From 16b7f6532dc60ad1e57bb83e449042c443d102d8 Mon Sep 17 00:00:00 2001 From: Nazar Kovtun Date: Fri, 16 May 2025 18:03:12 +0300 Subject: [PATCH 1/2] HCK-10586: add ipv6 escaping --- package-lock.json | 7 +++++ package.json | 3 +- reverse_engineering/gremlinHelper.js | 3 +- .../helpers/escapeV6IPForURL.js | 30 +++++++++++++++++++ 4 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 reverse_engineering/helpers/escapeV6IPForURL.js diff --git a/package-lock.json b/package-lock.json index 7f3b3bd..24d5069 100644 --- a/package-lock.json +++ b/package-lock.json @@ -11,6 +11,7 @@ "dependencies": { "async": "3.2.5", "gremlin": "3.7.3", + "ip": "2.0.1", "lodash": "4.17.21" }, "devDependencies": { @@ -2775,6 +2776,12 @@ "node": ">= 0.4" } }, + "node_modules/ip": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.1.tgz", + "integrity": "sha512-lJUL9imLTNi1ZfXT+DU6rBBdbiKGBuay9B6xGSPVjUeQwaH1RIGqef8RZkUtHioLmSNpPR5M4HVKJGm1j8FWVQ==", + "license": "MIT" + }, "node_modules/is-array-buffer": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/is-array-buffer/-/is-array-buffer-3.0.4.tgz", diff --git a/package.json b/package.json index d93738c..6ed762d 100644 --- a/package.json +++ b/package.json @@ -48,6 +48,7 @@ "dependencies": { "async": "3.2.5", "gremlin": "3.7.3", + "ip": "2.0.1", "lodash": "4.17.21" }, "lint-staged": { @@ -80,4 +81,4 @@ "prettier": "3.2.5", "simple-git-hooks": "2.11.1" } -} \ No newline at end of file +} diff --git a/reverse_engineering/gremlinHelper.js b/reverse_engineering/gremlinHelper.js index b23e228..d86c950 100644 --- a/reverse_engineering/gremlinHelper.js +++ b/reverse_engineering/gremlinHelper.js @@ -41,6 +41,7 @@ const { getGraphTraversalSourceScriptFromConfiguredGraphFactory, checkGraphTraversalSourceScriptFromConfiguredGraphFactory, } = require('./helpers/gremlinScriptsHelper'); +const { escapeV6IpForURL } = require('./helpers/escapeV6IPForURL'); let sshTunnel; let client; 
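Review bot: The new runtime dependency `"ip": "2.0.1"` in package.json is added for a single format check, and the helper introduced later in this patch already has to work around its looseness (its own comment notes that `isV6Format` returns true for IPv4 input). Node's built-in `net` module provides a strict check without widening the supply-chain surface: `const { isIPv6 } = require('net');` and `if (isIPv6(host)) return '[' + host + ']';`. `net.isIPv6` returns false for IPv4 strings and for already-bracketed hosts, so the extra `!ip.isV4Format(host)` guard in reverse_engineering/helpers/escapeV6IPForURL.js would no longer be needed. If `ip` is kept, a comment in the helper should state why the built-in was not sufficient.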
@@ -92,7 +93,7 @@ const connect = async (info, logger, sshService) => { const connectToInstance = (info, logger) => { return new Promise((resolve, reject) => { - const host = (info.ssh && info.escapedHostForUrl) || info.host; + const host = (info.ssh && info.escapedHostForUrl) || escapeV6IpForURL({ host: info.host }); const port = info.port; const username = info.username; const password = info.password; diff --git a/reverse_engineering/helpers/escapeV6IPForURL.js b/reverse_engineering/helpers/escapeV6IPForURL.js new file mode 100644 index 0000000..c2e0ccf --- /dev/null +++ b/reverse_engineering/helpers/escapeV6IPForURL.js @@ -0,0 +1,30 @@ +const ip = require('ip'); + +//@see https://en.wikipedia.org/wiki/IPv6_address +// Literal IPv6 addresses in resources (URLs): +// ------------------------------------------------ +// Colon (:) characters in IPv6 addresses may conflict with the established syntax of resource identifiers, +// such as URIs and URLs. The colon is conventionally used to terminate the host path before a port number.[10] +// To alleviate this conflict, literal IPv6 addresses are enclosed in square brackets in such resource identifiers; +// When the URL doesn't conatoin the port the notation is +// http://[2001:db8:85a3:8d3:1319:8a2e:370:7348]/ +// When the URL also contains a port number the notation is: +// https://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443/ +function escapeV6IpForURL({ host }) { + // If the host is already URL compatible then the ip lib will return false + // > ip.isV6Format('[::1]') + // false + // If the host is a proper ipv6 ip then the `new URL(host)` will fail with Uncaught TypeError: Invalid URL + // code: 'ERR_INVALID_URL', + // !ip.isV4Format(host) check required because isV6Format returns true for ipv4 address because of backward compatibility + + if (ip.isV6Format(host) && !ip.isV4Format(host)) { + return `[${host}]`; + } + + return host; +} + +module.exports = { + escapeV6IpForURL, +}; 
From 253b22491643a7d975fb23460652eaadbb755d33 Mon Sep 17 00:00:00 2001
From: Nazar Kovtun
Date: Mon, 19 May 2025 13:04:44 +0300
Subject: [PATCH 2/2] HCK-10586: enchanced ipv6 escaping logic
---
 .../helpers/escapeV6IPForURL.js | 70 ++++++++++++++-----
 1 file changed, 52 insertions(+), 18 deletions(-)
diff --git a/reverse_engineering/helpers/escapeV6IPForURL.js b/reverse_engineering/helpers/escapeV6IPForURL.js
index c2e0ccf..6ee75ef 100644
--- a/reverse_engineering/helpers/escapeV6IPForURL.js
+++ b/reverse_engineering/helpers/escapeV6IPForURL.js
@@ -1,28 +1,62 @@ const ip = require('ip'); -//@see https://en.wikipedia.org/wiki/IPv6_address -// Literal IPv6 addresses in resources (URLs): -// ------------------------------------------------ -// Colon (:) characters in IPv6 addresses may conflict with the established syntax of resource identifiers, -// such as URIs and URLs. The colon is conventionally used to terminate the host path before a port number.[10] -// To alleviate this conflict, literal IPv6 addresses are enclosed in square brackets in such resource identifiers; -// When the URL doesn't conatoin the port the notation is -// http://[2001:db8:85a3:8d3:1319:8a2e:370:7348]/ -// When the URL also contains a port number the notation is: -// https://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443/ +/** + * @see https://en.wikipedia.org/wiki/IPv6_address + * Literal IPv6 addresses in resources (URLs): +------------------------------------------------ + * Colon (:) characters in IPv6 addresses may conflict with the established syntax of resource identifiers, + * such as URIs and URLs. 
The colon is conventionally used to terminate the host path before a port number.[10] + * To alleviate this conflict, literal IPv6 addresses are enclosed in square brackets in such resource identifiers; + * When the URL doesn't conatoin the port the notation is http://[2001:db8:85a3:8d3:1319:8a2e:370:7348]/ + * When the URL also contains a port number the notation is: https://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443/ + * + * @param {{ +* host: string +* }} param +* @returns {string} +*/ function escapeV6IpForURL({ host }) { - // If the host is already URL compatible then the ip lib will return false - // > ip.isV6Format('[::1]') - // false - // If the host is a proper ipv6 ip then the `new URL(host)` will fail with Uncaught TypeError: Invalid URL - // code: 'ERR_INVALID_URL', - // !ip.isV4Format(host) check required because isV6Format returns true for ipv4 address because of backward compatibility - + /** + * If the host is already URL compatible then the ip lib will return false > ip.isV6Format('[::1]') false + * If the host is a proper ipv6 ip then the `new URL(host)` will fail with Uncaught TypeError: Invalid URL code: 'ERR_INVALID_URL', + * !ip.isV4Format(host) check required because isV6Format returns true for ipv4 address because of backward compatibility + */ if (ip.isV6Format(host) && !ip.isV4Format(host)) { return `[${host}]`; } - return host; + const isUrlValid = isValidURL(host); + if (isUrlValid) { + return host; + } + + const urlWithIpV6HostRegExp = new RegExp(/^http(s)?:\/\/(?([a-z0-9]{0,4}:?)+)/gim); + const { unescapedIpWithPort } = urlWithIpV6HostRegExp.exec(host)?.groups ?? 
{}; + + if (!unescapedIpWithPort) { + return host; + } + + const separatedIpPortionsAndPort = unescapedIpWithPort.split(':'); + const ipPortions = separatedIpPortionsAndPort.slice(0, separatedIpPortionsAndPort.length - 1); + const port = separatedIpPortionsAndPort.at(-1); + const escapedIpWithPort = `[${ipPortions.join(':')}]:${port}`; + + return host.replace(unescapedIpWithPort, escapedIpWithPort); +} + +/** + * @param {string} url + * @returns {boolean} + */ +function isValidURL(url) { + try { + new URL(url); + + return true; + } catch { + return false; + } } module.exports = {
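Review bot: The port-splitting at the end of `escapeV6IpForURL` treats the last colon-separated piece as a port unconditionally, so a schemed IPv6 host without a port is rewritten to a different address: `http://2001:db8::1` would come back as `http://[2001:db8:]:1`, assuming the capture is the named group `unescapedIpWithPort` that the destructuring expects (the group name is not visible in the regex as rendered here). Nothing checks the rewritten string, and the character class `[a-z0-9]` also accepts non-hex letters, so arbitrary colon-separated text after the scheme gets bracketed as well. Validate the result before returning it and fall back to the caller's input otherwise: `const escapedUrl = host.replace(unescapedIpWithPort, escapedIpWithPort);` followed by `return isValidURL(escapedUrl) ? escapedUrl : host;`. The `new RegExp(...)` wrapper around a literal and the `g` flag are unnecessary for a single `exec` call and can be dropped.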