summaryrefslogtreecommitdiff
path: root/packages/backend/src/core/HttpRequestService.ts
diff options
context:
space:
mode:
Diffstat (limited to 'packages/backend/src/core/HttpRequestService.ts')
-rw-r--r--packages/backend/src/core/HttpRequestService.ts136
1 files changed, 122 insertions, 14 deletions
diff --git a/packages/backend/src/core/HttpRequestService.ts b/packages/backend/src/core/HttpRequestService.ts
index bea5dee6ab..0ad5667049 100644
--- a/packages/backend/src/core/HttpRequestService.ts
+++ b/packages/backend/src/core/HttpRequestService.ts
@@ -6,6 +6,7 @@
import * as http from 'node:http';
import * as https from 'node:https';
import * as net from 'node:net';
+import ipaddr from 'ipaddr.js';
import CacheableLookup from 'cacheable-lookup';
import fetch from 'node-fetch';
import { HttpProxyAgent, HttpsProxyAgent } from 'hpagent';
@@ -25,9 +26,103 @@ export type HttpRequestSendOptions = {
validators?: ((res: Response) => void)[];
};
+declare module 'node:http' {
+ interface Agent {
+ createConnection(options: net.NetConnectOpts, callback?: (err: unknown, stream: net.Socket) => void): net.Socket;
+ }
+}
+
+class HttpRequestServiceAgent extends http.Agent {
+ constructor(
+ private config: Config,
+ options?: http.AgentOptions,
+ ) {
+ super(options);
+ }
+
+ @bindThis
+ public createConnection(options: net.NetConnectOpts, callback?: (err: unknown, stream: net.Socket) => void): net.Socket {
+ const socket = super.createConnection(options, callback)
+ .on('connect', () => {
+ const address = socket.remoteAddress;
+ if (process.env.NODE_ENV === 'production') {
+ if (address && ipaddr.isValid(address)) {
+ if (this.isPrivateIp(address)) {
+ socket.destroy(new Error(`Blocked address: ${address}`));
+ }
+ }
+ }
+ });
+ return socket;
+ };
+
+ @bindThis
+ private isPrivateIp(ip: string): boolean {
+ const parsedIp = ipaddr.parse(ip);
+
+ for (const net of this.config.allowedPrivateNetworks ?? []) {
+ const cidr = ipaddr.parseCIDR(net);
+ if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) {
+ return false;
+ }
+ }
+
+ return parsedIp.range() !== 'unicast';
+ }
+}
+
+class HttpsRequestServiceAgent extends https.Agent {
+ constructor(
+ private config: Config,
+ options?: https.AgentOptions,
+ ) {
+ super(options);
+ }
+
+ @bindThis
+ public createConnection(options: net.NetConnectOpts, callback?: (err: unknown, stream: net.Socket) => void): net.Socket {
+ const socket = super.createConnection(options, callback)
+ .on('connect', () => {
+ const address = socket.remoteAddress;
+ if (process.env.NODE_ENV === 'production') {
+ if (address && ipaddr.isValid(address)) {
+ if (this.isPrivateIp(address)) {
+ socket.destroy(new Error(`Blocked address: ${address}`));
+ }
+ }
+ }
+ });
+ return socket;
+ };
+
+ @bindThis
+ private isPrivateIp(ip: string): boolean {
+ const parsedIp = ipaddr.parse(ip);
+
+ for (const net of this.config.allowedPrivateNetworks ?? []) {
+ const cidr = ipaddr.parseCIDR(net);
+ if (cidr[0].kind() === parsedIp.kind() && parsedIp.match(ipaddr.parseCIDR(net))) {
+ return false;
+ }
+ }
+
+ return parsedIp.range() !== 'unicast';
+ }
+}
+
@Injectable()
export class HttpRequestService {
/**
+ * Get http non-proxy agent (without local address filtering)
+ */
+ private httpNative: http.Agent;
+
+ /**
+ * Get https non-proxy agent (without local address filtering)
+ */
+ private httpsNative: https.Agent;
+
+ /**
* Get http non-proxy agent
*/
private http: http.Agent;
@@ -57,19 +152,20 @@ export class HttpRequestService {
lookup: false, // nativeのdns.lookupにfallbackしない
});
- this.http = new http.Agent({
+ const agentOption = {
keepAlive: true,
keepAliveMsecs: 30 * 1000,
lookup: cache.lookup as unknown as net.LookupFunction,
localAddress: config.outgoingAddress,
- });
+ };
- this.https = new https.Agent({
- keepAlive: true,
- keepAliveMsecs: 30 * 1000,
- lookup: cache.lookup as unknown as net.LookupFunction,
- localAddress: config.outgoingAddress,
- });
+ this.httpNative = new http.Agent(agentOption);
+
+ this.httpsNative = new https.Agent(agentOption);
+
+ this.http = new HttpRequestServiceAgent(config, agentOption);
+
+ this.https = new HttpsRequestServiceAgent(config, agentOption);
const maxSockets = Math.max(256, config.deliverJobConcurrency ?? 128);
@@ -104,16 +200,22 @@ export class HttpRequestService {
* @param bypassProxy Allways bypass proxy
*/
@bindThis
- public getAgentByUrl(url: URL, bypassProxy = false): http.Agent | https.Agent {
+ public getAgentByUrl(url: URL, bypassProxy = false, isLocalAddressAllowed = false): http.Agent | https.Agent {
if (bypassProxy || (this.config.proxyBypassHosts ?? []).includes(url.hostname)) {
+ if (isLocalAddressAllowed) {
+ return url.protocol === 'http:' ? this.httpNative : this.httpsNative;
+ }
return url.protocol === 'http:' ? this.http : this.https;
} else {
+ if (isLocalAddressAllowed && (!this.config.proxy)) {
+ return url.protocol === 'http:' ? this.httpNative : this.httpsNative;
+ }
return url.protocol === 'http:' ? this.httpAgent : this.httpsAgent;
}
}
@bindThis
- public async getActivityJson(url: string): Promise<IObject> {
+ public async getActivityJson(url: string, isLocalAddressAllowed = false): Promise<IObject> {
const res = await this.send(url, {
method: 'GET',
headers: {
@@ -121,6 +223,7 @@ export class HttpRequestService {
},
timeout: 5000,
size: 1024 * 256,
+ isLocalAddressAllowed: isLocalAddressAllowed,
}, {
throwErrorWhenResponseNotOk: true,
validators: [validateContentTypeSetAsActivityPub],
@@ -129,13 +232,13 @@ export class HttpRequestService {
const finalUrl = res.url; // redirects may have been involved
const activity = await res.json() as IObject;
- assertActivityMatchesUrls(activity, [url, finalUrl]);
+ assertActivityMatchesUrls(activity, [finalUrl]);
return activity;
}
@bindThis
- public async getJson<T = unknown>(url: string, accept = 'application/json, */*', headers?: Record<string, string>): Promise<T> {
+ public async getJson<T = unknown>(url: string, accept = 'application/json, */*', headers?: Record<string, string>, isLocalAddressAllowed = false): Promise<T> {
const res = await this.send(url, {
method: 'GET',
headers: Object.assign({
@@ -143,19 +246,21 @@ export class HttpRequestService {
}, headers ?? {}),
timeout: 5000,
size: 1024 * 256,
+ isLocalAddressAllowed: isLocalAddressAllowed,
});
return await res.json() as T;
}
@bindThis
- public async getHtml(url: string, accept = 'text/html, */*', headers?: Record<string, string>): Promise<string> {
+ public async getHtml(url: string, accept = 'text/html, */*', headers?: Record<string, string>, isLocalAddressAllowed = false): Promise<string> {
const res = await this.send(url, {
method: 'GET',
headers: Object.assign({
Accept: accept,
}, headers ?? {}),
timeout: 5000,
+ isLocalAddressAllowed: isLocalAddressAllowed,
});
return await res.text();
@@ -170,6 +275,7 @@ export class HttpRequestService {
headers?: Record<string, string>,
timeout?: number,
size?: number,
+ isLocalAddressAllowed?: boolean,
} = {},
extra: HttpRequestSendOptions = {
throwErrorWhenResponseNotOk: true,
@@ -183,6 +289,8 @@ export class HttpRequestService {
controller.abort();
}, timeout);
+ const isLocalAddressAllowed = args.isLocalAddressAllowed ?? false;
+
const res = await fetch(url, {
method: args.method ?? 'GET',
headers: {
@@ -191,7 +299,7 @@ export class HttpRequestService {
},
body: args.body,
size: args.size ?? 10 * 1024 * 1024,
- agent: (url) => this.getAgentByUrl(url),
+ agent: (url) => this.getAgentByUrl(url, false, isLocalAddressAllowed),
signal: controller.signal,
});
generated by cgit v1.2.3-freya (git 2.53.0.84.g453e7b744a) at 2026-03-03 19:18:56 +0000