feat: add hostnameExceptionList for ssrf

Author: killagu

README.md

@@ -523,6 +523,7 @@ In a [Server-Side Request Forgery (SSRF)](https://www.owasp.org/index.php/Server
 
 - ipBlackList(Array) - specific which IP addresses are illegal when requested with `safeCurl`.
 - ipExceptionList(Array) - specific which IP addresses are legal within ipBlackList.
+- hostnameExceptionList(Array) - specific which hostname are legal within ipBlackList.
 - checkAddress(Function) - determine the ip by the function's return value, `false` means illegal ip.
 
 ```js
@@ -540,6 +541,10 @@ exports.security = {
       '10.1.1.1',
       '10.10.0.1/24',
     ],
+    // legal hostname
+    hostnameExceptionList: [
+      'example.com',
+    ],
     // checkAddress has higher priority than ipBlackList
     checkAddress(ip) {
       return ip !== '127.0.0.1';

app/extend/context.js

@@ -209,7 +209,7 @@ module.exports = {
   },
 
   [CSRF_REFERER_CHECK]() {
-    const { refererWhiteList } = this.app.config.security.csrf;
+    const { refererWhiteList } = this.app.config.security.csrf.refererWhiteList;
     const referer = (this.headers.referer || '').toLowerCase();
     if (!referer) {
       debug('missing csrf referer');

config/config.default.js

@@ -103,6 +103,7 @@ module.exports = () => {
     ssrf: {
       ipBlackList: null,
       ipExceptionList: null,
+      hostnameExceptionList: null,
       checkAddress: null,
     },
   };

lib/utils.js

@@ -111,7 +111,14 @@ exports.preprocessConfig = function(config) {
   if (ssrf && ssrf.ipBlackList && !ssrf.checkAddress) {
     const containsList = ssrf.ipBlackList.map(getContains);
     const exceptionList = (ssrf.ipExceptionList || []).map(getContains);
-    ssrf.checkAddress = ipAddresses => {
+    const hostnameExceptionList = ssrf.hostnameExceptionList;
+    ssrf.checkAddress = (ipAddresses, family, hostname) => {
+      // Check hostname first
+      if (hostname && hostnameExceptionList) {
+        if (hostnameExceptionList.includes(hostname)) {
+          return true;
+        }
+      }
       // ipAddresses will be array address on Node.js >= 20
       // [
       //   { address: '220.181.125.241', family: 4 },

test/fixtures/apps/ssrf-hostname-exception-list/config/config.default.js

@@ -0,0 +1,15 @@
+'use strict';
+
+exports.security = {
+  ssrf: {
+    ipBlackList: [
+      '10.0.0.0/8',
+      '127.0.0.1',
+      '0.0.0.0/32',
+    ],
+    hostnameExceptionList: [
+      'registry.npmjs.org',
+      'registry.npmmirror.com',
+    ],
+  },
+};

test/fixtures/apps/ssrf-hostname-exception-list/package.json

@@ -0,0 +1,3 @@
+{
+  "name": "ssrf-ip-black-list"
+}

test/ssrf.test.js

@@ -171,6 +171,37 @@ describe('test/ssrf.test.js', () => {
       assert(count === 3);
     });
   });
+
+  describe('hostnameExceptionList', () => {
+    before(() => {
+      app = mm.app({ baseDir: 'apps/ssrf-hostname-exception-list' });
+      return app.ready();
+    });
+
+    it('should safeCurl work', async () => {
+      const ctx = app.createAnonymousContext();
+      const host = process.env.CI ? 'registry.npmjs.org' : 'registry.npmmirror.com';
+      const url = `https://${host}`;
+      let count = 0;
+
+      mm(app, 'curl', async (url, options) => {
+        options.checkAddress('10.0.0.1', 4, host) && count++;
+        return 'response';
+      });
+      mm(app.agent, 'curl', async (url, options) => {
+        options.checkAddress('10.0.0.1', 4, host) && count++;
+        return 'response';
+      });
+      mm(ctx, 'curl', async (url, options) => {
+        options.checkAddress('10.0.0.1', 4, host) && count++;
+        return 'response';
+      });
+
+      await app.safeCurl(url, { dataType: 'json' });
+      await app.agent.safeCurl(url, { dataType: 'json' });
+      await ctx.safeCurl(url, { dataType: 'json' });
+    });
+  });
 });
 
 async function checkIllegalAddressError(instance, url) {