Skip to content

Commit

Permalink
feat: add hostname for checkAddress (#525) (#528)
Browse files Browse the repository at this point in the history
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **New Features**
- Introduced hostname validation in address checking for enhanced
security.
  
- **Tests**
  - Added a new test case to verify hostname validation logic.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
  • Loading branch information
killagu authored Jul 8, 2024
1 parent 97a25c5 commit 0022641
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 4 deletions.
8 changes: 4 additions & 4 deletions src/HttpAgent.ts
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ import {
buildConnector,
} from 'undici';

export type CheckAddressFunction = (ip: string, family: number | string) => boolean;
export type CheckAddressFunction = (ip: string, family: number | string, hostname: string) => boolean;

export type HttpAgentOptions = {
lookup?: LookupFunction;
Expand Down Expand Up @@ -46,13 +46,13 @@ export class HttpAgent extends Agent {
if (options.checkAddress) {
// dnsOptions.all set to default on Node.js >= 20, dns.lookup will return address array object
if (typeof address === 'string') {
if (!options.checkAddress(address, family)) {
if (!options.checkAddress(address, family, hostname)) {
err = new IllegalAddressError(hostname, address, family);
}
} else if (Array.isArray(address)) {
const addresses = address as { address: string, family: number }[];
for (const addr of addresses) {
if (!options.checkAddress(addr.address, addr.family)) {
if (!options.checkAddress(addr.address, addr.family, hostname)) {
err = new IllegalAddressError(hostname, addr.address, addr.family);
break;
}
Expand All @@ -79,7 +79,7 @@ export class HttpAgent extends Agent {
const family = isIP(hostname);
if (family === 4 || family === 6) {
// if request hostname is ip, custom lookup won't execute
if (!this.#checkAddress(hostname, family)) {
if (!this.#checkAddress(hostname, family, hostname)) {
throw new IllegalAddressError(hostname, hostname, family);
}
}
Expand Down
27 changes: 27 additions & 0 deletions test/HttpClient.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -313,5 +313,32 @@ describe('HttpClient.test.ts', () => {
return true;
});
});

it('should allow hostname check', async () => {
let hostname: string;
const httpclient = new HttpClient({
checkAddress(ip, family, aHostname) {
hostname = aHostname;
return true;
},
lookup(hostname, options, callback) {
if (
process.version.startsWith('v18')
|| process.version.startsWith('v16')
|| process.version.startsWith('v14')
) {
return callback(null, '127.0.0.1', 4);
}
return callback(null, [{
address: '127.0.0.1',
family: 4,
}]);
},
});

const response = await httpclient.request(_url.replace('localhost', 'check-host-ssrf.com'));
assert.equal(hostname, 'check-host-ssrf.com');
assert.equal(response.status, 200);
});
});
});

0 comments on commit 0022641

Please sign in to comment.