File tree 2 files changed +20
-7
lines changed
2 files changed +20
-7
lines changed Original file line number Diff line number Diff line change @@ -8,6 +8,15 @@ Version 0.9.3
88
99To be released.
1010
11+ - Fixed a vulnerability of SSRF via DNS rebinding in the built-in document
12+ loader. [[ CVE-2024 -39687]]
13+
14+ - The ` fetchDocumentLoader() ` function now throws an error when the given
15+ domain name has any records referring to a private network address.
16+ - The ` getAuthenticatedDocumentLoader() ` function now returns a document
17+ loader that throws an error when the given domain name has any records
18+ referring to a private network address.
19+
1120
1221Version 0.9.2
1322-------------
Original file line number Diff line number Diff line change @@ -30,13 +30,17 @@ export async function validatePublicUrl(url: string): Promise<void> {
3030 const netPermission = await Deno . permissions . query ( { name : "net" } ) ;
3131 if ( netPermission . state !== "granted" ) return ;
3232 }
33- const { address, family } = await lookup ( hostname ) ;
34- if (
35- family === 4 && ! isValidPublicIPv4Address ( address ) ||
36- family === 6 && ! isValidPublicIPv6Address ( address ) ||
37- family < 4 || family === 5 || family > 6
38- ) {
39- throw new UrlError ( `Invalid or private address: ${ address } ) ;
33+ // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
34+ // and ensure that they are all public:
35+ const addresses = await lookup ( hostname , { all : true } ) ;
36+ for ( const { address, family } of addresses ) {
37+ if (
38+ family === 4 && ! isValidPublicIPv4Address ( address ) ||
39+ family === 6 && ! isValidPublicIPv6Address ( address ) ||
40+ family < 4 || family === 5 || family > 6
41+ ) {
42+ throw new UrlError ( `Invalid or private address: ${ address } ) ;
43+ }
4044 }
4145}
4246
You can’t perform that action at this time.
0 commit comments