added docs about forbidden chars | moved trim helpers to url parser file

felippe-regazio · Jan 9, 2024 · 68c8b97 · 68c8b97
1 parent 2ed151b
commit 68c8b97
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -125,7 +125,8 @@ npx ssrfcheck ftp://user:pass@localhost:8080/whatever --allowed-protocols=ftp,ht
 The library checks for complete URLs focusing on the protocol and domain structure and tells whether is a possible SSRF attack or not. This library does NOT checks for path traversal attacks. The checks are made in the following order:
 
 - must contain a hostname
-- must not contain login-urls (e.g: https://user:[email protected]) - optionated
+- must not contain login-urls (e.g: https://user:[email protected]) (optionated)
+- cannot contain RFC forbidden chars: "<>\\^\`\{\|\} (optionated)
 - cannot be a dot domain (e.g: https://./../.com) - commonly result of some trick
 - cannot be localhost or loopback domain
 - cannot be a private IP of any range

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "ssrfcheck",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "description": "Check if a string contains a potential SSRF attack",
   "main": "./src/index.js",
   "repository": {

diff --git a/src/parse-url.js b/src/parse-url.js
@@ -1,5 +1,12 @@
 const { isIP } = require('net');
-const { trimBrackets } = require('./trim-brackets');
+
+function trimBrackets(hostname) {
+  if (hostname.startsWith('[') && hostname.endsWith(']')) {
+    return hostname.substring(1, hostname.length -1);
+  }
+
+  return hostname;
+}
 
 /**
   when try to create a URL from the arg we take advantage of runtime 
@@ -13,11 +20,8 @@ function normalizeURLStr(str) {
   };
 
   return str
-    .trim()                                 // removed start and end spaces
-    .normalize('NFKD')                      // removed accents and diacrictics, normalize fancy chars
-    .split(' ')                             // breaks it onto parts dividing by spaces to check trailing \
-    .map(item => item.replace(/\\+$/, ""))  // remove all trailing backslaches, e.g: x\ to x
-    .join(' ');                             // reassembling it
+    .trim() // removed start and end spaces
+    .normalize('NFKD'); // removed accents and diacrictics, normalize fancy chars
 }
 
 function startsWithProtocol(input) {

diff --git a/src/trim-brackets.js b/src/trim-brackets.js