chore: Validate and sanitize URL before making request for SSRF prevention

Author: nadeem-cs

lib/core/Util.js

@@ -100,3 +100,63 @@ export default function getUserAgent (sdk, application, integration, feature) {
 
   return `${headerParts.filter((item) => item !== '').join('; ')};`
 }
+
+// URL validation functions to prevent SSRF attacks
+const isValidURL = (url) => {
+  try {
+    // Allow relative URLs (they are safe as they use the same origin)
+    if (url.startsWith('/') || url.startsWith('./') || url.startsWith('../')) {
+      return true
+    }
+
+    // Only validate absolute URLs for SSRF protection
+    const parsedURL = new URL(url)
+    return isAllowedHost(parsedURL.hostname)
+  } catch (error) {
+    // If URL parsing fails, it might be a relative URL without protocol
+    // Allow it if it doesn't contain protocol indicators
+    return !url.includes('://') && !url.includes('\\')
+  }
+}
+
+const isAllowedHost = (hostname) => {
+  // Define allowed domains for Contentstack API
+  const allowedDomains = [
+    'api.contentstack.io',
+    'eu-api.contentstack.com',
+    'azure-na-api.contentstack.com',
+    'azure-eu-api.contentstack.com',
+    'gcp-na-api.contentstack.com',
+    'gcp-eu-api.contentstack.com'
+  ]
+
+  // Check for localhost/development environments
+  const localhostPatterns = [
+    'localhost',
+    '127.0.0.1',
+    '0.0.0.0'
+  ]
+
+  // Allow localhost for development
+  if (localhostPatterns.includes(hostname)) {
+    return true
+  }
+
+  // Check if hostname is in allowed domains or is a subdomain of allowed domains
+  return allowedDomains.some(domain => {
+    return hostname === domain || hostname.endsWith('.' + domain)
+  })
+}
+
+export const validateAndSanitizeConfig = (config) => {
+  if (!config || !config.url) {
+    throw new Error('Invalid request configuration: missing URL')
+  }
+
+  // Validate the URL to prevent SSRF attacks
+  if (!isValidURL(config.url)) {
+    throw new Error(`SSRF Prevention: URL "${config.url}" is not allowed`)
+  }
+
+  return config
+}

lib/core/concurrency-queue.js

@@ -1,5 +1,7 @@
 import Axios from 'axios'
 import OAuthHandler from './oauthHandler'
+import { validateAndSanitizeConfig } from './Util'
+
 const defaultConfig = {
   maxRequests: 5,
   retryLimit: 5,
@@ -129,7 +131,8 @@ export function ConcurrencyQueue ({ axios, config }) {
         }
 
         // Retry the request
-        axios(updateRequestConfig(error, `Network retry ${attempt}`, delay))
+        const sanitizedConfig = validateAndSanitizeConfig(updateRequestConfig(error, `Network retry ${attempt}`, delay))
+        axios(sanitizedConfig)
           .then(resolve)
           .catch((retryError) => {
             // Check if this is still a transient error and we can retry again
@@ -385,8 +388,9 @@ export function ConcurrencyQueue ({ axios, config }) {
       // Cool down the running requests
       delay(wait, response.status === 401)
       error.config.retryCount = networkError
-      // deepcode ignore Ssrf: URL is dynamic
-      return axios(updateRequestConfig(error, retryErrorType, wait))
+      // SSRF Prevention: Validate URL before making request
+      const sanitizedConfig = validateAndSanitizeConfig(updateRequestConfig(error, retryErrorType, wait))
+      return axios(sanitizedConfig)
     }
     if (this.config.retryCondition && this.config.retryCondition(error)) {
       retryErrorType = error.response ? `Error with status: ${response.status}` : `Error Code:${error.code}`
@@ -416,8 +420,9 @@ export function ConcurrencyQueue ({ axios, config }) {
     error.config.retryCount = retryCount
     return new Promise(function (resolve) {
       return setTimeout(function () {
-        // deepcode ignore Ssrf: URL is dynamic
-        return resolve(axios(updateRequestConfig(error, retryErrorType, delaytime)))
+        // SSRF Prevention: Validate URL before making request
+        const sanitizedConfig = validateAndSanitizeConfig(updateRequestConfig(error, retryErrorType, delaytime))
+        return resolve(axios(sanitizedConfig))
       }, delaytime)
     })
   }