownloadError({ url, message: `URL must have a hostname`, }); } // Block localhost and .local domains if ( hostname === 'localhost' || hostname.endsWith('.local') || hostname.endsWith('.localhost') ) { throw new DownloadError({ url, message: `URL with hostname ${hostname} is not allowed`, }); } // Check for IPv6 addresses (enclosed in brackets in URLs) if (hostname.startsWith('[') && hostname.endsWith(']')) { const ipv6 = hostname.slice(1, -1); if (isPrivateIPv6(ipv6)) { throw new DownloadError({ url, message: `URL with IPv6 address ${hostname} is not allowed`, }); } return; } // Check for IPv4 addresses if (isIPv4(hostname)) { if (isPrivateIPv4(hostname)) { throw new DownloadError({ url, message: `URL with IP address ${hostname} is not allowed`, }); } return; } } function isIPv4(hostname: string): boolean { const parts = hostname.split('.'); if (parts.length !== 4) return false; return parts.every(part => { const num = Number(part); return ( Number.isInteger(num) && num >= 0 && num <= 255 && String(num) === part ); }); } function isPrivateIPv4(ip: string): boolean { const parts = ip.split('.').map(Number); const [a, b, c] = parts; // 0.0.0.0/8 if (a === 0) return true; // 10.0.0.0/8 if (a === 10) return true; // 100.64.0.0/10 (CGNAT, used by some cloud providers for internal traffic) if (a === 100 && b >= 64 && b <= 127) return true; // 127.0.0.0/8 if (a === 127) return true; // 169.254.0.0/16 if (a === 169 && b === 254) return true; // 172.16.0.0/12 if (a === 172 && b >= 16 && b <= 31) return true; // 192.0.0.0/24 (IETF protocol assignments) if (a === 192 && b === 0 && c === 0) return true; // 192.168.0.0/16 if (a === 192 && b === 168) return true; // 198.18.0.0/15 (benchmarking) if (a === 198 && (b === 18 || b === 19)) return true; // 240.0.0.0/4 (reserved, includes 255.255.255.255 broadcast) if (a >= 240) return true; return false; } /** * Expands an IPv6 address string into its 8 16-bit groups, handling `::` * compression and an optional dotted-decimal IPv4 tail (e.g. `::ffff:127.0.0.1`). * * @returns the 8 groups, or null if the input is not a parseable IPv6 address. */ function parseIPv6(ip: string): number[] | null { // Strip an optional zone id (e.g. `fe80::1%eth0`). let address = ip.toLowerCase(); const zoneIndex = address.indexOf('%'); if (zoneIndex !== -1) { address = address.slice(0, zoneIndex); } // At most one `::` compression marker is allowed. const halves = address.split('::'); if (halves.length > 2) return null; const toGroups = (segment: string): number[] | null => { if (segment === '') return []; const groups: number[] = []; const parts = segment.split(':'); for (let i = 0; i < parts.length; i++) { const part = parts[i]; // A dotted-decimal IPv4 tail is only valid as the final part. if (part.includes('.')) { if (i !== parts.length - 1 || !isIPv4(part)) return null; const [a, b, c, d] = part.split('.').map(Number); groups.push((a << 8) | b, (c << 8) | d); continue; } if (!/^[0-9a-f]{1,4}$/.test(part)) return null; groups.push(parseInt(part, 16)); } return groups; }; const head = toGroups(halves[0]); if (head === null) return null; if (halves.length === 2) { const tail = toGroups(halves[1]); if (tail === null) return null; const fill = 8 - head.length - tail.length; if (fill < 0) return null; return [...head, ...new Array<number>(fill).fill(0), ...tail]; } // No `::` compression: the address must contain exactly 8 groups. return head.length === 8 ? head : null; } function isPrivateIPv6(ip: string): boolean { const groups = parseIPv6(ip); // Fail closed: if the address cannot be parsed, treat it as unsafe. if (groups === null) return true; const topZero = (count: number) => groups.slice(0, count).every(group => group === 0); // ::1 (loopback) and :: (unspecified) if (topZero(7) && (groups[7] === 0 || groups[7] === 1)) return true; // fc00::/7 (unique local addresses) if ((groups[0] & 0xfe00) === 0xfc00) return true; // fe80::/10 (link-local) if ((groups[0] & 0xffc0) === 0xfe80) return true; // fec0::/10 (site-local, deprecated but still routable internally) if ((groups[0] & 0xffc0) === 0xfec0) return true; // ff00::/8 (multicast) if ((groups[0] & 0xff00) === 0xff00) return true; // Addresses that embed an IPv4 address in their last 32 bits. For these we // extract the embedded IPv4 and reuse the IPv4 private-range checks, so that // e.g. ::ffff:127.0.0.1 or 64:ff9b::169.254.169.254 are blocked. const embedsIPv4 = // ::/96 — IPv4-compatible (deprecated) topZero(6) || // ::ffff:0:0/96 — IPv4-mapped (ffff in group 5) (topZero(5) && groups[5] === 0xffff) || // ::ffff:0:0/96 — IPv4-translated form (ffff in group 4, group 5 zero) (topZero(4) && groups[4] === 0xffff && groups[5] === 0) || // 64:ff9b::/96 — NAT64 well-known prefix (groups[0] === 0x0064 && groups[1] === 0xff9b && groups[2] === 0 && groups[3] === 0 && groups[4] === 0 && groups[5] === 0) || // 64:ff9b:1::/48 — NAT64 local-use prefix (groups[0] === 0x0064 && groups[1] === 0xff9b && groups[2] === 0x0001); if (embedsIPv4) { const a = (groups[6] >> 8) & 0xff; const b = groups[6] & 0xff; const c = (groups[7] >> 8) & 0xff; const d = groups[7] & 0xff; return isPrivateIPv4(`${a}.${b}.${c}.${d}`); } return false; }