CHAI
/
chtech-anythingllm
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
28 Commits
1 Branch
0 Tags
235 MiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
chtech-anythingllm/collector/utils/url/index.js

55 lines
2.3 KiB
Raw Permalink Normal View History

first commit
11 months ago
  1. /** ATTN: SECURITY RESEARCHERS
  2. * To Security researchers about to submit an SSRF report CVE - please don't.
  3. * We are aware that the code below is does not defend against any of the thousands of ways
  4. * you can map a hostname to another IP via tunneling, hosts editing, etc. The code below does not have intention of blocking this
  5. * and is simply to prevent the user from accidentally putting in non-valid websites, which is all this protects
  6. * since _all urls must be submitted by the user anyway_ and cannot be done with authentication and manager or admin roles.
  7. * If an attacker has those roles then the system is already vulnerable and this is not a primary concern.
  8. *
  9. * We have gotten this report may times, marked them as duplicate or information and continue to get them. We communicate
  10. * already that deployment (and security) of an instance is on the deployer and system admin deploying it. This would include
  11. * isolation, firewalls, and the general security of the instance.
  12. */
  14. const VALID_PROTOCOLS = ["https:", "http:"];
  15. const INVALID_OCTETS = [192, 172, 10, 127];
  17. /**
  18. * If an ip address is passed in the user is attempting to collector some internal service running on internal/private IP.
  19. * This is not a security feature and simply just prevents the user from accidentally entering invalid IP addresses.
  20. * @param {URL} param0
  21. * @param {URL['hostname']} param0.hostname
  22. * @returns {boolean}
  23. */
  24. function isInvalidIp({ hostname }) {
  25. const IPRegex = new RegExp(
  26. /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/gi
  27. );
  29. // Not an IP address at all - passthrough
  30. if (!IPRegex.test(hostname)) return false;
  31. const [octetOne, ..._rest] = hostname.split(".");
  33. // If fails to validate to number - abort and return as invalid.
  34. if (isNaN(Number(octetOne))) return true;
  36. // Allow localhost loopback and 0.0.0.0 for scraping convenience
  37. // for locally hosted services or websites
  38. if (["127.0.0.1", "0.0.0.0"].includes(hostname)) return false;
  40. return INVALID_OCTETS.includes(Number(octetOne));
  41. }
  43. function validURL(url) {
  44. try {
  45. const destination = new URL(url);
  46. if (!VALID_PROTOCOLS.includes(destination.protocol)) return false;
  47. if (isInvalidIp(destination)) return false;
  48. return true;
  49. } catch {}
  50. return false;
  51. }
  53. module.exports = {
  54. validURL,
  55. };