refactor: do not depend on undici being part of the bundle

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Author: panva

lib/helpers/fetch_request.js

@@ -1,6 +1,5 @@
 /* eslint-disable no-bitwise, no-plusplus */
-import * as undici from 'undici';
-
+import * as attention from './attention.js';
 import instance from './weak_cache.js';
 
 // IANA IPv4 Special-Purpose Address Space
@@ -178,6 +177,20 @@ function isSpecialUseIP(address) {
   return isSpecialUseIPv6(address);
 }
 
+// Returns the Agent constructor from the global dispatcher symbols that
+// node's built-in undici sets.
+function getAgent() {
+  // Referencing Response triggers node's lazy undici initialization
+  // that sets the global dispatcher symbols
+  // eslint-disable-next-line no-unused-expressions
+  Response;
+  return (
+    globalThis[Symbol.for('undici.globalDispatcher.2')]
+    ?? globalThis[Symbol.for('undici.globalDispatcher.1')]
+  )?.constructor;
+}
+
+// undefined = not yet attempted, null = unavailable, Agent instance = use
 let dispatcher;
 
 export default async function fetchRequest(provider, url, options) {
@@ -190,23 +203,29 @@ export default async function fetchRequest(provider, url, options) {
   // resolving DNS upfront via dns/promises. An upfront lookup is vulnerable to
   // TOCTOU — the HTTP client resolves the hostname again independently, and the
   // result can differ (DNS rebinding, round-robin, short TTL). Checking
-  // socket.remoteAddress in the connector inspects the actual IP the socket is
-  // bound to, which is the only reliable enforcement point.
-  dispatcher ??= new undici.Agent({
-    connect(opts, cb) {
-      undici.buildConnector({})(opts, (err, socket) => {
-        if (err) {
-          cb(err);
-        } else if (isSpecialUseIP(socket.remoteAddress)) {
-          socket.destroy();
-          cb(new Error('hostname resolves to a special-use IP address'));
-        } else {
-          cb(null, socket);
+  // socket.remoteAddress in the connect event inspects the actual IP the socket
+  // is bound to, which is the only reliable enforcement point.
+  if (dispatcher === undefined) {
+    try {
+      dispatcher = new (getAgent())();
+      let kSocket;
+      dispatcher.on('connect', (_origin, targets) => {
+        // targets = [Agent, Pool, Client] — the socket lives on the Client
+        const client = targets[2];
+        kSocket ??= Object.getOwnPropertySymbols(client).find((s) => s.description === 'socket');
+        const socket = client[kSocket];
+        if (socket?.remoteAddress !== undefined && isSpecialUseIP(socket.remoteAddress)) {
+          socket.destroy(new Error('hostname resolves to a special-use IP address'));
         }
       });
-    },
-  });
-  options.dispatcher = dispatcher;
+    } catch {
+      attention.warn('failed to setup SSRF protection for fetch, outgoing requests will not be checked for special-use IP addresses');
+      dispatcher = null;
+    }
+  }
+  if (dispatcher) {
+    options.dispatcher = dispatcher;
+  }
   /* eslint-enable no-param-reassign */
 
   return instance(provider).configuration.fetch(url, options);

package-lock.json

@@ -64,8 +64,7 @@
     "koa": "^3.1.2",
     "nanoid": "^5.1.7",
     "quick-lru": "^7.3.0",
-    "raw-body": "^3.0.2",
-    "undici": "^7.24.4"
+    "raw-body": "^3.0.2"
   },
   "devDependencies": {
     "@fastify/middie": "^9.3.1",
@@ -90,6 +89,7 @@
     "selfsigned": "^5.5.0",
     "sinon": "^21.0.3",
     "supertest": "^7.2.2",
-    "timekeeper": "^2.3.1"
+    "timekeeper": "^2.3.1",
+    "undici": "^8.0.2"
   }
 }

package.json

@@ -10,6 +10,13 @@ import bootstrap, { skipConsent, assertNoPendingInterceptors, mock } from '../te
 
 const sinon = createSandbox();
 
+async function consumeBody(body) {
+  if (typeof body === 'string') return body;
+  const chunks = [];
+  for await (const chunk of body) chunks.push(chunk);
+  return Buffer.concat(chunks).toString();
+}
+
 describe('Back-Channel Logout 1.0', () => {
   before(bootstrap(import.meta.url));
 
@@ -24,20 +31,20 @@ describe('Back-Channel Logout 1.0', () => {
         .intercept({
           path: '/backchannel_logout',
           method: 'POST',
-          body(value) {
-            expect(value).to.match(/^logout_token=(([\w-]+\.?){3})$/);
-            const header = JSON.parse(base64url.decode(RegExp.$1.split('.')[0]));
-            expect(header).to.have.property('typ', 'logout+jwt');
-            const decoded = JSON.parse(base64url.decode(RegExp.$1.split('.')[1]));
-            expect(decoded).to.have.all.keys('sub', 'events', 'iat', 'exp', 'aud', 'iss', 'jti', 'sid');
-            expect(decoded).to.have.property('events').and.eql({ 'http://schemas.openid.net/event/backchannel-logout': {} });
-            expect(decoded).to.have.property('aud', 'client');
-            expect(decoded).to.have.property('sub', 'subject');
-            expect(decoded).to.have.property('sid', 'foo');
-            return true;
-          },
         })
-        .reply(200);
+        .reply(200, async (opts) => {
+          const value = await consumeBody(opts.body);
+          expect(value).to.match(/^logout_token=(([\w-]+\.?){3})$/);
+          const header = JSON.parse(base64url.decode(RegExp.$1.split('.')[0]));
+          expect(header).to.have.property('typ', 'logout+jwt');
+          const decoded = JSON.parse(base64url.decode(RegExp.$1.split('.')[1]));
+          expect(decoded).to.have.all.keys('sub', 'events', 'iat', 'exp', 'aud', 'iss', 'jti', 'sid');
+          expect(decoded).to.have.property('events').and.eql({ 'http://schemas.openid.net/event/backchannel-logout': {} });
+          expect(decoded).to.have.property('aud', 'client');
+          expect(decoded).to.have.property('sub', 'subject');
+          expect(decoded).to.have.property('sid', 'foo');
+          return '';
+        });
 
       return client.backchannelLogout('subject', 'foo');
     });
@@ -49,18 +56,18 @@ describe('Back-Channel Logout 1.0', () => {
         .intercept({
           path: '/backchannel_logout',
           method: 'POST',
-          body(value) {
-            expect(value).to.match(/^logout_token=(([\w-]+\.?){3})$/);
-            const decoded = JSON.parse(base64url.decode(RegExp.$1.split('.')[1]));
-            expect(decoded).to.have.all.keys('sub', 'events', 'iat', 'exp', 'aud', 'iss', 'jti');
-            expect(decoded).to.have.property('events').and.eql({ 'http://schemas.openid.net/event/backchannel-logout': {} });
-            expect(decoded).to.have.property('aud', 'no-sid');
-            expect(decoded).to.have.property('sub', 'subject');
-            expect(decoded).not.to.have.property('sid');
-            return true;
-          },
         })
-        .reply(200);
+        .reply(200, async (opts) => {
+          const value = await consumeBody(opts.body);
+          expect(value).to.match(/^logout_token=(([\w-]+\.?){3})$/);
+          const decoded = JSON.parse(base64url.decode(RegExp.$1.split('.')[1]));
+          expect(decoded).to.have.all.keys('sub', 'events', 'iat', 'exp', 'aud', 'iss', 'jti');
+          expect(decoded).to.have.property('events').and.eql({ 'http://schemas.openid.net/event/backchannel-logout': {} });
+          expect(decoded).to.have.property('aud', 'no-sid');
+          expect(decoded).to.have.property('sub', 'subject');
+          expect(decoded).not.to.have.property('sid');
+          return '';
+        });
 
       return client.backchannelLogout('subject', 'foo');
     });