
@atproto-labs/fetch-node


@atproto-labs/fetch-node - npm Package Compare versions

Comparing version 0.1.0 to 0.1.1

dist/unicast.d.ts

11

CHANGELOG.md
# @atproto-labs/fetch-node
## 0.1.1
### Patch Changes
- [#2770](https://github.com/bluesky-social/atproto/pull/2770) [`a07b21151`](https://github.com/bluesky-social/atproto/commit/a07b21151f1850340c4b7797ebb11521b1a6cdf3) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Prevent bypass of ssrf ip verification
- [#2770](https://github.com/bluesky-social/atproto/pull/2770) [`a07b21151`](https://github.com/bluesky-social/atproto/commit/a07b21151f1850340c4b7797ebb11521b1a6cdf3) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Expose IP filtering utilities
- Updated dependencies [[`a07b21151`](https://github.com/bluesky-social/atproto/commit/a07b21151f1850340c4b7797ebb11521b1a6cdf3), [`a07b21151`](https://github.com/bluesky-social/atproto/commit/a07b21151f1850340c4b7797ebb11521b1a6cdf3), [`a07b21151`](https://github.com/bluesky-social/atproto/commit/a07b21151f1850340c4b7797ebb11521b1a6cdf3)]:
- @atproto-labs/fetch@0.1.1
## 0.1.0

@@ -4,0 +15,0 @@

3

dist/index.d.ts
export * from '@atproto-labs/fetch';
export * from './safe.js';
export * from './ssrf.js';
export * from './unicast.js';
export * from './util.js';
//# sourceMappingURL=index.d.ts.map

@@ -19,3 +19,4 @@ "use strict";

__exportStar(require("./safe.js"), exports);
__exportStar(require("./ssrf.js"), exports);
__exportStar(require("./unicast.js"), exports);
__exportStar(require("./util.js"), exports);
//# sourceMappingURL=index.js.map

@@ -6,10 +6,15 @@ import { Fetch } from '@atproto-labs/fetch';

* with user provided input (URL).
*
* @see {@link https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html}
*/
export declare function safeFetchWrap({ fetch, responseMaxSize, // 512kB
allowHttp, allowData, ssrfProtection, timeout, forbiddenDomainNames, }?: {
ssrfProtection, allowCustomPort, allowData, allowHttp, allowIpHost, allowPrivateIps, timeout, forbiddenDomainNames, }?: {
fetch?: Fetch | undefined;
responseMaxSize?: number | undefined;
ssrfProtection?: boolean | undefined;
allowCustomPort?: boolean | undefined;
allowData?: boolean | undefined;
allowHttp?: boolean | undefined;
allowData?: boolean | undefined;
ssrfProtection?: boolean | undefined;
allowIpHost?: boolean | undefined;
allowPrivateIps?: boolean | undefined;
timeout?: number | undefined;

@@ -16,0 +21,0 @@ forbiddenDomainNames?: Iterable<string> | undefined;

@@ -6,21 +6,31 @@ "use strict";

const pipe_1 = require("@atproto-labs/pipe");
const ssrf_js_1 = require("./ssrf.js");
const unicast_js_1 = require("./unicast.js");
/**
* Wrap a fetch function with safety checks so that it can be safely used
* with user provided input (URL).
*
* @see {@link https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html}
*/
function safeFetchWrap({ fetch = globalThis.fetch, responseMaxSize = 512 * 1024, // 512kB
allowHttp = false, allowData = false, ssrfProtection = true, timeout = 10e3, forbiddenDomainNames = fetch_1.DEFAULT_FORBIDDEN_DOMAIN_NAMES, } = {}) {
ssrfProtection = true, allowCustomPort = !ssrfProtection, allowData = false, allowHttp = !ssrfProtection, allowIpHost = true, allowPrivateIps = !ssrfProtection, timeout = 10e3, forbiddenDomainNames = fetch_1.DEFAULT_FORBIDDEN_DOMAIN_NAMES, } = {}) {
return (0, fetch_1.toRequestTransformer)((0, pipe_1.pipe)(
/**
* Prevent using http:, file: or data: protocols.
* Disable HTTP redirects
*/
(0, fetch_1.protocolCheckRequestTransform)(['https:']
.concat(allowHttp ? ['http:'] : [])
.concat(allowData ? ['data:'] : [])),
(0, fetch_1.redirectCheckRequestTransform)(),
/**
* Only requests that will be issued with a "Host" header are allowed.
*/
(0, fetch_1.requireHostHeaderTranform)(),
allowIpHost ? fetch_1.asRequest : (0, fetch_1.requireHostHeaderTransform)(),
/**
* Prevent using http:, file: or data: protocols.
*/
(0, fetch_1.protocolCheckRequestTransform)({
'about:': false,
'data:': allowData,
'file:': false,
'http:': allowHttp && { allowCustomPort },
'https:': { allowCustomPort },
}),
/**
* Disallow fetching from domains we know are not atproto/OIDC client

@@ -42,3 +52,3 @@ * implementation. Note that other domains can be blocked by providing a

*/
ssrfProtection ? (0, ssrf_js_1.ssrfFetchWrap)({ fetch }) : fetch),
allowPrivateIps ? fetch : (0, unicast_js_1.unicastFetchWrap)({ fetch })),
/**

@@ -45,0 +55,0 @@ * Since we will be fetching user owned data, we need to make sure that an

{
"name": "@atproto-labs/fetch-node",
"version": "0.1.0",
"version": "0.1.1",
"license": "MIT",

@@ -30,3 +30,3 @@ "description": "SSRF protection for fetch() in Node.js",

"undici": "^6.14.1",
"@atproto-labs/fetch": "0.1.0",
"@atproto-labs/fetch": "0.1.1",
"@atproto-labs/pipe": "0.1.0"

@@ -33,0 +33,0 @@ },

export * from '@atproto-labs/fetch'
export * from './safe.js'
export * from './ssrf.js'
export * from './unicast.js'
export * from './util.js'
import {
asRequest,
DEFAULT_FORBIDDEN_DOMAIN_NAMES,

@@ -7,3 +8,4 @@ Fetch,

protocolCheckRequestTransform,
requireHostHeaderTranform,
redirectCheckRequestTransform,
requireHostHeaderTransform,
timedFetch,

@@ -14,3 +16,3 @@ toRequestTransformer,

import { ssrfFetchWrap } from './ssrf.js'
import { unicastFetchWrap } from './unicast.js'

@@ -24,2 +26,4 @@ export type SafeFetchWrapOptions = NonNullable<

* with user provided input (URL).
*
* @see {@link https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html}
*/

@@ -29,5 +33,8 @@ export function safeFetchWrap({

responseMaxSize = 512 * 1024, // 512kB
allowHttp = false,
ssrfProtection = true,
allowCustomPort = !ssrfProtection,
allowData = false,
ssrfProtection = true,
allowHttp = !ssrfProtection,
allowIpHost = true,
allowPrivateIps = !ssrfProtection,
timeout = 10e3,

@@ -39,9 +46,5 @@ forbiddenDomainNames = DEFAULT_FORBIDDEN_DOMAIN_NAMES as Iterable<string>,

/**
* Prevent using http:, file: or data: protocols.
* Disable HTTP redirects
*/
protocolCheckRequestTransform(
['https:']
.concat(allowHttp ? ['http:'] : [])
.concat(allowData ? ['data:'] : []),
),
redirectCheckRequestTransform(),

@@ -51,5 +54,16 @@ /**

*/
requireHostHeaderTranform(),
allowIpHost ? asRequest : requireHostHeaderTransform(),
/**
* Prevent using http:, file: or data: protocols.
*/
protocolCheckRequestTransform({
'about:': false,
'data:': allowData,
'file:': false,
'http:': allowHttp && { allowCustomPort },
'https:': { allowCustomPort },
}),
/**
* Disallow fetching from domains we know are not atproto/OIDC client

@@ -74,3 +88,3 @@ * implementation. Note that other domains can be blocked by providing a

*/
ssrfProtection ? ssrfFetchWrap({ fetch }) : fetch,
allowPrivateIps ? fetch : unicastFetchWrap({ fetch }),
),

@@ -77,0 +91,0 @@
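Review bot: With this change `ssrfProtection` no longer selects a wrapper at all — in hunk `@@ -74,3 +88,3 @@` the `ssrfFetchWrap({ fetch })` stage appears to be replaced by `allowPrivateIps ? fetch : unicastFetchWrap({ fetch })`, so the option only seeds the defaults of `allowCustomPort`, `allowHttp` and `allowPrivateIps` in `@@ -29,5 +33,8 @@`, and a caller passing `{ ssrfProtection: true, allowPrivateIps: true }` gets no IP filtering from the `unicastFetchWrap` stage (which, going by its name and the changelog entry, is where the IP verification now lives) even though the option name suggests the protection is on. That looks intentional, but none of the new destructured options is documented; I would add a JSDoc line on each, e.g. above `allowPrivateIps = !ssrfProtection,`: `/** Skip the unicastFetchWrap IP filter. Defaults to !ssrfProtection; an explicit true removes the filter regardless of ssrfProtection. */`, and on `allowIpHost = true,` a note that IP-literal hosts then bypass `requireHostHeaderTransform()` and rely solely on that filter. The comment `Prevent using http:, file: or data: protocols.` in `@@ -51,5 +54,16 @@` is also stale now that `http:` and `data:` are conditional and `about:` was added; `Restrict URL schemes: about:/file: always rejected, http:/data: only when opted in, custom ports only with allowCustomPort.` matches the map. safeFetchWrap's signature begins and its body ends outside these hunks.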

