-
Notifications
You must be signed in to change notification settings - Fork 8
Expand file tree
/
Copy pathUtil.js
More file actions
250 lines (215 loc) · 7.65 KB
/
Util.js
File metadata and controls
250 lines (215 loc) · 7.65 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
import { platform, release } from 'os'
import regionHostMap from '../assets/regions.json'
const HOST_REGEX = /^(?!(?:(?:https?|ftp):\/\/|internal|localhost|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)))(?:[\w-]+\.contentstack\.(?:io|com)(?::[^\/\s:]+)?|[\w-]+(?:\.[\w-]+)*(?::[^\/\s:]+)?)(?![\/?#])$/ // eslint-disable-line
export function isHost (host) {
if (!host) return false
return HOST_REGEX.test(host)
}
export function isNode () {
return typeof process !== 'undefined' && !process.browser
}
export function getNodeVersion () {
return process.versions.node ? `v${process.versions.node}` : process.version
}
function isReactNative () {
return typeof window !== 'undefined' && 'navigator' in window && 'product' in window.navigator && window.navigator.product === 'ReactNative'
}
function getBrowserOS () {
if (!window) {
return null
}
const userAgent = window.navigator.userAgent
const platform = window.navigator.platform
const macosPlatforms = ['Macintosh', 'MacIntel', 'MacPPC', 'Mac68K']
const windowsPlatforms = ['Win32', 'Win64', 'Windows', 'WinCE']
const iosPlatforms = ['iPhone', 'iPad', 'iPod']
let os = null
if (macosPlatforms.indexOf(platform) !== -1) {
os = 'macOS'
} else if (iosPlatforms.indexOf(platform) !== -1) {
os = 'iOS'
} else if (windowsPlatforms.indexOf(platform) !== -1) {
os = 'Windows'
} else if (/Android/.test(userAgent)) {
os = 'Android'
} else if (/Linux/.test(platform)) {
os = 'Linux'
}
return os
}
function getNodeOS () {
const os = platform() || 'linux'
const version = release() || '0.0.0'
const osMap = {
android: 'Android',
aix: 'Linux',
darwin: 'macOS',
freebsd: 'Linux',
linux: 'Linux',
openbsd: 'Linux',
sunos: 'Linux',
win32: 'Windows'
}
if (os in osMap) {
return `${osMap[os] || 'Linux'}/${version}`
}
return null
}
export default function getUserAgent (sdk, application, integration, feature) {
const headerParts = []
if (application) {
headerParts.push(`app ${application}`)
}
if (integration) {
headerParts.push(`integration ${integration}`)
}
if (feature) {
headerParts.push('feature ' + feature)
}
headerParts.push(`sdk ${sdk}`)
let os = null
try {
if (isReactNative()) {
os = getBrowserOS()
headerParts.push('platform ReactNative')
} else if (isNode()) {
os = getNodeOS()
headerParts.push(`platform node.js/${getNodeVersion()}`)
} else {
os = getBrowserOS()
headerParts.push(`platform browser`)
}
} catch (e) {
os = null
}
if (os) {
headerParts.push(`os ${os}`)
}
return `${headerParts.filter((item) => item !== '').join('; ')};`
}
// URL validation functions to prevent SSRF attacks
const isValidURL = (url) => {
try {
// Reject obviously malicious patterns early
if (url.includes('@') || url.includes('file://') || url.includes('ftp://')) {
return false
}
// Allow relative URLs (they are safe as they use the same origin)
if (url.startsWith('/') || url.startsWith('./') || url.startsWith('../')) {
return true
}
// Only validate absolute URLs for SSRF protection
const parsedURL = new URL(url)
// Reject non-HTTP(S) protocols
if (!['http:', 'https:'].includes(parsedURL.protocol)) {
return false
}
const officialDomains = [
'api.contentstack.io',
'eu-api.contentstack.com',
'azure-na-api.contentstack.com',
'azure-eu-api.contentstack.com',
'gcp-na-api.contentstack.com',
'gcp-eu-api.contentstack.com'
]
const isContentstackDomain = officialDomains.some(domain =>
parsedURL.hostname === domain || parsedURL.hostname.endsWith('.' + domain)
)
if (isContentstackDomain && parsedURL.protocol !== 'https:') {
return false
}
// Prevent IP addresses in URLs to avoid internal network access
const ipv4Regex = /^(\d{1,3}\.){3}\d{1,3}$/
const ipv6Regex = /^\[?([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}\]?$/
if (ipv4Regex.test(parsedURL.hostname) || ipv6Regex.test(parsedURL.hostname)) {
// Only allow localhost IPs in development
const isDevelopment = process.env.NODE_ENV === 'development' ||
process.env.NODE_ENV === 'test' ||
!process.env.NODE_ENV
const localhostIPs = ['127.0.0.1', '0.0.0.0', '::1', 'localhost']
if (!isDevelopment || !localhostIPs.includes(parsedURL.hostname)) {
return false
}
}
return isAllowedHost(parsedURL.hostname)
} catch {
// If URL parsing fails, it might be a relative URL without protocol
// Allow it if it doesn't contain protocol indicators or suspicious patterns
return !url?.includes('://') && !url?.includes('\\') && !url?.includes('@')
}
}
const isAllowedHost = (hostname) => {
// Define allowed domains for Contentstack API
// Official Contentstack domains
const allowedDomains = [
'api.contentstack.io',
'eu-api.contentstack.com',
'azure-na-api.contentstack.com',
'azure-eu-api.contentstack.com',
'gcp-na-api.contentstack.com',
'gcp-eu-api.contentstack.com'
]
// Check for localhost/development environments
const localhostPatterns = [
'localhost',
'127.0.0.1',
'0.0.0.0'
]
// Only allow localhost in development environments to prevent SSRF in production
const isDevelopment = process.env.NODE_ENV === 'development' ||
process.env.NODE_ENV === 'test' ||
!process.env.NODE_ENV // Default to allowing in non-production if NODE_ENV is not set
if (isDevelopment && localhostPatterns.includes(hostname)) {
return true
}
// Check if hostname is in allowed domains or is a subdomain of allowed domains
const isContentstackDomain = allowedDomains.some(domain => {
return hostname === domain || hostname.endsWith('.' + domain)
})
// If it's not a Contentstack domain, validate custom hostname
if (!isContentstackDomain) {
// Prevent internal/reserved IP ranges and localhost variants
const ipv4Regex = /^(\d{1,3}\.){3}\d{1,3}$/
if (hostname?.match(ipv4Regex)) {
const parts = hostname.split('.')
const firstOctet = parseInt(parts[0])
// Only block private IP ranges
if (firstOctet === 10 || firstOctet === 192 || firstOctet === 127) {
return false
}
}
// Allow custom domains that don't match dangerous patterns
return !hostname.includes('file://') &&
!hostname.includes('\\') &&
!hostname.includes('@') &&
hostname !== 'localhost'
}
return isContentstackDomain
}
export const validateAndSanitizeConfig = (config) => {
if (!config?.url || typeof config?.url !== 'string') {
throw new Error('Invalid request configuration: missing or invalid URL')
}
// Validate the URL to prevent SSRF attacks
if (!isValidURL(config.url)) {
throw new Error(`SSRF Prevention: URL "${config.url}" is not allowed`)
}
// Additional validation for baseURL if present
if (config.baseURL && typeof config.baseURL === 'string' && !isValidURL(config.baseURL)) {
throw new Error(`SSRF Prevention: Base URL "${config.baseURL}" is not allowed`)
}
return {
...config,
url: config.url.trim() // Sanitize URL by removing whitespace
}
}
export const getRegionEndpoint = (region, service = 'contentManagement') => {
const regionData = regionHostMap.regions.find(r =>
r.id === region ||
r.alias.some(alias => alias === region)
)
if (!regionData) {
throw new Error(`Invalid region '${region}' provided. Allowed regions are: ${regionHostMap.regions.map(r => r.id).join(', ')}`)
}
return regionData.endpoints[service]?.replace(/^https?:\/\//, '')
}