-
Notifications
You must be signed in to change notification settings - Fork 8
Expand file tree
/
Copy pathUtil.js
More file actions
191 lines (162 loc) · 5.36 KB
/
Util.js
File metadata and controls
191 lines (162 loc) · 5.36 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
import { platform, release } from 'os'
const HOST_REGEX = /^(?!\w+:\/\/)([\w-:]+\.)+([\w-:]+)(?::(\d+))?(?!:)$/
export function isHost (host) {
return HOST_REGEX.test(host)
}
export function isNode () {
return typeof process !== 'undefined' && !process.browser
}
export function getNodeVersion () {
return process.versions.node ? `v${process.versions.node}` : process.version
}
function isReactNative () {
return typeof window !== 'undefined' && 'navigator' in window && 'product' in window.navigator && window.navigator.product === 'ReactNative'
}
function getBrowserOS () {
if (!window) {
return null
}
const userAgent = window.navigator.userAgent
const platform = window.navigator.platform
const macosPlatforms = ['Macintosh', 'MacIntel', 'MacPPC', 'Mac68K']
const windowsPlatforms = ['Win32', 'Win64', 'Windows', 'WinCE']
const iosPlatforms = ['iPhone', 'iPad', 'iPod']
let os = null
if (macosPlatforms.indexOf(platform) !== -1) {
os = 'macOS'
} else if (iosPlatforms.indexOf(platform) !== -1) {
os = 'iOS'
} else if (windowsPlatforms.indexOf(platform) !== -1) {
os = 'Windows'
} else if (/Android/.test(userAgent)) {
os = 'Android'
} else if (/Linux/.test(platform)) {
os = 'Linux'
}
return os
}
function getNodeOS () {
const os = platform() || 'linux'
const version = release() || '0.0.0'
const osMap = {
android: 'Android',
aix: 'Linux',
darwin: 'macOS',
freebsd: 'Linux',
linux: 'Linux',
openbsd: 'Linux',
sunos: 'Linux',
win32: 'Windows'
}
if (os in osMap) {
return `${osMap[os] || 'Linux'}/${version}`
}
return null
}
export default function getUserAgent (sdk, application, integration, feature) {
const headerParts = []
if (application) {
headerParts.push(`app ${application}`)
}
if (integration) {
headerParts.push(`integration ${integration}`)
}
if (feature) {
headerParts.push('feature ' + feature)
}
headerParts.push(`sdk ${sdk}`)
let os = null
try {
if (isReactNative()) {
os = getBrowserOS()
headerParts.push('platform ReactNative')
} else if (isNode()) {
os = getNodeOS()
headerParts.push(`platform node.js/${getNodeVersion()}`)
} else {
os = getBrowserOS()
headerParts.push(`platform browser`)
}
} catch (e) {
os = null
}
if (os) {
headerParts.push(`os ${os}`)
}
return `${headerParts.filter((item) => item !== '').join('; ')};`
}
// URL validation functions to prevent SSRF attacks
const isValidURL = (url) => {
try {
// Reject obviously malicious patterns early
if (url.includes('@') || url.includes('file://') || url.includes('ftp://')) {
return false
}
// Allow relative URLs (they are safe as they use the same origin)
if (url.startsWith('/') || url.startsWith('./') || url.startsWith('../')) {
return true
}
// Only validate absolute URLs for SSRF protection
const parsedURL = new URL(url)
// Reject non-HTTP(S) protocols
if (!['http:', 'https:'].includes(parsedURL.protocol)) {
return false
}
// Prevent IP addresses in URLs to avoid internal network access
const ipv4Regex = /^(\d{1,3}\.){3}\d{1,3}$/
const ipv6Regex = /^\[?([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}\]?$/
if (ipv4Regex.test(parsedURL.hostname) || ipv6Regex.test(parsedURL.hostname)) {
// Only allow localhost IPs in development
const isDevelopment = process.env.NODE_ENV === 'development' ||
process.env.NODE_ENV === 'test' ||
!process.env.NODE_ENV
const localhostIPs = ['127.0.0.1', '0.0.0.0', '::1', 'localhost']
if (!isDevelopment || !localhostIPs.includes(parsedURL.hostname)) {
return false
}
}
return isAllowedHost(parsedURL.hostname)
} catch (error) {
// If URL parsing fails, it might be a relative URL without protocol
// Allow it if it doesn't contain protocol indicators or suspicious patterns
return !url.includes('://') && !url.includes('\\') && !url.includes('@')
}
}
const isAllowedHost = (hostname) => {
// Define allowed domains for Contentstack API
const allowedDomains = [
'api.contentstack.io',
'eu-api.contentstack.com',
'azure-na-api.contentstack.com',
'azure-eu-api.contentstack.com',
'gcp-na-api.contentstack.com',
'gcp-eu-api.contentstack.com'
]
// Check for localhost/development environments
const localhostPatterns = [
'localhost',
'127.0.0.1',
'0.0.0.0'
]
// Only allow localhost in development environments to prevent SSRF in production
const isDevelopment = process.env.NODE_ENV === 'development' ||
process.env.NODE_ENV === 'test' ||
!process.env.NODE_ENV // Default to allowing in non-production if NODE_ENV is not set
if (isDevelopment && localhostPatterns.includes(hostname)) {
return true
}
// Check if hostname is in allowed domains or is a subdomain of allowed domains
return allowedDomains.some(domain => {
return hostname === domain || hostname.endsWith('.' + domain)
})
}
export const validateAndSanitizeConfig = (config) => {
if (!config || !config.url) {
throw new Error('Invalid request configuration: missing URL')
}
// Validate the URL to prevent SSRF attacks
if (!isValidURL(config.url)) {
throw new Error(`SSRF Prevention: URL "${config.url}" is not allowed`)
}
return config
}