
@aikidosec/firewall


Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.containsPrivateIPAddress = containsPrivateIPAddress;
const tryParseURL_1 = require("../../helpers/tryParseURL");
const isPrivateIP_1 = require("./isPrivateIP");
/**
 * Report whether a hostname is itself a private IP address (or "localhost").
 *
 * This is the cheap first-line SSRF check: a request whose hostname is
 * literally a private address is flagged here without any DNS work.
 * Hostnames this function receives look like "192.168.0.1", "[::1]"
 * or "localhost".
 *
 * A public domain that merely resolves to a private IP is NOT flagged here;
 * that case is handled by inspectDNSLookupCalls.
 *
 * @param {string} hostname - the hostname part of a URL; IPv6 literals keep
 *   their surrounding square brackets
 * @returns {boolean} true when hostname is "localhost" or a private IP address
 */
function containsPrivateIPAddress(hostname) {
  // Exact, case-sensitive comparison as written.
  // NOTE(review): presumably callers hand over an already-normalized hostname — confirm.
  if (hostname === "localhost") {
    return true;
  }
  // Run the value through the URL parser so we check the parser's view of the host.
  const parsed = tryParseURL_1.tryParseURL(`http://${hostname}`);
  if (!parsed) {
    // Something that does not even parse as a host is not treated as private here.
    return false;
  }
  const candidate = parsed.hostname;
  // An IPv6 literal arrives bracketed (e.g. "[::1]"); test the bare address first.
  const bareIPv6 = stripIPv6Brackets(candidate);
  if (bareIPv6 !== null && isPrivateIP_1.isPrivateIP(bareIPv6)) {
    return true;
  }
  // Otherwise check the hostname exactly as the parser returned it.
  return isPrivateIP_1.isPrivateIP(candidate);
}
/**
 * Return the address inside "[...]" when `host` is a bracketed IPv6 literal,
 * otherwise null.
 *
 * @param {string} host - hostname as returned by the URL parser
 * @returns {string | null} the unbracketed address, or null when not bracketed
 */
function stripIPv6Brackets(host) {
  const isBracketed = host.startsWith("[") && host.endsWith("]");
  return isBracketed ? host.slice(1, -1) : null;
}