feat: add hostname for checkAddress (#526)

killagu · web-flow · commit 02cad0ecc160 · 2024-07-08T23:08:03.000+08:00
diff --git a/lib/index.d.ts b/lib/index.d.ts
@@ -32,7 +32,7 @@ export interface RequestOptions {
   writeStream?: Writable;
   /** consume the writeStream, invoke the callback after writeStream close. */
   consumeWriteStream?: boolean;
-  /** 
+  /**
     * The files will send with multipart/form-data format, base on formstream.
     * If method not set, will use POST method by default.
     */
@@ -130,7 +130,7 @@ export interface RequestOptions {
    * It receive two arguments(ip and family) and should return true or false to identified the address is legal or not.
    * It rely on lookup and have the same version requirement.
    */
-  checkAddress?: (ip: string, family: number | string) => boolean;
+  checkAddress?: (ip: string, family: number | string, hostname: string) => boolean;
   /**
    * UNIX domain socket path. (Windows is not supported)
    */
diff --git a/lib/urllib.js b/lib/urllib.js
@@ -276,7 +276,7 @@ function requestWithCallback(url, args, callback) {
     lookup = function(host, dnsopts, callback) {
       _lookup(host, dnsopts, function emitLookup(err, ip, family) {
         // add check address logic in custom dns lookup
-        if (!err && !args.checkAddress(ip, family)) {
+        if (!err && !args.checkAddress(ip, family, host)) {
           err = new Error('illegal address');
           err.name = 'IllegalAddressError';
           err.hostname = host;
@@ -1017,7 +1017,7 @@ function requestWithCallback(url, args, callback) {
       family = 6;
     }
     if (family) {
-      if (!args.checkAddress(hostname, family)) {
+      if (!args.checkAddress(hostname, family, hostname)) {
         var err = new Error('illegal address');
         err.name = 'IllegalAddressError';
         err.hostname = hostname;
diff --git a/test/urllib.test.js b/test/urllib.test.js
@@ -2076,6 +2076,22 @@ describe('test/urllib.test.js', function () {
           done();
         });
       });
+
+      it('should work with hostname', function(done) {
+        let hostname;
+        urllib.request('http://check-ssrf-host.com/redirect_to_domain', {
+          checkAddress: function(address, family, aHostname) {
+            hostname = aHostname;
+            return true;
+          },
+          lookup: function(host, options, callback) {
+            callback(null, '10.10.10.10');
+          },
+        }, function () {
+          assert.equal(hostname, 'check-ssrf-host.com');
+          done();
+        });
+      });
     });
   }
 });
