UNPKG

safe-request

Version:

`request` wrapper to protect from SSRF and similar attacks

119 lines (98 loc) 2.92 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
'use strict'; const {resolve, parse} = require('url'); const request = require('request'); const {noop, once, safeCallSync} = require('./utils'); const Safety = require('./Safety'); const errors = require('./errors'); const {createRestrictions, createOptions} = require('./defaults'); const normalizeOptions = (optionsOrUrlString) => { const opts = 'string' === typeof optionsOrUrlString ? {uri: optionsOrUrlString} : optionsOrUrlString; if (opts.url) { opts.uri = opts.url; delete opts.url; } if (opts.baseUrl) { opts.uri = resolve(opts.baseUrl, opts.uri); delete opts.baseUrl; } return opts; }; const safeRequest = (restrictions, options, callback) => { const limits = { network: restrictions.networkLimit, encoded: restrictions.encodedLimit, decoded: restrictions.decodedLimit }; const validate = { uri: restrictions.checkUri, address: restrictions.checkAddress }; if (validate.uri && (validate.uri(parse(options.uri)) !== true)) { return setImmediate(callback, new Error(errors.BadUri)); } const params = Object.assign( { followRedirect: (res) => { if (!validate.uri) return true; const redirectTo = res.caseless.has('location') && res.caseless.get('location'); const url = resolve(res.request.uri.href, redirectTo); const valid = validate.uri(parse(url)); if (valid !== true) safety.fail(new Error(errors.BadUri)); return valid; } }, options ); // Create request. const req = safeCallSync(request, params); if (req instanceof Error) return setImmediate(callback, errors._wrapError(req)); // Create safety thingy. const safety = new Safety(req, {limits, validate}); if (callback !== noop) { const finish = once(callback); safety.on('success', (body, response, stats) => { finish(null, response, body, stats); }); safety.on('error', (error, body, response, stats) => { finish(error, response, body, stats); }); } }; module.exports = (...args) => { let restrictions; let options; let callback; // options if (args.length === 1) { callback = noop; options = args[0]; } // options, callback // restrictions, options else if (args.length === 2) { const hasCallback = args[1] instanceof Function; restrictions = hasCallback ? {} : args[0]; options = hasCallback ? args[0] : args[1]; callback = hasCallback ? args[1] : noop; } // restrictions, options, callback else if (args.length === 3) { restrictions = args[0]; options = args[1]; callback = args[2]; } else { const message = 'Invalid number of arguments: expected 1, 2, or 3, got '; throw new Error(message + args.length); } return safeRequest( createRestrictions(restrictions), createOptions(normalizeOptions(options)), callback ); };