ssrf-req-filter - npm Package Compare versions

Comparing version 1.0.0 to 1.0.1

CHANGELOG.md

@@ -5,6 +5,6 @@ # Changelog
 
+### [1.0.1](https://github.com/y-mehta/ssrf-req-filter/compare/v1.0.0...v1.0.1) (2020-10-27)
+
 ## 1.0.0 (2020-10-26)
-
-# Changelog
-
-All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+- Bump Release Version
+- Minor Bug Fixes

index.js

@@ -12,3 +12,2 @@ const http = require('http');
     const range = addr.range();
-
     if (range !== 'unicast') {
@@ -15,0 +14,0 @@ return false; // Private IP Range

package.json

 {
   "name": "ssrf-req-filter",
   "description": "Module to prevent SSRF when making requests",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "keywords": [
@@ -34,3 +34,3 @@ "ssrf",
   "scripts": {
-    "test": "node ./node_modules/mocha/bin/mocha --timeout 10000"
+    "test": "node ./node_modules/mocha/bin/mocha --timeout 50000"
   },
@@ -37,0 +37,0 @@ "repository": {

test/blockUrls.txt

@@ -1,1 +0,1 @@
-["http://127.0.0.1:80","http://127.0.0.1:443","http://127.0.0.1:22","http://0.0.0.0:80","http://0.0.0.0:443","http://0.0.0.0:22","http://localhost:80","http://localhost:443","http://localhost:22","http://[::]:80","http://[::]:25/","http://[::]:22/","http://0000::1:80","http://0000::1:25","http://0000::1:22","http://0000::1:3128","http://localtest.me","http://customer1.app.localhost.my.company.127.0.0.1.nip.io","http://mail.ebc.apple.com","http://bugbounty.dod.network","http://spoofed.burpcollaborator.net","http://127.127.127.127","http://127.0.1.3","http://127.0.0.0","http://0177.0.0.1","http://2130706433","http://3232235521","http://3232235777","http://[0:0:0:0:0:ffff:127.0.0.1]","http://0","http://127.1","http://127.0.1","http://127.1.1.1:80@127.2.2.2:80","http://127.1.1.1:80@@127.2.2.2:80","http://127.1.1.1:80:@@127.2.2.2:80","http://127.1.1.1:80#@127.2.2.2:80","http://169.254.169.254","http://169.254.169.254.xip.io","http://1ynrnhl.xip.io","http://www.owasp.org.1ynrnhl.xip.io","http://425.510.425.510","http://2852039166","http://7147006462","http://0xA9.0xFE.0xA9.0xFE","http://0xA9FEA9FE","http://0x41414141A9FEA9FE","http://0251.0376.0251.0376","http://0251.00376.000251.0000376","http://169.254.169.254/latest/meta-data/hostname"]
+["http://127.0.0.1:80","http://127.0.0.1:443","http://127.0.0.1:22","http://0.0.0.0:80","http://0.0.0.0:443","http://0.0.0.0:22","http://localhost:80","http://localhost:443","http://localhost:22","http://[::]:80","http://[::]:25/","http://[::]:22/","http://0000::1:80","http://0000::1:25","http://0000::1:22","http://0000::1:3128","http://localtest.me","http://customer1.app.localhost.my.company.127.0.0.1.nip.io","http://mail.ebc.apple.com","http://bugbounty.dod.network","http://spoofed.burpcollaborator.net","http://127.127.127.127","http://127.0.1.3","http://127.0.0.0","http://0177.0.0.1","http://2130706433","http://3232235521","http://3232235777","http://[0:0:0:0:0:ffff:127.0.0.1]","http://0","http://127.1","http://127.0.1","http://127.1.1.1:80@127.2.2.2:80","http://127.1.1.1:80@@127.2.2.2:80","http://127.1.1.1:80:@@127.2.2.2:80","http://127.1.1.1:80#@127.2.2.2:80","http://169.254.169.254","http://169.254.169.254.xip.io","http://1ynrnhl.xip.io","http://www.owasp.org.1ynrnhl.xip.io","http://425.510.425.510","http://2852039166","http://7147006462","http://0xA9.0xFE.0xA9.0xFE","http://0xA9FEA9FE","http://0x41414141A9FEA9FE","http://0251.0376.0251.0376","http://0251.00376.000251.0000376","http://169.254.169.254/latest/meta-data/hostname","https://A.127.0.0.1.1time.10.0.0.1.1time.repeat.8f058b82-4c39-4dfe-91f7-9b07bcd7fbd5.rebind.network"]

test/index.js

@@ -10,2 +10,3 @@ const ssrfFilter = require('../index');
 
+// Blocked URLs Test
 try {
@@ -24,7 +25,6 @@ blockUrls = JSON.parse(fs.readFileSync(blockUrlsFile));
           check = 1;
-          // console.log(`Success: ${url}`);
+          console.log(response);
         })
         .catch((error) => {
           check = 0;
-          // console.log('Error');
         })
@@ -38,2 +38,3 @@ .then(() => {
 
+// Allowed URLs Test
 try {
@@ -52,7 +53,5 @@ allowedUrls = JSON.parse(fs.readFileSync(allowedUrlsFile));
           check = 1;
-          // console.log(`Success: ${url}`);
         })
         .catch((error) => {
           check = 0;
-          // console.log(error);
         })
@@ -66,1 +65,23 @@ .then(() => {
 
+// DNS Rebind Test
+it(`Test DNS Rebind`, async () => {
+  let check = 0;
+  const url = 'http://A.49.44.166.234.1time.10.0.0.1.1time.repeat.'+ new Date().valueOf() +'.rebind.network';
+  console.log(url);
+  const response = await axios.get(url, {httpAgent: ssrfFilter(url),
+    httpsAgent: ssrfFilter(url)})
+      .then((response) => {
+        check = 1;
+      })
+      .catch((error) => {
+        if (error.message === 'Request failed with status code 400') {
+          check = 1;
+        } else {
+          check = 0;
+        }
+      })
+      .then(() => {
+        return check;
+      });
+  expect(response).to.equal(1);
+});

No alert changes

Improved metrics

Total package byte prevSize

8994

increased by7%

Lines of code

132

increased by18.92%

No dependency changes