chore: improve sanitization on concurreny queue logic

nadeem-cs · nadeem-cs · commit dbb940b5e212 · 2025-07-25T15:19:37.000+05:30
diff --git a/lib/core/Util.js b/lib/core/Util.js
@@ -104,18 +104,43 @@ export default function getUserAgent (sdk, application, integration, feature) {
 // URL validation functions to prevent SSRF attacks
 const isValidURL = (url) => {
   try {
+    // Reject obviously malicious patterns early
+    if (url.includes('@') || url.includes('file://') || url.includes('ftp://')) {
+      return false
+    }
+
     // Allow relative URLs (they are safe as they use the same origin)
     if (url.startsWith('/') || url.startsWith('./') || url.startsWith('../')) {
       return true
     }
 
     // Only validate absolute URLs for SSRF protection
     const parsedURL = new URL(url)
+
+    // Reject non-HTTP(S) protocols
+    if (!['http:', 'https:'].includes(parsedURL.protocol)) {
+      return false
+    }
+
+    // Prevent IP addresses in URLs to avoid internal network access
+    const ipv4Regex = /^(\d{1,3}\.){3}\d{1,3}$/
+    const ipv6Regex = /^\[?([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}\]?$/
+    if (ipv4Regex.test(parsedURL.hostname) || ipv6Regex.test(parsedURL.hostname)) {
+      // Only allow localhost IPs in development
+      const isDevelopment = process.env.NODE_ENV === 'development' ||
+                           process.env.NODE_ENV === 'test' ||
+                           !process.env.NODE_ENV
+      const localhostIPs = ['127.0.0.1', '0.0.0.0', '::1', 'localhost']
+      if (!isDevelopment || !localhostIPs.includes(parsedURL.hostname)) {
+        return false
+      }
+    }
+
     return isAllowedHost(parsedURL.hostname)
   } catch (error) {
     // If URL parsing fails, it might be a relative URL without protocol
-    // Allow it if it doesn't contain protocol indicators
-    return !url.includes('://') && !url.includes('\\')
+    // Allow it if it doesn't contain protocol indicators or suspicious patterns
+    return !url.includes('://') && !url.includes('\\') && !url.includes('@')
   }
 }
 
@@ -137,8 +162,12 @@ const isAllowedHost = (hostname) => {
     '0.0.0.0'
   ]
 
-  // Allow localhost for development
-  if (localhostPatterns.includes(hostname)) {
+  // Only allow localhost in development environments to prevent SSRF in production
+  const isDevelopment = process.env.NODE_ENV === 'development' ||
+                       process.env.NODE_ENV === 'test' ||
+                       !process.env.NODE_ENV // Default to allowing in non-production if NODE_ENV is not set
+
+  if (isDevelopment && localhostPatterns.includes(hostname)) {
     return true
   }
 
diff --git a/lib/core/concurrency-queue.js b/lib/core/concurrency-queue.js
@@ -283,8 +283,9 @@ export function ConcurrencyQueue ({ axios, config }) {
 
       // Retry the requests that were pending due to token expiration
       this.running.forEach(({ request, resolve, reject }) => {
-      // Retry the request
-        axios(request).then(resolve).catch(reject)
+      // Retry the request with sanitized configuration to prevent SSRF
+        const sanitizedConfig = validateAndSanitizeConfig(request)
+        axios(sanitizedConfig).then(resolve).catch(reject)
       })
       this.running = [] // Clear the running queue after retrying requests
     } catch (error) {
