@juspay/neurolink

Universal AI Development Platform with working MCP integration, multi-provider support, voice (TTS/STT/realtime), and professional CLI. 58+ external MCP servers discoverable, multimodal file processing, RAG pipelines. Build, test, and deploy AI applicatio

53 lines (52 loc) 2.2 kB
/**
 * SSRF Guard — Safe URL Validation Utility
 *
 * Prevents Server-Side Request Forgery by:
 *   1. Enforcing HTTPS-only (no plain HTTP).
 *   2. Normalising encoded IPv4 forms (octal, hex, decimal integer, IPv4-mapped IPv6)
 *      to canonical dotted-decimal before range-checking.
 *   3. Resolving the hostname for **both** A and AAAA families and rejecting
 *      requests to RFC 1918 private ranges, loopback, link-local, CGNAT,
 *      IPv6 link-local/ULA, and cloud metadata endpoints
 *      (AWS / GCP / Azure / Alibaba).
 *   4. Re-throwing on DNS failure rather than silently allowing the request.
 *
 * **DNS rebinding residual race:** `assertSafeUrl` validates the IP at the
 * moment of the lookup. If the resolver returns a public IP here and a private
 * IP at the actual `fetch()` call, the guard is bypassed. To eliminate the
 * race, use the companion `safeDownload` helper in `safeFetch.ts` which pins
 * the resolved IP onto the request via an undici Agent dispatcher.
 *
 * Usage:
 *   await assertSafeUrl(url);
 *   // ... or, for actual downloads: ...
 *   await safeDownload(url, { maxBytes, label });
 *
 * @module utils/ssrfGuard
 */
/**
 * Assert that `url` is safe to fetch server-side.
 *
 * @throws {Error} when the URL is non-HTTPS, parses as a blocked IP literal,
 *   or resolves (A or AAAA) to a blocked IP. **Also throws on DNS lookup
 *   failure** (the previous behaviour of silently allowing was a bypass —
 *   an attacker-controlled resolver could force NXDOMAIN here and a private
 *   IP at the actual fetch).
 */
export declare function assertSafeUrl(url: string): Promise<void>;
/**
 * Validate `url` and return the resolved IP that should be used for the
 * actual fetch (companion to `safeFetch.ts:safeDownload`).
 *
 * For IP-literal hosts, returns the normalised IP and family. For hostnames,
 * returns the first acceptable IP from the resolver. Same throw semantics as
 * {@link assertSafeUrl}.
 *
 * This is the canonical entry point for binary downloads where DNS-rebinding
 * pinning matters — see `safeFetch.ts`.
 */
export declare function validateAndResolveUrl(url: string): Promise<{
  url: string;
  ip: string;
  family: 4 | 6;
}>;
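An added example, not code from @juspay/neurolink, of the checks the header comment lists: IPv4 literal normalisation (octal, hex, decimal integer, short forms, IPv4-mapped IPv6), the private/CGNAT/link-local/metadata range test for both families, and a `validateAndResolveUrl`-style function that fails closed on DNS errors and rejects if any A/AAAA answer is blocked. The resolver is injectable so the logic runs offline against a stub; `normalizeIPv4`, `isBlockedIp`, `validateAndResolve` and `Resolver` are names chosen here, and the undici pinning step from `safeFetch.ts` is not shown.

```typescript
import { isIP } from "node:net";
import { promises as dns } from "node:dns";
// One dotted component as inet_aton reads it: 0x-hex, leading-zero octal, else decimal; NaN if malformed.
function parsePart(p: string): number {
  if (!/^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$/i.test(p)) return NaN;
  return /^0x/i.test(p) ? parseInt(p, 16) : p.length > 1 && p[0] === "0" ? parseInt(p, 8) : parseInt(p, 10);
}
// Canonicalise an IPv4 literal (decimal integer, hex, octal, short forms, ::ffff: mapped) to dotted-decimal.
export function normalizeIPv4(host: string): string | null {
  let h = host.replace(/^\[|\]$/g, "").toLowerCase();
  if (h.startsWith("::ffff:")) h = h.slice(7);
  if (h.includes(":")) { // mapped form written as two hex groups, e.g. ::ffff:7f00:1
    const g = h.split(":").map((x) => parseInt(x, 16));
    if (g.length !== 2 || g.some((x) => !(x >= 0 && x <= 0xffff))) return null;
    h = [g[0] >> 8, g[0] & 255, g[1] >> 8, g[1] & 255].join(".");
  }
  const nums = h.split(".").map(parsePart);
  if (nums.length > 4 || nums.some(Number.isNaN)) return null;
  let value = 0; // leading parts are one byte each; the last part fills whatever bytes remain
  for (let i = 0; i < nums.length - 1; i++) { if (nums[i] > 255) return null; value = value * 256 + nums[i]; }
  const rest = 4 - (nums.length - 1), last = nums[nums.length - 1];
  if (last >= 2 ** (8 * rest)) return null;
  value = value * 2 ** (8 * rest) + last;
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join(".");
}

const BLOCKED_V4: Array<[string, number]> = [["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], // CGNAT
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16]]; // 169.254/16 covers metadata IPs
const toInt = (ip: string): number => ip.split(".").reduce((a, o) => a * 256 + Number(o), 0);
export function isBlockedIp(ip: string): boolean {
  const v4 = normalizeIPv4(ip);
  if (v4) return BLOCKED_V4.some(([base, bits]) => toInt(v4) >>> (32 - bits) === toInt(base) >>> (32 - bits));
  const h = ip.toLowerCase(); // IPv6: loopback/unspecified, link-local fe80::/10, ULA fc00::/7 (common spellings only)
  return h === "::1" || h === "::" || /^fe[89ab]/.test(h) || /^f[cd]/.test(h);
}

type Resolver = (host: string) => Promise<Array<{ address: string; family: number }>>;
// Same contract as validateAndResolveUrl: the returned ip is what the caller must pin for the actual fetch.
export async function validateAndResolve(url: string, resolve: Resolver = (h) => dns.lookup(h, { all: true })) {
  const u = new URL(url);
  if (u.protocol !== "https:") throw new Error(`blocked: scheme ${u.protocol} is not https`);
  const host = u.hostname.replace(/^\[|\]$/g, "");
  const literal = normalizeIPv4(host) ?? (isIP(host) === 6 ? host : null);
  if (literal && isBlockedIp(literal)) throw new Error(`blocked: literal ${host} is ${literal}, a non-public address`);
  if (literal) return { url, ip: literal, family: (literal.includes(":") ? 6 : 4) as 4 | 6 };
  const answers = await resolve(host); // rejects on NXDOMAIN: failing open here is the bypass the header describes
  for (const a of answers) if (isBlockedIp(a.address)) throw new Error(`blocked: ${host} resolves to ${a.address}`);
  if (!answers[0]) throw new Error(`blocked: ${host} has no A/AAAA records`);
  return { url, ip: answers[0].address, family: (answers[0].family === 6 ? 6 : 4) as 4 | 6 };
}
```

The returned `ip` is only meaningful if the caller actually connects to it; a later unpinned `fetch(url)` re-resolves and reopens the rebinding race the header describes.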