Improve undici perf

Author: hansott

library/sinks/Fetch.ts

@@ -17,13 +17,13 @@ export class Fetch implements Wrapper {
 
   private inspectHostname(
     agent: Agent,
-    hostname: URL,
+    hostname: Hostname,
     port: number | undefined
   ): InterceptorResult {
     // Let the agent know that we are connecting to this hostname
     // This is to build a list of all hostnames that the application is connecting to
     if (typeof port === "number" && port > 0) {
-      agent.onConnectHostname(hostname.hostname, port);
+      agent.onConnectHostname(hostname.asString(), port);
     }
     const context = getContext();
 
@@ -32,7 +32,7 @@ export class Fetch implements Wrapper {
     }
 
     return checkContextForSSRF({
-      hostname: Hostname.fromURL(hostname),
+      hostname: hostname,
       operation: "fetch",
       context: context,
       port: port,
@@ -45,7 +45,11 @@ export class Fetch implements Wrapper {
       if (typeof args[0] === "string" && args[0].length > 0) {
         const url = tryParseURL(args[0]);
         if (url) {
-          const attack = this.inspectHostname(agent, url, getPortFromURL(url));
+          const attack = this.inspectHostname(
+            agent,
+            Hostname.fromURL(url),
+            getPortFromURL(url)
+          );
           if (attack) {
             return attack;
           }
@@ -59,7 +63,11 @@ export class Fetch implements Wrapper {
       if (Array.isArray(args[0])) {
         const url = tryParseURL(args[0].toString());
         if (url) {
-          const attack = this.inspectHostname(agent, url, getPortFromURL(url));
+          const attack = this.inspectHostname(
+            agent,
+            Hostname.fromURL(url),
+            getPortFromURL(url)
+          );
           if (attack) {
             return attack;
           }
@@ -70,7 +78,7 @@ export class Fetch implements Wrapper {
       if (args[0] instanceof URL && args[0].hostname.length > 0) {
         const attack = this.inspectHostname(
           agent,
-          args[0],
+          Hostname.fromURL(args[0]),
           getPortFromURL(args[0])
         );
         if (attack) {
@@ -82,7 +90,11 @@ export class Fetch implements Wrapper {
       if (args[0] instanceof Request) {
         const url = tryParseURL(args[0].url);
         if (url) {
-          const attack = this.inspectHostname(agent, url, getPortFromURL(url));
+          const attack = this.inspectHostname(
+            agent,
+            Hostname.fromURL(url),
+            getPortFromURL(url)
+          );
           if (attack) {
             return attack;
           }

library/sinks/Undici.ts

@@ -27,28 +27,24 @@ const methods = [
 export class Undici implements Wrapper {
   private inspectHostname(
     agent: Agent,
-    hostname: string,
+    hostname: Hostname,
     port: number | undefined,
     method: string
   ): InterceptorResult {
     // Let the agent know that we are connecting to this hostname
     // This is to build a list of all hostnames that the application is connecting to
     if (typeof port === "number" && port > 0) {
-      agent.onConnectHostname(hostname, port);
+      agent.onConnectHostname(hostname.asString(), port);
     }
+
     const context = getContext();
 
     if (!context) {
       return undefined;
     }
 
-    const hostnameURL = tryParseURL(`http://${hostname}`);
-    if (!hostnameURL) {
-      return undefined;
-    }
-
     return checkContextForSSRF({
-      hostname: Hostname.fromURL(hostnameURL),
+      hostname: hostname,
       operation: `undici.${method}`,
       context,
       port,

library/sinks/undici/getHostnameAndPortFromArgs.test.ts

@@ -1,78 +1,79 @@
 import * as t from "tap";
+import { Hostname } from "../../vulnerabilities/ssrf/Hostname";
 import { getHostnameAndPortFromArgs as get } from "./getHostnameAndPortFromArgs";
 import { parse as parseUrl } from "url";
 
 t.test("it works with url string", async (t) => {
   t.same(get(["http://localhost:4000"]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 4000,
   });
   t.same(get(["http://localhost?test=1"]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 80,
   });
   t.same(get(["https://localhost"]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 443,
   });
 });
 
 t.test("it works with url object", async (t) => {
   t.same(get([new URL("http://localhost:4000")]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 4000,
   });
   t.same(get([new URL("http://localhost?test=1")]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 80,
   });
   t.same(get([new URL("https://localhost")]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 443,
   });
 });
 
 t.test("it works with an array of strings", async (t) => {
   t.same(get([["http://localhost:4000"]]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 4000,
   });
   t.same(get([["http://localhost?test=1"]]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 80,
   });
   t.same(get([["https://localhost"]]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 443,
   });
 });
 
 t.test("it works with an legacy url object", async (t) => {
   t.same(get([parseUrl("http://localhost:4000")]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 4000,
   });
   t.same(get([parseUrl("http://localhost?test=1")]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 80,
   });
   t.same(get([parseUrl("https://localhost")]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 443,
   });
 });
 
 t.test("it works with an options object containing origin", async (t) => {
   t.same(get([{ origin: "http://localhost:4000" }]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 4000,
   });
   t.same(get([{ origin: "http://localhost?test=1" }]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 80,
   });
   t.same(get([{ origin: "https://localhost" }]), {
-    hostname: "localhost",
+    hostname: Hostname.fromString("localhost"),
     port: 443,
   });
 });
@@ -81,15 +82,15 @@ t.test(
   "it works with an options object containing protocol, hostname and port",
   async (t) => {
     t.same(get([{ protocol: "http:", hostname: "localhost", port: 4000 }]), {
-      hostname: "localhost",
+      hostname: Hostname.fromString("localhost"),
       port: 4000,
     });
     t.same(get([{ hostname: "localhost", port: 4000 }]), {
-      hostname: "localhost",
+      hostname: Hostname.fromString("localhost"),
       port: 4000,
     });
     t.same(get([{ protocol: "https:", hostname: "localhost" }]), {
-      hostname: "localhost",
+      hostname: Hostname.fromString("localhost"),
       port: 443,
     });
   }
@@ -104,3 +105,11 @@ t.test("without hostname", async (t) => {
   t.same(get([{}]), undefined);
   t.same(get([{ protocol: "https:", port: 4000 }]), undefined);
 });
+
+t.test("invalid hostname", async (t) => {
+  t.same(get([{ protocol: "https:", hostname: " " }]), undefined);
+});
+
+t.test("empty args", async (t) => {
+  t.same(get([]), undefined);
+});

library/sinks/undici/getHostnameAndPortFromArgs.ts

@@ -1,9 +1,10 @@
 import { getPortFromURL } from "../../helpers/getPortFromURL";
 import { tryParseURL } from "../../helpers/tryParseURL";
+import { Hostname } from "../../vulnerabilities/ssrf/Hostname";
 import { isOptionsObject } from "../http-request/isOptionsObject";
 
 type HostnameAndPort = {
-  hostname: string;
+  hostname: Hostname;
   port: number | undefined;
 };
 
@@ -36,7 +37,7 @@ export function getHostnameAndPortFromArgs(
     // If url is not undefined, extract the hostname and port
     if (url && url.hostname.length > 0) {
       return {
-        hostname: url.hostname,
+        hostname: Hostname.fromURL(url),
         port: getPortFromURL(url),
       };
     }
@@ -60,7 +61,7 @@ function parseOptionsObject(obj: any): HostnameAndPort | undefined {
     const url = tryParseURL(obj.origin);
     if (url) {
       return {
-        hostname: url.hostname,
+        hostname: Hostname.fromURL(url),
         port: getPortFromURL(url),
       };
     }
@@ -87,8 +88,13 @@ function parseOptionsObject(obj: any): HostnameAndPort | undefined {
     return undefined;
   }
 
+  const hostname = Hostname.fromString(obj.hostname);
+  if (!hostname) {
+    return undefined;
+  }
+
   return {
-    hostname: obj.hostname,
+    hostname,
     port,
   };
 }