Date: 2021-07-20

An http(s).Agent class that blocks requests to Private IP addresses and Reserved IP addresses.

It helps to prevent server-side request forgery (SSRF) attacks.

This library depends on ipaddr.js definitions. It blocks requests to these IP addresses by default.

So, this library blocks requests to non-unicast IP addresses.

Support http.Agent libraries

This library provides an implementation of Node.js's http.Agent. http.Agent is supported by popular libraries.

Node.js's built-in http and https

node-fetch

Request

node-http-proxy

axios

got

request-filtering-agent works with these libraries!

Install

Install with npm:

npm install request-filtering-agent

Usage

useAgent(url) returns an agent for the URL.

The agent blocks requests to Private network and Reserved IP addresses by default.

```javascript
const fetch = require("node-fetch");
const { useAgent } = require("request-filtering-agent");

const url = 'http://127.0.0.1:8080/';
// useAgent() picks the http or https filtering agent based on the URL
fetch(url, {
    agent: useAgent(url)
}).catch(err => {
    // The request to the loopback address is rejected
    console.error(err);
});
```

request-filtering-agent supports loopback domains like nip.io. This library checks the IP address that the DNS lookup returns.

```
$ dig 127.0.0.1.nip.io

;127.0.0.1.nip.io.		IN	A

;; ANSWER SECTION:
127.0.0.1.nip.io.	300	IN	A	127.0.0.1
```

Example code:

```javascript
const fetch = require("node-fetch");
const { useAgent } = require("request-filtering-agent");

// The hostname looks public, but it resolves to 127.0.0.1
const url = 'http://127.0.0.1.nip.io:8080/';
fetch(url, {
    agent: useAgent(url)
}).catch(err => {
    console.error(err);
});
```

It will prevent DNS rebinding
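The sketch below is an added example, not request-filtering-agent's own code. It shows the idea behind the nip.io and DNS rebinding behaviour described above: the check runs on the address that the lookup hands to the socket, so no second resolution happens between check and connect. The range list, the error text, the fake resolver and the names `isBlockedAddress`, `filteringLookup` and `resolveFiltered` are assumptions made for the example.

```javascript
const net = require("net");
const dns = require("dns");

// Abridged, constructed range list (assumption); the library relies on ipaddr.js definitions.
const BLOCKED = new net.BlockList();
for (const [prefix, bits] of [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
]) BLOCKED.addSubnet(prefix, bits, "ipv4");
for (const [prefix, bits] of [
  ["::", 128], ["::1", 128], ["fc00::", 7], ["fe80::", 10], ["ff00::", 8],
]) BLOCKED.addSubnet(prefix, bits, "ipv6");

// Returns true when a resolved address must not be connected to.
function isBlockedAddress(address, allowIPAddressList = []) {
  if (allowIPAddressList.includes(address)) return false;
  const family = net.isIP(address); // 4, 6, or 0 when not an IP literal
  if (family === 0) return true; // fail closed on anything unparseable
  return BLOCKED.check(address, family === 6 ? "ipv6" : "ipv4");
}

// Wraps a dns.lookup-compatible function; the result fits the `lookup` socket option.
function filteringLookup(lookup = dns.lookup, allowIPAddressList = []) {
  return (hostname, options, callback) => {
    if (typeof options === "function") [options, callback] = [{}, options];
    lookup(hostname, options, (err, result, family) => {
      if (err) return callback(err);
      // With { all: true } the result is an array of { address, family }.
      const addresses = Array.isArray(result) ? result.map((r) => r.address) : [result];
      const bad = addresses.find((a) => isBlockedAddress(a, allowIPAddressList));
      if (bad !== undefined) {
        return callback(new Error(`DNS lookup ${bad} (${hostname}) is not allowed`));
      }
      callback(null, result, family);
    });
  };
}

// Constructed stand-in for DNS so the example runs offline.
const FAKE_DNS = { "127.0.0.1.nip.io": "127.0.0.1", "example.test": "93.184.216.34" };
const fakeLookup = (host, _opts, cb) => cb(null, FAKE_DNS[host], 4);

// Runs one lookup through the filter and returns the address or a "blocked: ..." string.
function resolveFiltered(host, allowList = []) {
  let outcome;
  filteringLookup(fakeLookup, allowList)(host, {}, (err, addr) => {
    outcome = err ? `blocked: ${err.message}` : addr;
  });
  return outcome;
}
```

Node skips the lookup when the host is already an IP literal, so a filter built this way also has to run the same check on the host string itself before connecting.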

API

```typescript
export interface RequestFilteringAgentOptions {
    allowPrivateIPAddress?: boolean;
    allowMetaIPAddress?: boolean;
    allowIPAddressList?: string[];
    denyIPAddressList?: string[]
}
export declare function applyRequestFilter<T extends http.Agent | https.Agent>(agent: T, options?: RequestFilteringAgentOptions): T;
export declare class RequestFilteringHttpAgent extends http.Agent {
    constructor(options?: http.AgentOptions & RequestFilteringAgentOptions);
}
export declare class RequestFilteringHttpsAgent extends https.Agent {
    constructor(options?: https.AgentOptions & RequestFilteringAgentOptions);
}
export declare const globalHttpAgent: RequestFilteringHttpAgent;
export declare const globalHttpsAgent: RequestFilteringHttpsAgent;
export declare const useAgent: (url: string) => RequestFilteringHttpAgent | RequestFilteringHttpsAgent;
```

Example: Create an Agent with options

An agent that allows requests to 127.0.0.1 but disallows other Private IP addresses.

```javascript
const fetch = require("node-fetch");
const { RequestFilteringHttpAgent } = require("request-filtering-agent");

// Create an http agent that allows requests to 127.0.0.1 only
const agent = new RequestFilteringHttpAgent({
    allowIPAddressList: ["127.0.0.1"],
    allowPrivateIPAddress: false,
});
const url = 'http://127.0.0.1:8080/';
fetch(url, {
    agent: agent
}).then(res => {
    console.log(res);
});
```

Example: Apply request filtering to an existing http.Agent

You can apply request filtering to an http.Agent or https.Agent using the applyRequestFilter method.

```javascript
const http = require("http");
const fetch = require("node-fetch");
const { applyRequestFilter } = require("request-filtering-agent");

// An existing agent with its own options
const agent = new http.Agent({
    keepAlive: true,
});
// Add request filtering to the existing agent
const agentWithFiltering = applyRequestFilter(agent, {
    allowPrivateIPAddress: false
});
const url = 'http://169.254.169.254/';
fetch(url, {
    agent: agentWithFiltering
}).catch(error => {
    console.error(error);
});
```

Related

welefen/ssrf-agent: make http(s) request to prevent SSRF

It provides only a high-level wrapper

It only handles Private IP addresses that are defined in node-ip

It is missing Meta IP addresses like 0.0.0.0



