4nk/smart_ide
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
smart_ide/packages/smart-ide-http-utils/dist/proxy.js
Nicolas Cantu 255acbaf97 fix: harden claw-harness-proxy and complete HTTP utils centralization (0.0.7) 
Initial state:
- claw-harness-proxy accepted absolute-form / scheme-relative request targets, allowing proxying to arbitrary hosts.
- claw-harness-proxy forwarded client Authorization headers upstream.
- @4nk/smart-ide-http-utils did not provide helpers for Node http.request-based proxies.
- docs/repo/ia-dev-smart-ide-integration.md still documented the old IA_DEV_ROOT default resolution order.

Motivation:
- Ensure safe proxy behavior for every HTTP relay in the monorepo.
- Keep the IA_DEV_ROOT contract consistent across code and docs.

Resolution:
- Extend @4nk/smart-ide-http-utils with copyOutgoingHeadersForProxy() for http.request.
- Harden claw-harness-proxy: reject absolute URLs and '//' targets, validate safe proxy paths, avoid forwarding Authorization, and avoid leaking internal error details.
- Align ia-dev-smart-ide-integration doc default order to ./services/ia_dev then ./ia_dev.

Root cause:
- Proxy implementation treated req.url as a URL to be resolved and allowed absolute inputs.
- Cross-proxy utilities were only implemented for fetch-based proxies.

Impacted features:
- claw-harness-proxy HTTP forwarding.
- shared HTTP utility package.
- IA_DEV_ROOT documentation.

Code modified:
- packages/smart-ide-http-utils/src/* + dist/*
- services/claw-harness-api/proxy/src/server.ts

Documentation modified:
- docs/repo/ia-dev-smart-ide-integration.md
- CHANGELOG.md

Configurations modified:
- services/claw-harness-api/proxy/package.json

Files in deploy modified:
- None

Files in logs impacted:
- None

Databases and other sources modified:
- None

Off-project modifications:
- None

Files in .smartIde modified:
- None

Files in .secrets modified:
- None

New patch version in VERSION:
- 0.0.7

CHANGELOG.md updated:
- yes
2026-04-04 20:48:11 +02:00

103 lines
2.6 KiB
JavaScript
Raw Blame History

export const REQUEST_HOP_BY_HOP_HEADERS = new Set([
"connection",
"keep-alive",
"proxy-authenticate",
"proxy-authorization",
"te",
"trailers",
"transfer-encoding",
"upgrade",
"host",
]);
export const RESPONSE_HOP_BY_HOP_HEADERS = new Set([
"connection",
"keep-alive",
"transfer-encoding",
"content-encoding",
]);
export const readBearer = (req) => {
const raw = req.headers.authorization ?? "";
const m = /^Bearer\s+(.+)$/i.exec(raw);
return m?.[1]?.trim() ?? null;
};
export const readBodyBuffer = async (req, maxBytes) => {
const chunks = [];
let total = 0;
for await (const chunk of req) {
const b = typeof chunk === "string" ? Buffer.from(chunk) : chunk;
total += b.length;
if (total > maxBytes) {
throw new Error(`Request body exceeds ${maxBytes} bytes`);
}
chunks.push(b);
}
return Buffer.concat(chunks);
};
export const copyHeadersForProxy = (req, opts) => {
const out = new Headers();
for (const [k, v] of Object.entries(req.headers)) {
if (!v) {
continue;
}
const lk = k.toLowerCase();
if (REQUEST_HOP_BY_HOP_HEADERS.has(lk)) {
continue;
}
if (lk === "authorization") {
continue;
}
if (opts?.skipLowercase?.has(lk)) {
continue;
}
out.set(k, Array.isArray(v) ? v.join(", ") : v);
}
return out;
};
export const copyOutgoingHeadersForProxy = (req, opts) => {
const out = {};
for (const [k, v] of Object.entries(req.headers)) {
if (v === undefined) {
continue;
}
const lk = k.toLowerCase();
if (REQUEST_HOP_BY_HOP_HEADERS.has(lk)) {
continue;
}
if (lk === "authorization") {
continue;
}
if (opts?.skipLowercase?.has(lk)) {
continue;
}
out[k] = v;
}
return out;
};
export const isSafeProxyPath = (p) => {
if (!p.startsWith("/")) {
return false;
}
for (const rawSeg of p.split("/")) {
if (rawSeg.length === 0) {
continue;
}
if (rawSeg === "." || rawSeg === "..") {
return false;
}
let seg;
try {
seg = decodeURIComponent(rawSeg);
}
catch {
return false;
}
if (seg === "." || seg === "..") {
return false;
}
if (seg.includes("/") || seg.includes("\\")) {
return false;
}
}
return true;
};
Reference in New Issue View Git Blame Copy Permalink