feat: support SSRF check on useHttpClientNext = true

[fengmk2]

Summary by CodeRabbit

• New Features

  • Introduced a new workflow for publishing any commit.
  • Added SSRF protection configurations and a new HTTP client instance in config.default.js.

• Bug Fixes

  • Updated Node.js version requirements to >=14.20.0 in workflow and package.json.

• Documentation

  • Updated contributors and license sections in README.md and README.zh-CN.md.

• Refactor

  • Renamed safeCurl function to safeCurlForApplication and safeCurlForContext.

• Tests

  • Added new test cases for SSRF protection configurations in ssrf.test.js.

• Chores

  • Updated egg dependency to version ^3.26.0.
  • Removed git-contributor dependency.

[coderabbitai]

Walkthrough

The project update involves enhancing configurations and functionalities. Node.js version specifications in workflows are updated, and a new workflow for publishing commits is introduced. The README files are revised to provide better license and contributor information. In core application files, several functions related to safe HTTP requests are renamed and restructured. Furthermore, Node.js version requirements are tightened, and the SSRF protection mechanism is refined. Finally, additional security configurations and test cases are added to improve the application robustness.

Changes

Files	Change Summaries
.github/workflows/nodejs.yml	Updated Node.js versions from '14, 16, 18, 20, 22' to '14.20.0, 14, 16, 18, 20, 22'.
.github/workflows/pkg.pr.new.yml	Introduced a new workflow for publishing any commit.
README.md, README.zh-CN.md	Updated contributor display and license information to include visual links and stats.
app/extend/agent.js, app/extend/application.js, app/extend/context.js	Renamed safeCurl function to safeCurlForApplication and safeCurlForContext.
lib/extend/safe_curl.js	Renamed functions, refactored SSRF protection logic, and added new symbols and exported functions.
package.json	Changed Node.js version requirement to >=14.20.0, updated egg dependency, modified CI script.
test/fixtures/apps/ssrf-check-address-useHttpClientNext/config/config.default.js	Introduced security configurations for SSRF protection.
test/fixtures/apps/ssrf-check-address-useHttpClientNext/package.json	Included "name" field.
test/ssrf.test.js	Added test case for checkAddress with useHttpClientNext = true and modified assertion style.

Poem

In the code where Rabbit scrolled,
Functions renamed, more stories told,
Node.js versions, raised so high,
Security strengthened, watch it fly.
Contributors now in visual glee,
Egg security, as it should be.
Celebrate, with keystrokes bright,
In the code, we find delight.

---

Tip

Early access features: enabled

We are currently testing the following features in early access:

• OpenAI gpt-4o model for code reviews and chat: OpenAI claims that this model is better at understanding and generating code than the previous models. We seek your feedback over the next few weeks before making it generally available.

Note:

• You can enable or disable early access features from the CodeRabbit UI or by updating the CodeRabbit configuration file.
• Please join our Discord Community to provide feedback and report issues.
• OSS projects are currently opted into early access features by default.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[socket-security]

Removed dependencies detected. Learn more about Socket for GitHub ↗︎

🚮 Removed packages: npm/[email protected]

View full report↗︎

[pkg-pr-new]

Run & review this pull request in StackBlitz Codeflow.

commit: f0a17c5

egg-security

npm i https://pkg.pr.new/eggjs/egg-security@96

---

templates

• default

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.25%. Comparing base (5e3ee95) to head (f0a17c5).
Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master      #96      +/-   ##
==========================================
+ Coverage   97.23%   97.25%   +0.02%     
==========================================
  Files          32       32              
  Lines        1338     1349      +11     
  Branches      337      340       +3     
==========================================
+ Hits         1301     1312      +11     
  Misses         37       37              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Actionable comments posted: 1

Outside diff range and nitpick comments (17)

app/extend/context.js (2)

Line range hint 1-1: Remove the redundant 'use strict' directive.

The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.

- 'use strict';

---

Line range hint 116-116: Use optional chaining.

Change to an optional chain for better readability and safety.

- const token = findToken(this.query, queryName) || findToken(this.request.body, bodyName) ||
-  (headerName && this.get(headerName));
+ const token = findToken(this.query, queryName) || findToken(this.request.body, bodyName) ||
+  this.get?.(headerName);

README.zh-CN.md (2)

Line range hint 92-92: Avoid using emphasis instead of a heading.

Use proper headings instead of emphasis for better readability.

- __使用__
+ ### 使用

Also applies to: 118-118, 124-124, 331-331

---

Line range hint 257-257: Use underscores for strong style.

Use underscores instead of asterisks for strong style.

- **注意**
+ __注意__

README.md (13)

Line range hint 99-99: Fix grammar: Use base form of the verb

The modal verb ‘will’ requires the verb’s base form. Change ‘will overrides’ to ‘will override’.

- the current request configuration will overrides the default configuration
+ the current request configuration will override the default configuration

---

Line range hint 140-140: Fix grammar: Use base form of the verb

The modal verb ‘will’ requires the verb’s base form. Change ‘will overrides’ to ‘will override’.

- the current request configuration will overrides the default configuration
+ the current request configuration will override the default configuration

---

Line range hint 146-146: Simplify phrase: Use ‘whether’

The phrase ‘whether or not’ can be shortened to ‘whether’.

- Whether or not the domain is in the whitelist of the configuration.
+ Whether the domain is in the whitelist of the configuration.

---

Line range hint 149-149: Simplify phrase: Use ‘whether’

The phrase ‘whether or not’ can be shortened to ‘whether’.

- whether or not send back an `Access-Control-Allow-Origin` response header
+ whether to send back an `Access-Control-Allow-Origin` response header

---

Line range hint 248-248: Fix misspelling: Use hyphenated form

The word ‘case insensitive’ should be hyphenated to ‘case-insensitive’.

- `domainWhiteList` and `url` are case insensitive.
+ `domainWhiteList` and `url` are case-insensitive.

---

Line range hint 347-347: Fix misspelling: Use ‘affect’

The word ‘effect’ should be ‘affect’ as it means to have an effect upon.

- it will effect server performance
+ it will affect server performance

---

Line range hint 381-381: Fix typographical error: Add comma

A comma is usually used after the phrase ‘for example’.

- For example `html` tag is not in the whitelist.
+ For example, `html` tag is not in the whitelist.

---

Line range hint 424-424: Fix grammar: Use base form of the verb

The modal verb ‘will’ requires the verb’s base form. Change ‘will lost’ to ‘will lose’.

- it will lost performance
+ it will lose performance

---

Line range hint 436-436: Fix grammar: Use third-person verb form

The verb form should match the singular noun ‘user’. Change ‘user submit’ to ‘user submits’.

- when user submit the implementation
+ when user submits the implementation

---

Line range hint 503-503: Simplify phrase: Remove ‘by mistake’

The phrase ‘by mistake’ might be wordy. Consider removing it.

- take `text/plain` as `text/html` by mistake and render it
+ take `text/plain` as `text/html` and render it

---

Line range hint 161-161: Fix markdownlint issue: Use heading instead of emphasis

Emphasis is used instead of a heading. Change the line to use a heading.

- __mention：`match` has higher priority than `ignore`__
+ ### Mention
+ `match` has higher priority than `ignore`

---

Line range hint 424-424: Fix markdownlint issue: Use heading instead of emphasis

Emphasis is used instead of a heading. Change the line to use a heading.

- __it has a very complex process and will lost performance, so avoid the use as far as possible__
+ ### Note
+ It has a very complex process and will lose performance, so avoid the use as far as possible.

---

Line range hint 286-286: Fix markdownlint issue: Use underscores for strong style

Strong style should use underscores instead of asterisks.

- **Mention: Particular attention, if you need to resolve URL use `surl`，`surl` need warpped in quotes, Otherwise will lead to XSS vulnerability.**
+ __Mention: Particular attention, if you need to resolve URL use `surl`，`surl` need warpped in quotes, Otherwise will lead to XSS vulnerability.__

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 3f225df and 232bf07.

Files selected for processing (12)

• .github/workflows/nodejs.yml (1 hunks)
• .github/workflows/pkg.pr.new.yml (1 hunks)
• README.md (1 hunks)
• README.zh-CN.md (1 hunks)
• app/extend/agent.js (1 hunks)
• app/extend/application.js (2 hunks)
• app/extend/context.js (2 hunks)
• lib/extend/safe_curl.js (1 hunks)
• package.json (2 hunks)
• test/fixtures/apps/ssrf-check-address-useHttpClientNext/config/config.default.js (1 hunks)
• test/fixtures/apps/ssrf-check-address-useHttpClientNext/package.json (1 hunks)
• test/ssrf.test.js (2 hunks)

Files skipped from review due to trivial changes (3)

• .github/workflows/nodejs.yml
• .github/workflows/pkg.pr.new.yml
• test/fixtures/apps/ssrf-check-address-useHttpClientNext/package.json

Additional context used

Biome

lib/extend/safe_curl.js

[error] 10-10: This aliasing of this is unnecessary.

Arrow functions inherits this from their enclosing scope.
Safe fix: Use this instead of an alias.

(lint/complexity/noUselessThisAlias)

app/extend/context.js

[error] 1-1: Redundant use strict directive.

The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.

(lint/suspicious/noRedundantUseStrict)

---

[error] 116-116: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

Markdownlint

README.zh-CN.md

92-92: null
Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

118-118: null
Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

124-124: null
Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

331-331: null
Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

257-257: Expected: underscore; Actual: asterisk
Strong style

(MD050, strong-style)

---

257-257: Expected: underscore; Actual: asterisk
Strong style

(MD050, strong-style)

README.md

161-161: null
Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

424-424: null
Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

286-286: Expected: underscore; Actual: asterisk
Strong style

(MD050, strong-style)

---

286-286: Expected: underscore; Actual: asterisk
Strong style

(MD050, strong-style)

---

347-347: Expected: underscore; Actual: asterisk
Strong style

(MD050, strong-style)

---

347-347: Expected: underscore; Actual: asterisk
Strong style

(MD050, strong-style)

LanguageTool

README.md

[style] ~56-~56: You have already used this phrasing in nearby sentences. Consider replacing it to add variety to your writing.
Context: ... }, }; ``` ### match & ignore If you want to set security config open for a certain ...

(REP_WANT_TO_VB)

---

[style] ~74-~74: You have already used this phrasing in nearby sentences. Consider replacing it to add variety to your writing.
Context: ... //... }, }, }; ``` If you want to set security config disable for a certa...

(REP_WANT_TO_VB)

---

[grammar] ~99-~99: The modal verb ‘will’ requires the verb’s base form.
Context: ... the current request configuration will overrides the default configuration (new configur...

(MD_BASEFORM)

---

[grammar] ~140-~140: The modal verb ‘will’ requires the verb’s base form.
Context: ... the current request configuration will overrides the default configuration, but it does ...

(MD_BASEFORM)

---

[style] ~146-~146: Consider shortening this phrase to just ‘whether’, unless you mean ‘regardless of whether’.
Context: ... ## API ### ctx.isSafeDomain(domain) Whether or not the domain is in the whitelist of the c...

(WHETHER)

---

[style] ~149-~149: Consider shortening this phrase to just ‘whether’, unless you mean ‘regardless of whether’.
Context: ...s this function internally to determine whether or not send back an `Access-Control-Allow-Orig...

(WHETHER)

---

[misspelling] ~248-~248: This word is normally spelled with a hyphen.
Context: ...(url). domainWhiteListandurl` are case insensitive. ### jsonp Based on [jsonp-body](http...

(EN_COMPOUNDS_CASE_INSENSITIVE)

---

[misspelling] ~347-~347: Did you mean “affect” (have an effect upon)?
Context: ...html is a very complex process, it will effect server performance, so if you do not ne...

(AFFECT_EFFECT)

---

[typographical] ~381-~381: After the expression ‘for example’ a comma is usually used.
Context: .../lib/default.js) will be filtered. For example html tag is not in the whitelist. ``...

(COMMA_FOR_EXAMPLE)

---

[grammar] ~424-~424: The modal verb ‘will’ requires the verb’s base form.
Context: ..._it has a very complex process and will lost performance, so avoid the use as far as...

(MD_BASEFORM)

---

[grammar] ~436-~436: Consider using third-person verb forms for singular and mass nouns.
Context: ...mand execution vulnerability, when user submit the implementation of the command by br...

(MASS_AGREEMENT)

---

[style] ~503-~503: ‘by mistake’ might be wordy. Consider a shorter alternative.
Context: .... E.g: take text/plain as text/html by mistake and render it, especially when there's ...

(EN_WORDINESS_PREMIUM_BY_MISTAKE)

Additional comments not posted (12)

app/extend/agent.js (1)

1-4: LGTM! The function renaming aligns with the PR objectives.

The renaming of safeCurl to safeCurlForApplication is consistent with the new SSRF protection logic.

test/fixtures/apps/ssrf-check-address-useHttpClientNext/config/config.default.js (1)

1-16: LGTM! The SSRF protection configurations are well-defined.

The IP blacklist and custom checkAddress function are appropriate for SSRF protection. Enabling useHttpClientNext aligns with the PR objectives.

lib/extend/safe_curl.js (1)

9-29: LGTM! The SSRF protection logic is well-implemented.

The safeCurlForApplication function effectively integrates SSRF protection. The safeCurlForContext function correctly delegates to safeCurlForApplication.

Tools

Biome

[error] 10-10: This aliasing of this is unnecessary.

Arrow functions inherits this from their enclosing scope.
Safe fix: Use this instead of an alias.

(lint/complexity/noUselessThisAlias)

app/extend/application.js (1)

Line range hint 1-34: LGTM! The function renaming aligns with the PR objectives.

The renaming of safeCurl to safeCurlForApplication is consistent with the new SSRF protection logic.

package.json (1)

36-36: Dependency update approved.

The egg dependency has been updated to ^3.26.0.

However, ensure that this update does not introduce any compatibility issues.

test/ssrf.test.js (1)

91-110: New test case for SSRF protection approved.

The new test case for checkAddress with useHttpClientNext = true ensures that the SSRF protection works correctly with the new HTTP client.

However, ensure that this test case covers all necessary scenarios.

Verification successful

---

New test case for SSRF protection approved.

The new test case for checkAddress with useHttpClientNext = true ensures that the SSRF protection works correctly with the new HTTP client. The checkIllegalAddressError function includes the necessary assertions to validate the SSRF protection.

• The assertions within checkIllegalAddressError confirm that the SSRF protection is functioning as expected.

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Verify that the new test case covers all necessary scenarios.

# Test: Run the tests to ensure everything works correctly.
npm test

Length of output: 81

---

---

Script:

#!/bin/bash
# Search for test cases related to `checkAddress` with `useHttpClientNext = true`
# and list the assertions within those test cases.

# Find the test file
test_file=$(fd ssrf.test.js)

# Print the test cases related to `checkAddress` with `useHttpClientNext = true`
rg -A 10 "describe\('checkAddress with useHttpClientNext = true'" $test_file

# List the assertions within those test cases
rg "assert" $test_file

Length of output: 1113

---

---

Script:

#!/bin/bash
# List the lines within the `checkAddress with useHttpClientNext = true` block to verify the presence of assertions.

# Find the test file
test_file=$(fd ssrf.test.js)

# Print the lines within the `checkAddress with useHttpClientNext = true` block
rg -A 50 "describe\('checkAddress with useHttpClientNext = true'" $test_file

Length of output: 1849

---

---

Script:

#!/bin/bash
# Search for the definition of the `checkIllegalAddressError` function and inspect its contents.

# Find the definition of the `checkIllegalAddressError` function
rg "function checkIllegalAddressError" -A 20

Length of output: 475

app/extend/context.js (1)

231-231: LGTM!

The safeCurl function has been correctly assigned to safeCurlForContext.

README.zh-CN.md (2)

429-431: Update approved.

The license section has been updated to include a link to the MIT license.

---

433-437: Update approved.

The contributors section has been updated to include a link to contributor statistics.

README.md (3)

556-556: LGTM: License section update

The change to include a link to the MIT license on GitHub enhances the documentation.

---

560-560: LGTM: Contributors section update

The change to include a link to view contributors visually using contributors-img enhances the documentation.

---

562-562: LGTM: Contributors section addition

The new line indicating that the contributors section is made with contributors-img provides additional context.

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 232bf07 and f0a17c5.

Files selected for processing (2)

• .github/workflows/nodejs.yml (1 hunks)
• package.json (2 hunks)

Files skipped from review due to trivial changes (1)

• .github/workflows/nodejs.yml

Additional comments not posted (3)

package.json (3)

53-53: LGTM! The ci script update aligns with best practices.

The update ensures that linting and coverage checks are performed in the CI pipeline.

---

39-39: Verify compatibility with egg version ^3.26.0.

Ensure that the codebase is compatible with the updated egg version and run the tests to confirm this.

---

5-5: Verify compatibility with Node.js >=14.20.0.

Ensure that all dependencies and the codebase are compatible with the updated minimum Node.js version.