fix(transformation): block ipv6 requests in user transformer (#2618)

* fix(transformation): block ipv6 requests in user transformer

* test cases

* block ips starting with localhost octet

* assign to variable

src/util/utils.js

@@ -10,17 +10,22 @@ const stats = require('./stats');
 
 const resolver = new Resolver();
 
-const LOCALHOST_IP = '127.0.0.1';
-const LOCALHOST_URL = `http://localhost`;
+const BLOCK_HOST_NAMES = process.env.BLOCK_HOST_NAMES || '';
+const BLOCK_HOST_NAMES_LIST = BLOCK_HOST_NAMES.split(',');
+const LOCAL_HOST_NAMES_LIST = ['localhost', '127.0.0.1', '[::]', '[::1]'];
+const LOCALHOST_OCTET = '127.';
 const RECORD_TYPE_A = 4; // ipv4
 
 const staticLookup = (transformerVersionId) => async (hostname, _, cb) => {
   let ips;
   const resolveStartTime = new Date();
   try {
-    ips = await resolver.resolve(hostname);
+    ips = await resolver.resolve4(hostname);
   } catch (error) {
-    stats.timing('fetch_dns_resolve_time', resolveStartTime, { transformerVersionId, error: 'true' });
+    stats.timing('fetch_dns_resolve_time', resolveStartTime, {
+      transformerVersionId,
+      error: 'true',
+    });
     cb(null, `unable to resolve IP address for ${hostname}`, RECORD_TYPE_A);
     return;
   }
@@ -32,8 +37,8 @@ const staticLookup = (transformerVersionId) => async (hostname, _, cb) => {
   }
 
   for (const ip of ips) {
-    if (ip.includes(LOCALHOST_IP)) {
-      cb(null, `cannot use ${LOCALHOST_IP} as IP address`, RECORD_TYPE_A);
+    if (ip.startsWith(LOCALHOST_OCTET)) {
+      cb(null, `cannot use ${ip} as IP address`, RECORD_TYPE_A);
       return;
     }
   }
@@ -47,8 +52,17 @@ const httpAgentWithDnsLookup = (scheme, transformerVersionId) => {
 };
 
 const blockLocalhostRequests = (url) => {
-  if (url.includes(LOCALHOST_URL) || url.includes(LOCALHOST_IP)) {
-    throw new Error('localhost requests are not allowed');
+  try {
+    const parseUrl = new URL(url);
+    const { hostname } = parseUrl;
+    if (LOCAL_HOST_NAMES_LIST.includes(hostname) || hostname.startsWith(LOCALHOST_OCTET)) {
+      throw new Error('localhost requests are not allowed');
+    }
+    if (BLOCK_HOST_NAMES_LIST.includes(hostname)) {
+      throw new Error('blocked host requests are not allowed');
+    }
+  } catch (error) {
+    throw new Error(`invalid url, ${error.message}`);
   }
 };
 
@@ -163,14 +177,14 @@ const extractStackTraceUptoLastSubstringMatch = (trace, stringLiterals) => {
   const traceLines = trace.split('\n');
   let lastRelevantIndex = 0;
 
-  for(let i = traceLines.length - 1; i >= 0; i -= 1) {
-    if (stringLiterals.some(str => traceLines[i].includes(str))) {
+  for (let i = traceLines.length - 1; i >= 0; i -= 1) {
+    if (stringLiterals.some((str) => traceLines[i].includes(str))) {
       lastRelevantIndex = i;
       break;
     }
   }
 
-  return traceLines.slice(0, lastRelevantIndex + 1).join("\n");
+  return traceLines.slice(0, lastRelevantIndex + 1).join('\n');
 };
 
 module.exports = {

test/__tests__/user_transformation_fetch.test.js

@@ -4,8 +4,7 @@ jest.mock("dns", () => {
     promises: {
       Resolver: function() {
         return {
-          resolve: mockResolver,
-          setServers: () => {},
+          resolve4: mockResolver,
         };
       }
     }
@@ -121,7 +120,7 @@ describe("User transformation fetch tests", () => {
       }
       `
     };
-    const errMsg = "localhost requests are not allowed";
+    const errMsg = "invalid url, localhost requests are not allowed";
 
     const output = await userTransformHandler(inputData, versionId, [], trRevCode, true);
 
@@ -278,7 +277,7 @@ describe("User transformation fetch tests", () => {
         }
       `
     };
-    const errMsg = "localhost requests are not allowed";
+    const errMsg = "invalid url, localhost requests are not allowed";
 
     const output = await userTransformHandler(inputData, versionId, [], trRevCode, true);