feat: add http deny list in HTTP node

2025-07-21 19:52:51 +08:00 · 2025-07-21 19:52:51 +08:00 · 97db0f7b15
parent 5fbb9985f8
commit 97db0f7b15
1 changed files with 37 additions and 0 deletions
--- a/packages/components/nodes/agentflow/HTTP/HTTP.ts
+++ b/packages/components/nodes/agentflow/HTTP/HTTP.ts
@ -3,6 +3,8 @@ import axios, { AxiosRequestConfig, Method, ResponseType } from 'axios'
 import FormData from 'form-data'
 import * as querystring from 'querystring'
 import { getCredentialData, getCredentialParam } from '../../../src/utils'
+import * as ipaddr from 'ipaddr.js'
+import dns from 'dns/promises'

 class HTTP_Agentflow implements INode {
    label: string
@ -230,6 +232,39 @@ class HTTP_Agentflow implements INode {
        ]
    }

+    private isDeniedIP(ip: string, denyList: string[]): void {
+        for (const entry of denyList) {
+            if (entry.includes('/')) {
+                try {
+                    if (ipaddr.parse(ip).match(ipaddr.parseCIDR(entry))) throw new Error(`IP given is in deny list: ${ip}`)
+                } catch (error) {
+                    throw new Error(`isDeniedIP: ${error}`)
+                }
+            } else if (ip === entry) throw new Error(`IP given is in deny list: ${ip}`)
+        }
+    }
+
+    private async checkDenyList(url: string) {
+        const httpDenyListString: string | undefined = process.env.HTTP_DENY_LIST
+        if (!httpDenyListString) return url
+        const httpDenyList = httpDenyListString.split(',').map((ip) => ip.trim())
+
+        const urlObj = new URL(url)
+
+        const hostname = urlObj.hostname
+
+        if (httpDenyList.includes(hostname)) throw new Error(`Hostname given is in deny list: ${hostname}`)
+
+        if (ipaddr.isValid(hostname)) {
+            this.isDeniedIP(hostname, httpDenyList)
+        } else {
+            const addresses = await dns.lookup(hostname, { all: true })
+            for (const address of addresses) {
+                this.isDeniedIP(address.address, httpDenyList)
+            }
+        }
+    }
+
    async run(nodeData: INodeData, _: string, options: ICommonObject): Promise<any> {
        const method = nodeData.inputs?.method as 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH'
        const url = nodeData.inputs?.url as string
@ -292,6 +327,8 @@ class HTTP_Agentflow implements INode {
            // Build final URL with query parameters
            const finalUrl = queryString ? `${url}${url.includes('?') ? '&' : '?'}${queryString}` : url

+            await this.checkDenyList(finalUrl)
+
            // Prepare request config
            const requestConfig: AxiosRequestConfig = {
                method: method as Method,