request-filtering-agent - npm Package Compare versions

Comparing version 1.0.4 to 1.0.5

lib/request-filtering-agent.d.ts

 /// <reference types="node" />
-import { Socket, TcpNetConnectOpts } from "net";
 import * as http from "http";
 import * as https from "https";
-declare module "http" {
-    interface Agent {
-        createConnection(options: TcpNetConnectOpts, connectionListener?: (error?: Error) => void): Socket;
-    }
-}
 export interface RequestFilteringAgentOptions {
@@ -19,5 +13,5 @@ allowPrivateIPAddress?: boolean;
  */
-export declare function applyRequestFilter<T extends http.Agent | http.Agent>(agent: T, options?: RequestFilteringAgentOptions): T;
+export declare function applyRequestFilter<T extends http.Agent | https.Agent>(agent: T, options?: RequestFilteringAgentOptions): T;
 /**
- * A subclsss of http.Agent with request filtering
+ * A subclass of http.Agent with request filtering
  */
@@ -28,3 +22,3 @@ export declare class RequestFilteringHttpAgent extends http.Agent {
 /**
- * A subclsss of https.Agent with request filtering
+ * A subclass of https.Agent with request filtering
  */
@@ -37,5 +31,6 @@ export declare class RequestFilteringHttpsAgent extends https.Agent {
 /**
- * get right an agent for the url
+ * Get an agent for the url
+ * return http or https agent
  * @param url
  */
 export declare const useAgent: (url: string) => RequestFilteringHttpAgent | RequestFilteringHttpsAgent;

lib/request-filtering-agent.js

@@ -15,7 +15,19 @@ "use strict";
 })();
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
     return result;
@@ -27,2 +39,3 @@ };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.useAgent = exports.globalHttpsAgent = exports.globalHttpAgent = exports.RequestFilteringHttpsAgent = exports.RequestFilteringHttpAgent = exports.applyRequestFilter = void 0;
 var net = __importStar(require("net"));
@@ -103,3 +116,5 @@ var http = __importStar(require("http"));
     // https://nodejs.org/api/net.html#net_net_createconnection_options_connectlistener
+    // @ts-expect-error - @types/node does not defined createConnection
     var createConnection = agent.createConnection;
+    // @ts-expect-error - @types/node does not defined createConnection
     agent.createConnection = function (options, connectionListener) {
@@ -131,3 +146,3 @@ var socket = createConnection.call(agent, options, function () {
 /**
- * A subclsss of http.Agent with request filtering
+ * A subclass of http.Agent with request filtering
  */
@@ -145,3 +160,3 @@ var RequestFilteringHttpAgent = /** @class */ (function (_super) {
 /**
- * A subclsss of https.Agent with request filtering
+ * A subclass of https.Agent with request filtering
  */
@@ -161,3 +176,4 @@ var RequestFilteringHttpsAgent = /** @class */ (function (_super) {
 /**
- * get right an agent for the url
+ * Get an agent for the url
+ * return http or https agent
  * @param url
@@ -164,0 +180,0 @@ */

package.json

 {
   "name": "request-filtering-agent",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "An http(s).Agent implementation that block request Private IP address.",
@@ -60,11 +60,11 @@ "homepage": "https://github.com/azu/request-filtering-agent",
     "@types/ip": "^1.1.0",
-    "@types/mocha": "^5.2.7",
-    "@types/node": "^12.7.2",
+    "@types/mocha": "^7.0.2",
+    "@types/node": "^14.0.14",
     "@types/node-fetch": "^2.5.0",
-    "cross-env": "^5.2.0",
-    "husky": "^3.0.4",
-    "lint-staged": "^9.2.5",
-    "mocha": "^6.2.0",
+    "cross-env": "^7.0.2",
+    "husky": "^4.2.5",
+    "lint-staged": "^10.2.11",
+    "mocha": "^8.0.1",
     "node-fetch": "^2.6.0",
-    "prettier": "^1.18.2",
+    "prettier": "^2.0.5",
     "rimraf": "^3.0.0",
@@ -71,0 +71,0 @@ "ts-node": "^8.3.0",

README.md

@@ -1,9 +0,19 @@
-# request-filtering-agent [![Build Status](https://travis-ci.org/azu/request-filtering-agent.svg?branch=master)](https://travis-ci.org/azu/request-filtering-agent)
+# request-filtering-agent [![Actions Status](https://github.com/azu/request-filtering-agent/workflows/ci/badge.svg)](https://github.com/azu/request-filtering-agent/actions)
 
-An [http(s).Agent](https://nodejs.org/api/http.html#http_class_http_agent) class that block request Private IP address.
+An [http(s).Agent](https://nodejs.org/api/http.html#http_class_http_agent) class block the request to [Private IP addresses](https://en.wikipedia.org/wiki/Private_network) and [Reserved IP addresses](https://en.wikipedia.org/wiki/Reserved_IP_addresses).
 
-It help to prevent [server-side request forgery (SSRF)](https://en.wikipedia.org/wiki/Server-side_request_forgery) attack.
+It helps to prevent [server-side request forgery (SSRF)](https://en.wikipedia.org/wiki/Server-side_request_forgery) attack.
 
 - [What is SSRF (Server-side request forgery)? Tutorial & Examples](https://portswigger.net/web-security/ssrf)
 
+This library depended on [ipaddr.js](https://github.com/whitequark/ipaddr.js) definitions.
+This library block the request to these IP addresses by default.
+
+- [Private IPv4 addresses](https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses)
+- [Private IPv6 addresses](https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses)
+- [Link-local addresses](https://en.wikipedia.org/wiki/Private_network#Link-local_addresses)
+- [Reserved IP addresses](https://en.wikipedia.org/wiki/Reserved_IP_addresses)
+
+So, This library block the request to non-`unicast` IP addresses.
+
 ## Install
@@ -15,7 +25,21 @@
 
+## `http.Agent` libraries
+
+This library provides Node.js's [http.Agent](https://nodejs.org/api/http.html#http_class_http_agent) implementation.
+[http.Agent](https://nodejs.org/api/http.html#http_class_http_agent) is supported by popular library.
+
+- Node.js's built-in `http` and `https`
+- [node-fetch](https://github.com/bitinn/node-fetch)
+- [Request](https://github.com/request/request)
+- [node-http-proxy](https://github.com/http-party/node-http-proxy)
+- [axios](https://github.com/axios/axios)
+
+`request-filtering-agent` works with these libraries!
+
 ## Usage
 
 `useAgent(url)` return an agent for the url.
-`request-filtering-agent` disallow to request to [Private network](https://en.wikipedia.org/wiki/Private_network).
 
+The agent blocks the request to [Private network](https://en.wikipedia.org/wiki/Private_network) and [Reserved IP addresses](https://en.wikipedia.org/wiki/Reserved_IP_addresses) by default.
+
 ```js
@@ -34,5 +58,4 @@ const fetch = require("node-fetch");
 `request-filtering-agent` support loopback domain like [xip.io](http://xip.io) and [nip.io](https://nip.io/).
-This library detect the IP adpress that is dns lookup-ed.
+This library detects the IP address that is dns lookup-ed.
 
-
 ```
@@ -67,3 +90,6 @@ $ dig 127.0.0.1.xip.io
     // Allow to connect private IP address
-    // Example, http://127.0.0.1/, http://localhost/
+    // This includes Private IP addresses and Reserved IP addresses.
+    // https://en.wikipedia.org/wiki/Private_network
+    // https://en.wikipedia.org/wiki/Reserved_IP_addresses
+    // Example, http://127.0.0.1/, http://localhost/, https://169.254.169.254/
     // Default: false
@@ -88,5 +114,5 @@ allowPrivateIPAddress?: boolean;
  */
-export declare function applyRequestFilter<T extends http.Agent | http.Agent>(agent: T, options?: RequestFilteringAgentOptions): T;
+export declare function applyRequestFilter<T extends http.Agent | https.Agent>(agent: T, options?: RequestFilteringAgentOptions): T;
 /**
- * A subclsss of http.Agent with request filtering
+ * A subclass of http.Agent with request filtering
  */
@@ -97,3 +123,3 @@ export declare class RequestFilteringHttpAgent extends http.Agent {
 /**
- * A subclsss of https.Agent with request filtering
+ * A subclass of https.Agent with request filtering
  */
@@ -106,7 +132,7 @@ export declare class RequestFilteringHttpsAgent extends https.Agent {
 /**
- * get right an agent for the url
+ * Get an agent for the url
+ * return http or https agent
  * @param url
  */
 export declare const useAgent: (url: string) => RequestFilteringHttpAgent | RequestFilteringHttpsAgent;
-
 ```
@@ -116,3 +142,3 @@
 
-An agent that allow to request `127.0.0.1`, but it dissllow other Private IP.
+An agent that allow requesting `127.0.0.1`, but it disallows other Private IP.
 
@@ -137,3 +163,3 @@ ```js
 
-### Example: Apply request filtering to exising `http.Agent`
+### Example: Apply request filtering to excising `http.Agent`
 
@@ -155,4 +181,6 @@ You can apply request filtering to `http.Agent` or `https.Agent` using `applyRequestFilter` method.
 });
-// 127.0.0.1 is private ip address
-const url = 'http://127.0.0.1:8080/';
+// 169.254.169.254 is private ip address aka. link-local addresses
+// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
+// https://serverfault.com/questions/427018/what-is-this-ip-address-169-254-169-254
+const url = 'http://169.254.169.254/';
 fetch(url, {
@@ -165,18 +193,7 @@ agent: agentWithFiltering
 
-## `http.Agent` libraries
-
-[http.Agent](https://nodejs.org/api/http.html#http_class_http_agent) is supported by popular library.
-
-- [node-fetch](https://github.com/bitinn/node-fetch)
-- [Request](https://github.com/request/request)
-- [node-http-proxy](https://github.com/http-party/node-http-proxy)
-- [axios](https://github.com/axios/axios)
-
-`request-filtering-agent` work with these libraries.
-
 ## Related
 
 - [welefen/ssrf-agent: make http(s) request to prevent SSRF](https://github.com/welefen/ssrf-agent)
-    - It provide only high level wrapper
-    - It only handle Private IP address that is definition in [node-ip](https://github.com/indutny/node-ip/blob/43e442366bf5a93493c8c4c36736f87d675b0c3d/lib/ip.js#L302-L314)
+    - It provides only high level wrapper
+    - It only handles Private IP address that is definition in [node-ip](https://github.com/indutny/node-ip/blob/43e442366bf5a93493c8c4c36736f87d675b0c3d/lib/ip.js#L302-L314)
         - Missing Meta IP Address like `0.0.0.0`
@@ -190,6 +207,11 @@
 
-Install devDependencies and Run `npm test`:
+Install devDependencies and Run `yarn test`:
 
-    npm test
+    yarn test
 
+:memo: This testing require IPv6 supports:
+
+- Travis CI: NG 
+- GitHub Actions: OK
+
 ## Contributing
@@ -201,2 +223,4 @@
 
+For security issue, please see [SECURITY.md](./SECURITY.md)
+
 1. Fork it!
@@ -203,0 +227,0 @@ 2. Create your feature branch: `git checkout -b my-new-feature`

src/request-filtering-agent.ts

 import * as net from "net";
-import { Socket, TcpNetConnectOpts } from "net";
+import { TcpNetConnectOpts } from "net";
 import * as http from "http";
@@ -7,12 +7,8 @@ import * as https from "https";
 
-// Definition missing interface
-declare module "http" {
-    interface Agent {
-        createConnection(options: TcpNetConnectOpts, connectionListener?: (error?: Error) => void): Socket;
-    }
-}
-
 export interface RequestFilteringAgentOptions {
     // Allow to connect private IP address
-    // Example, http://127.0.0.1/, http://localhost/
+    // This includes Private IP addresses and Reserved IP addresses.
+    // https://en.wikipedia.org/wiki/Private_network
+    // https://en.wikipedia.org/wiki/Reserved_IP_addresses
+    // Example, http://127.0.0.1/, http://localhost/, https://169.254.169.254/
     // Default: false
@@ -95,3 +91,3 @@ allowPrivateIPAddress?: boolean;
  */
-export function applyRequestFilter<T extends http.Agent | http.Agent>(agent: T, options?: RequestFilteringAgentOptions): T {
+export function applyRequestFilter<T extends http.Agent | https.Agent>(agent: T, options?: RequestFilteringAgentOptions): T {
     if (appliedAgentSet.has(agent)) {
@@ -110,4 +106,6 @@ return agent;
     // https://nodejs.org/api/net.html#net_net_createconnection_options_connectlistener
+    // @ts-expect-error - @types/node does not defined createConnection
     const createConnection = agent.createConnection;
-    agent.createConnection = (options, connectionListener) => {
+    // @ts-expect-error - @types/node does not defined createConnection
+    agent.createConnection = (options: TcpNetConnectOpts, connectionListener?: (error?: Error) => void) => {
         const socket = createConnection.call(agent, options, () => {
@@ -138,3 +136,3 @@ // https://nodejs.org/api/net.html#net_socket_connect_options_connectlistener
 /**
- * A subclsss of http.Agent with request filtering
+ * A subclass of http.Agent with request filtering
  */
@@ -149,3 +147,3 @@ export class RequestFilteringHttpAgent extends http.Agent {
 /**
- * A subclsss of https.Agent with request filtering
+ * A subclass of https.Agent with request filtering
  */
@@ -162,3 +160,4 @@ export class RequestFilteringHttpsAgent extends https.Agent {
 /**
- * get right an agent for the url
+ * Get an agent for the url
+ * return http or https agent
  * @param url
@@ -165,0 +164,0 @@ */

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

29485

increased by9.56%

Lines of code

361

increased by3.14%

Number of lines in readme file

228

increased by11.76%

No dependency changes