From 5b6e8cc11032a29cb7945428f1dc08f233b39261 Mon Sep 17 00:00:00 2001
From: eternal-flame-AD
Date: Thu, 21 Nov 2024 03:12:47 -0600
Subject: [PATCH] reject all non TLSv1.2 AP queries
Signed-off-by: eternal-flame-AD
---
 .../backend/src/core/HttpRequestService.ts | 42 +++++--------------
 1 file changed, 10 insertions(+), 32 deletions(-)
diff --git a/packages/backend/src/core/HttpRequestService.ts b/packages/backend/src/core/HttpRequestService.ts
index 60ecc03e4a..8a6d978232 100644
--- a/packages/backend/src/core/HttpRequestService.ts
+++ b/packages/backend/src/core/HttpRequestService.ts
@@ -27,21 +27,11 @@ export type HttpRequestSendOptions = {
 @Injectable()
 export class HttpRequestService {
- /**
- * Get http non-proxy agent
- */
- private http: http.Agent;
-
 /**
 * Get https non-proxy agent
 */
 private https: https.Agent;
- /**
- * Get http proxy or non-proxy agent
- */
- public httpAgent: http.Agent;
-
 /**
 * Get https proxy or non-proxy agent
 */
@@ -57,34 +47,16 @@ export class HttpRequestService {
 lookup: false, // nativeのdns.lookupにfallbackしない
 });
- this.http = new http.Agent({
- keepAlive: true,
- keepAliveMsecs: 30 * 1000,
- lookup: cache.lookup as unknown as net.LookupFunction,
- localAddress: config.outgoingAddress,
- });
 this.https = new https.Agent({
 keepAlive: true,
 keepAliveMsecs: 30 * 1000,
 lookup: cache.lookup as unknown as net.LookupFunction,
 localAddress: config.outgoingAddress,
+ minVersion: 'TLSv1.2',
 });
 const maxSockets = Math.max(256, config.deliverJobConcurrency ?? 128);
- this.httpAgent = config.proxy
- ? new HttpProxyAgent({
- keepAlive: true,
- keepAliveMsecs: 30 * 1000,
- maxSockets,
- maxFreeSockets: 256,
- scheduling: 'lifo',
- proxy: config.proxy,
- localAddress: config.outgoingAddress,
- })
- : this.http;
 this.httpsAgent = config.proxy
 ? new HttpsProxyAgent({
 keepAlive: true,
@@ -104,11 +76,17 @@ export class HttpRequestService {
 * @param bypassProxy Allways bypass proxy
 */
 @bindThis
- public getAgentByUrl(url: URL, bypassProxy = false): http.Agent | https.Agent {
+ public getAgentByUrl(url: URL, bypassProxy = false): https.Agent {
+ if (url.protocol !== 'https:') {
+ throw new Error('Invalid protocol');
+ }
+ if (url.port && url.port !== '443') {
+ throw new Error('Invalid port');
+ }
 if (bypassProxy || (this.config.proxyBypassHosts ?? []).includes(url.hostname)) {
- return url.protocol === 'http:' ? this.http : this.https;
+ return this.https;
 } else {
- return url.protocol === 'http:' ? this.httpAgent : this.httpsAgent;
+ return this.httpsAgent;
 }
 }
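Review bot: The two new guards at the top of getAgentByUrl now throw synchronously, but the method's doc comment, which begins above this hunk, still documents only `@param bypassProxy`; add a line such as `@throws {Error} when url.protocol is not 'https:' or url.port is set to anything other than '443'` so callers know the lookup itself can fail. The TLS 1.2 floor that the commit title promises is visible only on `this.https` (the `minVersion: 'TLSv1.2'` added in the first hunk), while the `this.httpsAgent` returned in the else branch comes from the HttpsProxyAgent construction that is cut off in this chunk, so it is worth confirming that agent carries the same `minVersion` option; otherwise proxied ActivityPub traffic could presumably still negotiate an older TLS version. Note also that `url.port` is the empty string for a default-port URL, so `https://host` and `https://host:443` both pass while any other explicit port is rejected, which looks intentional but deserves a short comment on the port check. The enclosing doc comment starts outside the hunk.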