@aikidosec/firewall/vulnerabilities/ssrf/isRequestToServiceHostname.js

Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.isRequestToServiceHostname = isRequestToServiceHostname;
// e.g. "discord-bot" or "my_service" or "BACKEND"
const SERVICE_HOSTNAME_PATTERN = /^[a-z-_]+$/;
const NOT_SERVICE_HOSTNAMES = [
    "localhost",
    "localdomain",
    // On GCP "metadata" resolves to the IMDS service (metadata.google.internal)
    // See https://stackoverflow.com/questions/23362887/can-you-get-external-ip-address-from-within-a-google-compute-vm-instance
    // See https://cloud.google.com/compute/docs/internal-dns
    "metadata",
];
function isRequestToServiceHostname(hostname) {
    const lowerHostname = hostname.toLowerCase();
    if (NOT_SERVICE_HOSTNAMES.includes(lowerHostname)) {
        return false;
    }
    return SERVICE_HOSTNAME_PATTERN.test(lowerHostname);
}