Refactor webhook endpoint validation by removing isPrivateIP function and related tests. Integrate private IP validation into ipValidator module for improved code organization.

Author: Dobrunia

src/utils/ipValidator.ts

@@ -0,0 +1,45 @@
+/**
+ * Regex patterns matching private/reserved IP ranges:
+ *
+ * IPv4: 0.x (current-network), 10.x, 172.16-31.x, 192.168.x (RFC1918),
+ * 127.x (loopback), 169.254.x (link-local/metadata), 100.64-127.x (CGN/RFC6598),
+ * 255.255.255.255 (broadcast), 224-239.x (multicast),
+ * 192.0.2.x, 198.51.100.x, 203.0.113.x (documentation), 198.18-19.x (benchmarking).
+ *
+ * IPv6: ::1, ::, fe80 (link-local), fc/fd (ULA), ff (multicast).
+ *
+ * Also handles IPv4-mapped IPv6 (::ffff:A.B.C.D) and zone IDs (fe80::1%lo0).
+ */
+const PRIVATE_IP_PATTERNS: RegExp[] = [
+  /^0\./,
+  /^10\./,
+  /^127\./,
+  /^169\.254\./,
+  /^172\.(1[6-9]|2\d|3[01])\./,
+  /^192\.168\./,
+  /^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./,
+  /^255\.255\.255\.255$/,
+  /^2(2[4-9]|3\d)\./,
+  /^192\.0\.2\./,
+  /^198\.51\.100\./,
+  /^203\.0\.113\./,
+  /^198\.1[89]\./,
+  /^::1$/,
+  /^::$/,
+  /^fe80/i,
+  /^f[cd]/i,
+  /^ff[0-9a-f]{2}:/i,
+  /^::ffff:(0\.|10\.|127\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.)/i,
+];
+
+/**
+ * Checks whether an IP address belongs to a private/reserved range.
+ * Strips zone ID before matching (e.g. fe80::1%lo0).
+ *
+ * @param ip - IP address string (v4 or v6)
+ */
+export function isPrivateIP(ip: string): boolean {
+  const bare = ip.split('%')[0];
+
+  return PRIVATE_IP_PATTERNS.some((pattern) => pattern.test(bare));
+}

src/utils/webhookEndpointValidator.ts

@@ -1,38 +1,5 @@
 import dns from 'dns';
-
-/**
- * Regex patterns matching private/reserved IP ranges:
- *
- * IPv4: 0.x (current-network), 10.x, 172.16-31.x, 192.168.x (RFC1918),
- * 127.x (loopback), 169.254.x (link-local/metadata), 100.64-127.x (CGN/RFC6598),
- * 255.255.255.255 (broadcast), 224-239.x (multicast),
- * 192.0.2.x, 198.51.100.x, 203.0.113.x (documentation), 198.18-19.x (benchmarking).
- *
- * IPv6: ::1, ::, fe80 (link-local), fc/fd (ULA), ff (multicast).
- *
- * Also handles IPv4-mapped IPv6 (::ffff:A.B.C.D) and zone IDs (fe80::1%lo0).
- */
-const PRIVATE_IP_PATTERNS: RegExp[] = [
-  /^0\./,
-  /^10\./,
-  /^127\./,
-  /^169\.254\./,
-  /^172\.(1[6-9]|2\d|3[01])\./,
-  /^192\.168\./,
-  /^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./,
-  /^255\.255\.255\.255$/,
-  /^2(2[4-9]|3\d)\./,
-  /^192\.0\.2\./,
-  /^198\.51\.100\./,
-  /^203\.0\.113\./,
-  /^198\.1[89]\./,
-  /^::1$/,
-  /^::$/,
-  /^fe80/i,
-  /^f[cd]/i,
-  /^ff[0-9a-f]{2}:/i,
-  /^::ffff:(0\.|10\.|127\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.)/i,
-];
+import { isPrivateIP } from './ipValidator';
 
 /**
  * Hostnames blocked regardless of DNS resolution
@@ -53,18 +20,6 @@ const ALLOWED_PORTS: Record<string, number> = {
   'https:': 443,
 };
 
-/**
- * Checks whether an IP address belongs to a private/reserved range.
- * Strips zone ID before matching (e.g. fe80::1%lo0).
- *
- * @param ip - IP address string (v4 or v6)
- */
-export function isPrivateIP(ip: string): boolean {
-  const bare = ip.split('%')[0];
-
-  return PRIVATE_IP_PATTERNS.some((pattern) => pattern.test(bare));
-}
-
 /**
  * Validates a webhook endpoint URL for SSRF safety.
  * Returns null if valid, or an error message string if invalid.

test/utils/ipValidator.test.ts

@@ -0,0 +1,129 @@
+import { isPrivateIP } from '../../src/utils/ipValidator';
+
+describe('isPrivateIP', () => {
+  describe('should block private/reserved IPv4', () => {
+    it.each([
+      ['127.0.0.1'],
+      ['127.255.255.255'],
+      ['10.0.0.1'],
+      ['10.255.255.255'],
+      ['0.0.0.0'],
+      ['172.16.0.1'],
+      ['172.31.255.255'],
+      ['192.168.0.1'],
+      ['192.168.255.255'],
+      ['169.254.1.1'],
+      ['169.254.169.254'],
+      ['100.64.0.1'],
+      ['100.127.255.255'],
+    ])('%s', (ip) => {
+      expect(isPrivateIP(ip)).toBe(true);
+    });
+  });
+
+  describe('should block broadcast and multicast IPv4', () => {
+    it.each([
+      ['255.255.255.255'],
+      ['224.0.0.1'],
+      ['239.255.255.255'],
+      ['230.1.2.3'],
+    ])('%s', (ip) => {
+      expect(isPrivateIP(ip)).toBe(true);
+    });
+  });
+
+  describe('should block documentation and benchmarking IPv4', () => {
+    it.each([
+      ['192.0.2.1'],
+      ['198.51.100.1'],
+      ['203.0.113.1'],
+      ['198.18.0.1'],
+      ['198.19.255.255'],
+    ])('%s', (ip) => {
+      expect(isPrivateIP(ip)).toBe(true);
+    });
+  });
+
+  describe('should block private/reserved IPv6', () => {
+    it.each([
+      ['::1'],
+      ['::'],
+      ['fe80::1'],
+      ['FE80::abc'],
+      ['fc00::1'],
+      ['fd12:3456::1'],
+    ])('%s', (ip) => {
+      expect(isPrivateIP(ip)).toBe(true);
+    });
+  });
+
+  describe('should block IPv6 multicast', () => {
+    it.each([
+      ['ff02::1'],
+      ['ff05::2'],
+      ['FF0E::1'],
+    ])('%s', (ip) => {
+      expect(isPrivateIP(ip)).toBe(true);
+    });
+  });
+
+  describe('should block IPv6 with zone ID', () => {
+    it.each([
+      ['fe80::1%lo0'],
+      ['fe80::1%eth0'],
+      ['::1%lo0'],
+    ])('%s', (ip) => {
+      expect(isPrivateIP(ip)).toBe(true);
+    });
+  });
+
+  describe('should block IPv4-mapped IPv6', () => {
+    it.each([
+      ['::ffff:127.0.0.1'],
+      ['::ffff:10.0.0.1'],
+      ['::ffff:192.168.1.1'],
+      ['::ffff:172.16.0.1'],
+      ['::ffff:169.254.169.254'],
+      ['::ffff:100.64.0.1'],
+      ['::ffff:0.0.0.0'],
+      ['::FFFF:127.0.0.1'],
+    ])('%s', (ip) => {
+      expect(isPrivateIP(ip)).toBe(true);
+    });
+  });
+
+  describe('should allow public IPv4', () => {
+    it.each([
+      ['8.8.8.8'],
+      ['1.1.1.1'],
+      ['93.184.216.34'],
+      ['172.32.0.1'],
+      ['172.15.255.255'],
+      ['192.169.0.1'],
+      ['100.128.0.1'],
+      ['100.63.255.255'],
+      ['169.255.0.1'],
+      ['223.255.255.255'],
+    ])('%s', (ip) => {
+      expect(isPrivateIP(ip)).toBe(false);
+    });
+  });
+
+  describe('should allow public IPv6', () => {
+    it.each([
+      ['2001:db8::1'],
+      ['2606:4700::1'],
+    ])('%s', (ip) => {
+      expect(isPrivateIP(ip)).toBe(false);
+    });
+  });
+
+  describe('should allow public IPv4-mapped IPv6', () => {
+    it.each([
+      ['::ffff:8.8.8.8'],
+      ['::ffff:93.184.216.34'],
+    ])('%s', (ip) => {
+      expect(isPrivateIP(ip)).toBe(false);
+    });
+  });
+});

test/utils/webhookEndpointValidator.test.ts

@@ -1,132 +1,4 @@
-import { isPrivateIP, validateWebhookEndpoint } from '../../src/utils/webhookEndpointValidator';
-
-describe('isPrivateIP', () => {
-  describe('should block private/reserved IPv4', () => {
-    it.each([
-      ['127.0.0.1'],
-      ['127.255.255.255'],
-      ['10.0.0.1'],
-      ['10.255.255.255'],
-      ['0.0.0.0'],
-      ['172.16.0.1'],
-      ['172.31.255.255'],
-      ['192.168.0.1'],
-      ['192.168.255.255'],
-      ['169.254.1.1'],
-      ['169.254.169.254'],
-      ['100.64.0.1'],
-      ['100.127.255.255'],
-    ])('%s', (ip) => {
-      expect(isPrivateIP(ip)).toBe(true);
-    });
-  });
-
-  describe('should block broadcast and multicast IPv4', () => {
-    it.each([
-      ['255.255.255.255'],
-      ['224.0.0.1'],
-      ['239.255.255.255'],
-      ['230.1.2.3'],
-    ])('%s', (ip) => {
-      expect(isPrivateIP(ip)).toBe(true);
-    });
-  });
-
-  describe('should block documentation and benchmarking IPv4', () => {
-    it.each([
-      ['192.0.2.1'],
-      ['198.51.100.1'],
-      ['203.0.113.1'],
-      ['198.18.0.1'],
-      ['198.19.255.255'],
-    ])('%s', (ip) => {
-      expect(isPrivateIP(ip)).toBe(true);
-    });
-  });
-
-  describe('should block private/reserved IPv6', () => {
-    it.each([
-      ['::1'],
-      ['::'],
-      ['fe80::1'],
-      ['FE80::abc'],
-      ['fc00::1'],
-      ['fd12:3456::1'],
-    ])('%s', (ip) => {
-      expect(isPrivateIP(ip)).toBe(true);
-    });
-  });
-
-  describe('should block IPv6 multicast', () => {
-    it.each([
-      ['ff02::1'],
-      ['ff05::2'],
-      ['FF0E::1'],
-    ])('%s', (ip) => {
-      expect(isPrivateIP(ip)).toBe(true);
-    });
-  });
-
-  describe('should block IPv6 with zone ID', () => {
-    it.each([
-      ['fe80::1%lo0'],
-      ['fe80::1%eth0'],
-      ['::1%lo0'],
-    ])('%s', (ip) => {
-      expect(isPrivateIP(ip)).toBe(true);
-    });
-  });
-
-  describe('should block IPv4-mapped IPv6', () => {
-    it.each([
-      ['::ffff:127.0.0.1'],
-      ['::ffff:10.0.0.1'],
-      ['::ffff:192.168.1.1'],
-      ['::ffff:172.16.0.1'],
-      ['::ffff:169.254.169.254'],
-      ['::ffff:100.64.0.1'],
-      ['::ffff:0.0.0.0'],
-      ['::FFFF:127.0.0.1'],
-    ])('%s', (ip) => {
-      expect(isPrivateIP(ip)).toBe(true);
-    });
-  });
-
-  describe('should allow public IPv4', () => {
-    it.each([
-      ['8.8.8.8'],
-      ['1.1.1.1'],
-      ['93.184.216.34'],
-      ['172.32.0.1'],
-      ['172.15.255.255'],
-      ['192.169.0.1'],
-      ['100.128.0.1'],
-      ['100.63.255.255'],
-      ['169.255.0.1'],
-      ['223.255.255.255'],
-    ])('%s', (ip) => {
-      expect(isPrivateIP(ip)).toBe(false);
-    });
-  });
-
-  describe('should allow public IPv6', () => {
-    it.each([
-      ['2001:db8::1'],
-      ['2606:4700::1'],
-    ])('%s', (ip) => {
-      expect(isPrivateIP(ip)).toBe(false);
-    });
-  });
-
-  describe('should allow public IPv4-mapped IPv6', () => {
-    it.each([
-      ['::ffff:8.8.8.8'],
-      ['::ffff:93.184.216.34'],
-    ])('%s', (ip) => {
-      expect(isPrivateIP(ip)).toBe(false);
-    });
-  });
-});
+import { validateWebhookEndpoint } from '../../src/utils/webhookEndpointValidator';
 
 describe('validateWebhookEndpoint', () => {
   it('should reject invalid URL', async () => {