From 67c00435cd34930446cd298e746327debc3e9a18 Mon Sep 17 00:00:00 2001 From: killagu Date: Mon, 8 Jul 2024 22:41:35 +0800 Subject: [PATCH 1/3] feat: add hostnameExceptionList for ssrf --- README.md | 5 +++ app/extend/context.js | 2 +- config/config.default.js | 1 + lib/utils.js | 9 +++++- .../config/config.default.js | 15 +++++++++ .../ssrf-hostname-exception-list/package.json | 3 ++ test/ssrf.test.js | 31 +++++++++++++++++++ 7 files changed, 64 insertions(+), 2 deletions(-) create mode 100644 test/fixtures/apps/ssrf-hostname-exception-list/config/config.default.js create mode 100644 test/fixtures/apps/ssrf-hostname-exception-list/package.json diff --git a/README.md b/README.md index 74d5e21..7bcdeca 100644 --- a/README.md +++ b/README.md @@ -523,6 +523,7 @@ In a [Server-Side Request Forgery (SSRF)](https://www.owasp.org/index.php/Server - ipBlackList(Array) - specific which IP addresses are illegal when requested with `safeCurl`. - ipExceptionList(Array) - specific which IP addresses are legal within ipBlackList. +- hostnameExceptionList(Array) - specific which hostname are legal within ipBlackList. - checkAddress(Function) - determine the ip by the function's return value, `false` means illegal ip. ```js @@ -540,6 +541,10 @@ exports.security = { '10.1.1.1', '10.10.0.1/24', ], + // legal hostname + hostnameExceptionList: [ + 'example.com', + ], // checkAddress has higher priority than ipBlackList checkAddress(ip) { return ip !== '127.0.0.1'; diff --git a/app/extend/context.js b/app/extend/context.js index 6086c44..0a87ff1 100644 --- a/app/extend/context.js +++ b/app/extend/context.js @@ -209,7 +209,7 @@ module.exports = { }, [CSRF_REFERER_CHECK]() { - const { refererWhiteList } = this.app.config.security.csrf; + const { refererWhiteList } = this.app.config.security.csrf.refererWhiteList; const referer = (this.headers.referer || '').toLowerCase(); if (!referer) { debug('missing csrf referer'); diff --git a/config/config.default.js b/config/config.default.js index 508d01a..e6e4520 100644 --- a/config/config.default.js +++ b/config/config.default.js @@ -103,6 +103,7 @@ module.exports = () => { ssrf: { ipBlackList: null, ipExceptionList: null, + hostnameExceptionList: null, checkAddress: null, }, }; diff --git a/lib/utils.js b/lib/utils.js index e451406..c013cf1 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -111,7 +111,14 @@ exports.preprocessConfig = function(config) { if (ssrf && ssrf.ipBlackList && !ssrf.checkAddress) { const containsList = ssrf.ipBlackList.map(getContains); const exceptionList = (ssrf.ipExceptionList || []).map(getContains); - ssrf.checkAddress = ipAddresses => { + const hostnameExceptionList = ssrf.hostnameExceptionList; + ssrf.checkAddress = (ipAddresses, family, hostname) => { + // Check hostname first + if (hostname && hostnameExceptionList) { + if (hostnameExceptionList.includes(hostname)) { + return true; + } + } // ipAddresses will be array address on Node.js >= 20 // [ // { address: '220.181.125.241', family: 4 }, diff --git a/test/fixtures/apps/ssrf-hostname-exception-list/config/config.default.js b/test/fixtures/apps/ssrf-hostname-exception-list/config/config.default.js new file mode 100644 index 0000000..f88cc14 --- /dev/null +++ b/test/fixtures/apps/ssrf-hostname-exception-list/config/config.default.js @@ -0,0 +1,15 @@ +'use strict'; + +exports.security = { + ssrf: { + ipBlackList: [ + '10.0.0.0/8', + '127.0.0.1', + '0.0.0.0/32', + ], + hostnameExceptionList: [ + 'registry.npmjs.org', + 'registry.npmmirror.com', + ], + }, +}; diff --git a/test/fixtures/apps/ssrf-hostname-exception-list/package.json b/test/fixtures/apps/ssrf-hostname-exception-list/package.json new file mode 100644 index 0000000..868fb2c --- /dev/null +++ b/test/fixtures/apps/ssrf-hostname-exception-list/package.json @@ -0,0 +1,3 @@ +{ + "name": "ssrf-ip-black-list" +} \ No newline at end of file diff --git a/test/ssrf.test.js b/test/ssrf.test.js index 2840731..dbe5277 100644 --- a/test/ssrf.test.js +++ b/test/ssrf.test.js @@ -171,6 +171,37 @@ describe('test/ssrf.test.js', () => { assert(count === 3); }); }); + + describe('hostnameExceptionList', () => { + before(() => { + app = mm.app({ baseDir: 'apps/ssrf-hostname-exception-list' }); + return app.ready(); + }); + + it('should safeCurl work', async () => { + const ctx = app.createAnonymousContext(); + const host = process.env.CI ? 'registry.npmjs.org' : 'registry.npmmirror.com'; + const url = `https://${host}`; + let count = 0; + + mm(app, 'curl', async (url, options) => { + options.checkAddress('10.0.0.1', 4, host) && count++; + return 'response'; + }); + mm(app.agent, 'curl', async (url, options) => { + options.checkAddress('10.0.0.1', 4, host) && count++; + return 'response'; + }); + mm(ctx, 'curl', async (url, options) => { + options.checkAddress('10.0.0.1', 4, host) && count++; + return 'response'; + }); + + await app.safeCurl(url, { dataType: 'json' }); + await app.agent.safeCurl(url, { dataType: 'json' }); + await ctx.safeCurl(url, { dataType: 'json' }); + }); + }); }); async function checkIllegalAddressError(instance, url) { From 99938a93c691f7e00e156ecefbb6d9f3d8d3e46e Mon Sep 17 00:00:00 2001 From: killagu Date: Mon, 8 Jul 2024 22:52:08 +0800 Subject: [PATCH 2/3] f --- app/extend/context.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/extend/context.js b/app/extend/context.js index 0a87ff1..6086c44 100644 --- a/app/extend/context.js +++ b/app/extend/context.js @@ -209,7 +209,7 @@ module.exports = { }, [CSRF_REFERER_CHECK]() { - const { refererWhiteList } = this.app.config.security.csrf.refererWhiteList; + const { refererWhiteList } = this.app.config.security.csrf; const referer = (this.headers.referer || '').toLowerCase(); if (!referer) { debug('missing csrf referer'); From cedf1738bfee6d812c278df65e0a500527f228fd Mon Sep 17 00:00:00 2001 From: killa Date: Mon, 8 Jul 2024 22:53:03 +0800 Subject: [PATCH 3/3] Update README.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7bcdeca..b921d2e 100644 --- a/README.md +++ b/README.md @@ -523,7 +523,7 @@ In a [Server-Side Request Forgery (SSRF)](https://www.owasp.org/index.php/Server - ipBlackList(Array) - specific which IP addresses are illegal when requested with `safeCurl`. - ipExceptionList(Array) - specific which IP addresses are legal within ipBlackList. -- hostnameExceptionList(Array) - specific which hostname are legal within ipBlackList. +hostnameExceptionList(Array) - specifies which hostnames are legal within ipBlackList. - checkAddress(Function) - determine the ip by the function's return value, `false` means illegal ip. ```js