Feature add http deny list

* feat: add http deny list env variable * feat: add http deny list in HTTP node * feat: use generic error message for denied hosts in HTTP node
2025-07-21 20:30:42 +08:00 · 2025-07-21 20:30:42 +08:00 · efc9ac222f
parent dca91b979b
commit efc9ac222f
4 changed files with 99 additions and 48 deletions
--- a/packages/components/nodes/agentflow/HTTP/HTTP.ts
+++ b/packages/components/nodes/agentflow/HTTP/HTTP.ts
@ -3,6 +3,8 @@ import axios, { AxiosRequestConfig, Method, ResponseType } from 'axios'
 import FormData from 'form-data'
 import * as querystring from 'querystring'
 import { getCredentialData, getCredentialParam } from '../../../src/utils'
+import * as ipaddr from 'ipaddr.js'
+import dns from 'dns/promises'

 class HTTP_Agentflow implements INode {
    label: string
@ -230,6 +232,44 @@ class HTTP_Agentflow implements INode {
        ]
    }

+    private isDeniedIP(ip: string, denyList: string[]): void {
+        const parsedIp = ipaddr.parse(ip)
+        for (const entry of denyList) {
+            if (entry.includes('/')) {
+                try {
+                    const [range, _] = entry.split('/')
+                    const parsedRange = ipaddr.parse(range)
+                    if (parsedIp.kind() === parsedRange.kind()) {
+                        if (parsedIp.match(ipaddr.parseCIDR(entry))) {
+                            throw new Error('Access to this host is denied by policy.')
+                        }
+                    }
+                } catch (error) {
+                    throw new Error(`isDeniedIP: ${error}`)
+                }
+            } else if (ip === entry) throw new Error('Access to this host is denied by policy.')
+        }
+    }
+
+    private async checkDenyList(url: string) {
+        const httpDenyListString: string | undefined = process.env.HTTP_DENY_LIST
+        if (!httpDenyListString) return url
+        const httpDenyList = httpDenyListString.split(',').map((ip) => ip.trim())
+
+        const urlObj = new URL(url)
+
+        const hostname = urlObj.hostname
+
+        if (ipaddr.isValid(hostname)) {
+            this.isDeniedIP(hostname, httpDenyList)
+        } else {
+            const addresses = await dns.lookup(hostname, { all: true })
+            for (const address of addresses) {
+                this.isDeniedIP(address.address, httpDenyList)
+            }
+        }
+    }
+
    async run(nodeData: INodeData, _: string, options: ICommonObject): Promise<any> {
        const method = nodeData.inputs?.method as 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH'
        const url = nodeData.inputs?.url as string
@ -292,6 +332,8 @@ class HTTP_Agentflow implements INode {
            // Build final URL with query parameters
            const finalUrl = queryString ? `${url}${url.includes('?') ? '&' : '?'}${queryString}` : url

+            await this.checkDenyList(finalUrl)
+
            // Prepare request config
            const requestConfig: AxiosRequestConfig = {
                method: method as Method,
--- a/packages/components/package.json
+++ b/packages/components/package.json
@ -98,6 +98,7 @@
        "graphql": "^16.6.0",
        "html-to-text": "^9.0.5",
        "ioredis": "^5.3.2",
+        "ipaddr.js": "^2.2.0",
        "jsdom": "^22.1.0",
        "jsonpointer": "^5.0.1",
        "jsonrepair": "^3.11.1",
--- a/packages/server/.env.example
+++ b/packages/server/.env.example
@ -162,4 +162,11 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # REDIS_KEY=
 # REDIS_CA=
 # REDIS_KEEP_ALIVE=
-# ENABLE_BULLMQ_DASHBOARD=
+# ENABLE_BULLMQ_DASHBOARD=
+
+
+############################################################################################################
+############################################## SECURITY ####################################################
+############################################################################################################
+
+# HTTP_DENY_LIST=
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml