UNPKG

dtamind-components

Version:

DTAmindai Components

dtamind.com

222 lines (186 loc) 8.4 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
import * as ipaddr from 'ipaddr.js' import dns from 'dns/promises' import axios, { AxiosRequestConfig, AxiosResponse } from 'axios' import fetch, { RequestInit, Response } from 'node-fetch' /** * Checks if an IP address is in the deny list * @param ip - IP address to check * @param denyList - Array of denied IP addresses/CIDR ranges * @throws Error if IP is in deny list */ export function isDeniedIP(ip: string, denyList: string[]): void { const parsedIp = ipaddr.parse(ip) for (const entry of denyList) { if (entry.includes('/')) { try { const [range, _] = entry.split('/') const parsedRange = ipaddr.parse(range) if (parsedIp.kind() === parsedRange.kind()) { if (parsedIp.match(ipaddr.parseCIDR(entry))) { throw new Error('Access to this host is denied by policy.') } } } catch (error) { throw new Error(`isDeniedIP: ${error}`) } } else if (ip === entry) { throw new Error('Access to this host is denied by policy.') } } } /** * Checks if a URL is allowed based on HTTP_DENY_LIST environment variable * @param url - URL to check * @throws Error if URL hostname resolves to a denied IP */ export async function checkDenyList(url: string): Promise<void> { const httpDenyListString: string | undefined = process.env.HTTP_DENY_LIST if (!httpDenyListString) return const httpDenyList = httpDenyListString.split(',').map((ip) => ip.trim()) const urlObj = new URL(url) const hostname = urlObj.hostname if (ipaddr.isValid(hostname)) { isDeniedIP(hostname, httpDenyList) } else { const addresses = await dns.lookup(hostname, { all: true }) for (const address of addresses) { isDeniedIP(address.address, httpDenyList) } } } /** * Makes a secure HTTP request that validates all URLs in redirect chains against the deny list * @param config - Axios request configuration * @param maxRedirects - Maximum number of redirects to follow (default: 5) * @returns Promise<AxiosResponse> * @throws Error if any URL in the redirect chain is denied */ export async function secureAxiosRequest(config: AxiosRequestConfig, maxRedirects: number = 5): Promise<AxiosResponse> { let currentUrl = config.url let redirectCount = 0 let currentConfig = { ...config, maxRedirects: 0 } // Disable automatic redirects // Validate the initial URL if (currentUrl) { await checkDenyList(currentUrl) } while (redirectCount <= maxRedirects) { try { // Update the URL in config for subsequent requests currentConfig.url = currentUrl const response = await axios(currentConfig) // If it's a successful response (not a redirect), return it if (response.status < 300 || response.status >= 400) { return response } // Handle redirect const location = response.headers.location if (!location) { // No location header, but it's a redirect status - return the response return response } redirectCount++ if (redirectCount > maxRedirects) { throw new Error('Too many redirects') } // Resolve the redirect URL (handle relative URLs) const redirectUrl = new URL(location, currentUrl).toString() // Validate the redirect URL against the deny list await checkDenyList(redirectUrl) // Update current URL for next iteration currentUrl = redirectUrl // For redirects, we only need to preserve certain headers and change method if needed if (response.status === 301 || response.status === 302 || response.status === 303) { // For 303, or when redirecting POST requests, change to GET if ( response.status === 303 || (currentConfig.method && ['POST', 'PUT', 'PATCH'].includes(currentConfig.method.toUpperCase())) ) { currentConfig.method = 'GET' delete currentConfig.data } } } catch (error) { // If it's not a redirect-related error from axios, propagate it if (error.response && error.response.status >= 300 && error.response.status < 400) { // This is a redirect response that axios couldn't handle automatically // Continue with our manual redirect handling const response = error.response const location = response.headers.location if (!location) { return response } redirectCount++ if (redirectCount > maxRedirects) { throw new Error('Too many redirects') } const redirectUrl = new URL(location, currentUrl).toString() await checkDenyList(redirectUrl) currentUrl = redirectUrl // Handle method changes for redirects if (response.status === 301 || response.status === 302 || response.status === 303) { if ( response.status === 303 || (currentConfig.method && ['POST', 'PUT', 'PATCH'].includes(currentConfig.method.toUpperCase())) ) { currentConfig.method = 'GET' delete currentConfig.data } } continue } // For other errors, re-throw throw error } } throw new Error('Too many redirects') } /** * Makes a secure fetch request that validates all URLs in redirect chains against the deny list * @param url - URL to fetch * @param init - Fetch request options * @param maxRedirects - Maximum number of redirects to follow (default: 5) * @returns Promise<Response> * @throws Error if any URL in the redirect chain is denied */ export async function secureFetch(url: string, init?: RequestInit, maxRedirects: number = 5): Promise<Response> { let currentUrl = url let redirectCount = 0 let currentInit = { ...init, redirect: 'manual' as const } // Disable automatic redirects // Validate the initial URL await checkDenyList(currentUrl) while (redirectCount <= maxRedirects) { const response = await fetch(currentUrl, currentInit) // If it's a successful response (not a redirect), return it if (response.status < 300 || response.status >= 400) { return response } // Handle redirect const location = response.headers.get('location') if (!location) { // No location header, but it's a redirect status - return the response return response } redirectCount++ if (redirectCount > maxRedirects) { throw new Error('Too many redirects') } // Resolve the redirect URL (handle relative URLs) const redirectUrl = new URL(location, currentUrl).toString() // Validate the redirect URL against the deny list await checkDenyList(redirectUrl) // Update current URL for next iteration currentUrl = redirectUrl // Handle method changes for redirects according to HTTP specs if (response.status === 301 || response.status === 302 || response.status === 303) { // For 303, or when redirecting POST/PUT/PATCH requests, change to GET if (response.status === 303 || (currentInit.method && ['POST', 'PUT', 'PATCH'].includes(currentInit.method.toUpperCase()))) { currentInit = { ...currentInit, method: 'GET', body: undefined } } } } throw new Error('Too many redirects') }