ssrf-req-filter
Comparing version 1.0.0 to 1.0.1
@@ -5,6 +5,6 @@ # Changelog | ||
### [1.0.1](https://github.com/y-mehta/ssrf-req-filter/compare/v1.0.0...v1.0.1) (2020-10-27) | ||
## 1.0.0 (2020-10-26) | ||
# Changelog | ||
All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. | ||
- Bump Release Version | ||
- Minor Bug Fixes |
@@ -12,3 +12,2 @@ const http = require('http'); | ||
const range = addr.range(); | ||
if (range !== 'unicast') { | ||
@@ -15,0 +14,0 @@ return false; // Private IP Range |
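Review bot: The `// Private IP Range` comment on the `return false` following `if (range !== 'unicast')` understates what the guard does: every classification other than unicast is refused, which (if `addr` is an ipaddr.js address, as the `range()` call suggests) covers loopback, link-local, multicast, broadcast, reserved and IPv4-mapped forms, not only RFC 1918 space. I'd make the comment match the check so the next reader does not loosen it to a private-range list: `return false; // only public unicast is allowed; loopback, private, link-local, multicast, reserved, ipv4-mapped ... are all refused`. The fail-closed allow-list is the right shape for an SSRF guard, so this is wording only; the enclosing function starts and ends outside the hunk, and the line the hunk removes is not shown on this page.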
{ | ||
"name": "ssrf-req-filter", | ||
"description": "Module to prevent SSRF when making requests", | ||
"version": "1.0.0", | ||
"version": "1.0.1", | ||
"keywords": [ | ||
@@ -34,3 +34,3 @@ "ssrf", | ||
"scripts": { | ||
"test": "node ./node_modules/mocha/bin/mocha --timeout 10000" | ||
"test": "node ./node_modules/mocha/bin/mocha --timeout 50000" | ||
}, | ||
@@ -37,0 +37,0 @@ "repository": { |
@@ -1,1 +0,1 @@ | ||
["http://127.0.0.1:80","http://127.0.0.1:443","http://127.0.0.1:22","http://0.0.0.0:80","http://0.0.0.0:443","http://0.0.0.0:22","http://localhost:80","http://localhost:443","http://localhost:22","http://[::]:80","http://[::]:25/","http://[::]:22/","http://0000::1:80","http://0000::1:25","http://0000::1:22","http://0000::1:3128","http://localtest.me","http://customer1.app.localhost.my.company.127.0.0.1.nip.io","http://mail.ebc.apple.com","http://bugbounty.dod.network","http://spoofed.burpcollaborator.net","http://127.127.127.127","http://127.0.1.3","http://127.0.0.0","http://0177.0.0.1","http://2130706433","http://3232235521","http://3232235777","http://[0:0:0:0:0:ffff:127.0.0.1]","http://0","http://127.1","http://127.0.1","http://127.1.1.1:80@127.2.2.2:80","http://127.1.1.1:80@@127.2.2.2:80","http://127.1.1.1:80:@@127.2.2.2:80","http://127.1.1.1:80#@127.2.2.2:80","http://169.254.169.254","http://169.254.169.254.xip.io","http://1ynrnhl.xip.io","http://www.owasp.org.1ynrnhl.xip.io","http://425.510.425.510","http://2852039166","http://7147006462","http://0xA9.0xFE.0xA9.0xFE","http://0xA9FEA9FE","http://0x41414141A9FEA9FE","http://0251.0376.0251.0376","http://0251.00376.000251.0000376","http://169.254.169.254/latest/meta-data/hostname"] | ||
["http://127.0.0.1:80","http://127.0.0.1:443","http://127.0.0.1:22","http://0.0.0.0:80","http://0.0.0.0:443","http://0.0.0.0:22","http://localhost:80","http://localhost:443","http://localhost:22","http://[::]:80","http://[::]:25/","http://[::]:22/","http://0000::1:80","http://0000::1:25","http://0000::1:22","http://0000::1:3128","http://localtest.me","http://customer1.app.localhost.my.company.127.0.0.1.nip.io","http://mail.ebc.apple.com","http://bugbounty.dod.network","http://spoofed.burpcollaborator.net","http://127.127.127.127","http://127.0.1.3","http://127.0.0.0","http://0177.0.0.1","http://2130706433","http://3232235521","http://3232235777","http://[0:0:0:0:0:ffff:127.0.0.1]","http://0","http://127.1","http://127.0.1","http://127.1.1.1:80@127.2.2.2:80","http://127.1.1.1:80@@127.2.2.2:80","http://127.1.1.1:80:@@127.2.2.2:80","http://127.1.1.1:80#@127.2.2.2:80","http://169.254.169.254","http://169.254.169.254.xip.io","http://1ynrnhl.xip.io","http://www.owasp.org.1ynrnhl.xip.io","http://425.510.425.510","http://2852039166","http://7147006462","http://0xA9.0xFE.0xA9.0xFE","http://0xA9FEA9FE","http://0x41414141A9FEA9FE","http://0251.0376.0251.0376","http://0251.00376.000251.0000376","http://169.254.169.254/latest/meta-data/hostname","https://A.127.0.0.1.1time.10.0.0.1.1time.repeat.8f058b82-4c39-4dfe-91f7-9b07bcd7fbd5.rebind.network"] |
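Review bot: The rebind URL appended at the end of the new list carries a fixed label (`8f058b82-...rebind.network`), whereas the DNS rebind test added to test/test.js in this same version derives its label from `new Date().valueOf()`; if the `1time` labels are served once and then switch, as their names suggest, the outcome for this fixed entry depends on whether any resolver on the path has already answered for it, so the blocked-URLs check becomes order- and cache-dependent. The static fixture now also needs outbound DNS to a third-party service, so a failure no longer isolates a regression in the filter itself. I'd either drop this entry from the fixture in favour of the dedicated rebind test, or generate the label at runtime the same way that test does.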
@@ -10,2 +10,3 @@ const ssrfFilter = require('../index'); | ||
// Blocked URLs Test | ||
try { | ||
@@ -24,7 +25,6 @@ blockUrls = JSON.parse(fs.readFileSync(blockUrlsFile)); | ||
check = 1; | ||
// console.log(`Success: ${url}`); | ||
console.log(response); | ||
}) | ||
.catch((error) => { | ||
check = 0; | ||
// console.log('Error'); | ||
}) | ||
@@ -38,2 +38,3 @@ .then(() => { | ||
// Allowed URLs Test | ||
try { | ||
@@ -52,7 +53,5 @@ allowedUrls = JSON.parse(fs.readFileSync(allowedUrlsFile)); | ||
check = 1; | ||
// console.log(`Success: ${url}`); | ||
}) | ||
.catch((error) => { | ||
check = 0; | ||
// console.log(error); | ||
}) | ||
@@ -66,1 +65,23 @@ .then(() => { | ||
// DNS Rebind Test | ||
it(`Test DNS Rebind`, async () => { | ||
let check = 0; | ||
const url = 'http://A.49.44.166.234.1time.10.0.0.1.1time.repeat.'+ new Date().valueOf() +'.rebind.network'; | ||
console.log(url); | ||
const response = await axios.get(url, {httpAgent: ssrfFilter(url), | ||
httpsAgent: ssrfFilter(url)}) | ||
.then((response) => { | ||
check = 1; | ||
}) | ||
.catch((error) => { | ||
if (error.message === 'Request failed with status code 400') { | ||
check = 1; | ||
} else { | ||
check = 0; | ||
} | ||
}) | ||
.then(() => { | ||
return check; | ||
}); | ||
expect(response).to.equal(1); | ||
}); |
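Review bot: The `Test DNS Rebind` case never observes a blocked request: both a 2xx and an HTTP 400 set `check = 1`, and a refusal by the agent would surface as some other error and fail the test, so what it asserts is that the first, public answer for the rebinding hostname goes through — it says nothing about the later `10.0.0.1` answer, which is the case an SSRF filter exists for. If the `1time`/`repeat` labels mean what their names suggest, a second request on the same `url` after the first completes should be refused, and that is the assertion worth adding (sketched below; `error.response` is absent when the agent refused rather than a server having answered). Matching the error by text in `error.message === 'Request failed with status code 400'` is also fragile across axios versions; `error.response && error.response.status === 400` expresses the intent directly. The `it(...)` block is complete within the hunk, but the enclosing `describe` starts outside it, and the expected 400 from the first hop is inferred from the test, not shown.
```javascript
// … unchanged: first request, its check/expect …
// Second resolution of the same name: once the one-time public answer has
// been consumed, the host maps to 10.0.0.1 and the agent must refuse it.
let blocked = 0;
await axios.get(url, { httpAgent: ssrfFilter(url), httpsAgent: ssrfFilter(url) })
  .then(() => { blocked = 0; })
  .catch((error) => { blocked = error.response ? 0 : 1; });
expect(blocked).to.equal(1);
```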