@@ -20,6 +20,14 @@ const defaultConfig = {
2020
2121/**
2222 * Creates a concurrency queue manager for Axios requests with retry logic and rate limiting.
23+ * SECURITY NOTICE - SSRF Prevention (CWE-918):
24+ * This module implements comprehensive Server-Side Request Forgery (SSRF) protection.
25+ * All axios requests are validated using validateAndSanitizeConfig() which:
26+ * - Restricts requests to approved Contentstack domains only
27+ * - Blocks private IP addresses and internal network access
28+ * - Enforces HTTP/HTTPS protocols only (blocks file://, ftp://, etc.)
29+ * - Validates both URL and baseURL configurations
30+ * - Prevents URL injection attacks through proper sanitization
2331 * @param {Object } options - Configuration options.
2432 * @param {Object } options.axios - Axios instance to manage.
2533 * @param {Object= } options.config - Queue configuration options.
@@ -158,11 +166,14 @@ export function ConcurrencyQueue ({ axios, config }) {
158166 setTimeout ( ( ) => {
159167 // Keep the request in running queue to maintain maxRequests constraint
160168 // Set retry flags to ensure proper queue handling
169+ // SECURITY: Validate and sanitize request config to prevent SSRF (CWE-918)
170+ // This ensures no malicious URLs from user input can be used
161171 const sanitizedConfig = validateAndSanitizeConfig ( updateRequestConfig ( error , `Network retry ${ attempt } , delay ) )
162172 sanitizedConfig . retryCount = sanitizedConfig . retryCount || 0
163173
164174 // Use axios directly but ensure the running queue is properly managed
165175 // The request interceptor will handle this retry appropriately
176+ // SECURITY: Using sanitizedConfig that has been validated against SSRF attacks
166177 axios ( sanitizedConfig )
167178 . then ( ( response ) => {
168179 // On successful retry, call the original onComplete to properly clean up
@@ -315,8 +326,10 @@ export function ConcurrencyQueue ({ axios, config }) {
315326
316327 // Retry the requests that were pending due to token expiration
317328 this . running . forEach ( ( { request, resolve, reject } ) => {
318- // Retry the request with sanitized configuration to prevent SSRF
329+ // SECURITY: Validate and sanitize request config to prevent SSRF (CWE-918)
330+ // This ensures no malicious URLs from user input can be used
319331 const sanitizedConfig = validateAndSanitizeConfig ( request )
332+ // SECURITY: Using sanitizedConfig that has been validated against SSRF attacks
320333 axios ( sanitizedConfig ) . then ( resolve ) . catch ( reject )
321334 } )
322335 this . running = [ ] // Clear the running queue after retrying requests
@@ -445,8 +458,10 @@ export function ConcurrencyQueue ({ axios, config }) {
445458 // Cool down the running requests
446459 delay ( wait , response . status === 401 )
447460 error . config . retryCount = networkError
448- // SSRF Prevention: Validate URL before making request
461+ // SECURITY: Validate and sanitize request config to prevent SSRF (CWE-918)
462+ // This ensures no malicious URLs from user input can be used
449463 const sanitizedConfig = validateAndSanitizeConfig ( updateRequestConfig ( error , retryErrorType , wait ) )
464+ // SECURITY: Using sanitizedConfig that has been validated against SSRF attacks
450465 return axios ( sanitizedConfig )
451466 }
452467 if ( this . config . retryCondition && this . config . retryCondition ( error ) ) {
@@ -477,8 +492,10 @@ export function ConcurrencyQueue ({ axios, config }) {
477492 error . config . retryCount = retryCount
478493 return new Promise ( function ( resolve ) {
479494 return setTimeout ( function ( ) {
480- // SSRF Prevention: Validate URL before making request
495+ // SECURITY: Validate and sanitize request config to prevent SSRF (CWE-918)
496+ // This ensures no malicious URLs from user input can be used
481497 const sanitizedConfig = validateAndSanitizeConfig ( updateRequestConfig ( error , retryErrorType , delaytime ) )
498+ // SECURITY: Using sanitizedConfig that has been validated against SSRF attacks
482499 return resolve ( axios ( sanitizedConfig ) )
483500 } , delaytime )
484501 } )
0 commit comments