update dns monitor type to improve security

2025-01-08 00:39:08 +02:00 · 2024-11-27 12:06:48 +05:00 · 2024-11-27 12:06:48 +05:00 · dabd360016
commit dabd360016
parent 060cc5bfb5
1 changed files with 35 additions and 0 deletions
--- a/server/monitor-types/dns.js
+++ b/server/monitor-types/dns.js
@ -17,10 +17,45 @@ class DnsMonitorType extends MonitorType {
        new ConditionVariable("record", defaultStringOperators ),
    ];

+    /**
+     * Validate hostname to ensure it's a valid domain without protocol or path
+     * @param {string} hostname Hostname to validate
+     * @returns {boolean} True if hostname is valid
+     */
+    validateHostname(hostname) {
+        try {
+            // First check if hostname contains protocol or path
+            if (hostname.includes("/") || hostname.includes(":")) {
+                return false;
+            }
+
+            // Try to construct a URL with a dummy protocol
+            const url = new URL(`http://${hostname}`);
+
+            // Ensure there's no path or query parameters
+            if (url.pathname !== "/" || url.search !== "") {
+                return false;
+            }
+
+            // Ensure the hostname matches the original input
+            // This catches cases where the URL constructor might "fix" invalid hostnames
+            return url.hostname === hostname;
+        } catch (error) {
+            return false;
+        }
+    }
+
    /**
     * @inheritdoc
     */
    async check(monitor, heartbeat, _server) {
+        // Validate hostname before proceeding
+        if (!this.validateHostname(monitor.hostname)) {
+            heartbeat.msg = "Invalid hostname format";
+            heartbeat.status = DOWN;
+            return;
+        }
+
        let startTime = dayjs().valueOf();
        let dnsMessage = "";