Hartmut
0e119cfe73
#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request #20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch #21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth #22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds #23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request #24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob; run db:migrate:deploy on container start so a fresh checkout boots without manual steps Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap) Co-Authored-By: claude-flow <ruv@ruv.net>
71 lines
2.1 KiB
TypeScript
71 lines
2.1 KiB
TypeScript
/**
|
|
* SSRF guard for outbound webhook URLs.
|
|
*
|
|
* Validates that a target URL is not pointing to internal/private infrastructure
|
|
* before allowing a webhook to be stored or dispatched.
|
|
*/
|
|
import { lookup } from "node:dns/promises";
|
|
import { TRPCError } from "@trpc/server";
|
|
|
|
/** Regex patterns matching IP ranges that must not be targeted. */
|
|
const BLOCKED_IP_PATTERNS: RegExp[] = [
|
|
// Loopback IPv4
|
|
/^127\./,
|
|
// Loopback IPv6
|
|
/^::1$/,
|
|
// RFC 1918 private
|
|
/^10\./,
|
|
/^172\.(1[6-9]|2\d|3[01])\./,
|
|
/^192\.168\./,
|
|
// Link-local
|
|
/^169\.254\./,
|
|
// Cloud metadata (AWS, GCP, Azure)
|
|
/^100\.64\./,
|
|
];
|
|
|
|
/** Hostnames that must never be resolved or contacted. */
|
|
const BLOCKED_HOSTNAMES = new Set([
|
|
"localhost",
|
|
"metadata.google.internal",
|
|
"169.254.169.254",
|
|
]);
|
|
|
|
function isBlockedIp(ip: string): boolean {
|
|
return BLOCKED_IP_PATTERNS.some((re) => re.test(ip));
|
|
}
|
|
|
|
/**
|
|
* Throws a TRPCError if the given URL targets internal/private infrastructure.
|
|
* Performs DNS resolution to catch attempts to bypass hostname checks.
|
|
*/
|
|
export async function assertWebhookUrlAllowed(urlString: string): Promise<void> {
|
|
let parsed: URL;
|
|
try {
|
|
parsed = new URL(urlString);
|
|
} catch {
|
|
throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid webhook URL." });
|
|
}
|
|
|
|
if (parsed.protocol !== "https:") {
|
|
throw new TRPCError({ code: "BAD_REQUEST", message: "Webhook URLs must use HTTPS." });
|
|
}
|
|
|
|
const hostname = parsed.hostname.toLowerCase();
|
|
|
|
if (BLOCKED_HOSTNAMES.has(hostname)) {
|
|
throw new TRPCError({ code: "BAD_REQUEST", message: "Webhook URL target is not allowed." });
|
|
}
|
|
|
|
// Resolve hostname and validate the resulting IP address
|
|
try {
|
|
const { address } = await lookup(hostname);
|
|
if (isBlockedIp(address) || BLOCKED_HOSTNAMES.has(address)) {
|
|
throw new TRPCError({ code: "BAD_REQUEST", message: "Webhook URL target is not allowed." });
|
|
}
|
|
} catch (err) {
|
|
if (err instanceof TRPCError) throw err;
|
|
// DNS resolution failed — block by default (fail-closed)
|
|
throw new TRPCError({ code: "BAD_REQUEST", message: "Webhook URL could not be validated." });
|
|
}
|
|
}
|