sharkord-rss v0.1.1 — security patch over v0.1.0
This PR replaces the previously published v0.1.0 (PR #5) with v0.1.1, which fixes three security issues found shortly after the initial merge. The vulnerable versions/0.1.0.json is removed in the same diff so users can no longer install the buggy version from the marketplace.
- 🌐 Repository: https://github.com/EssekerDev/sharkord-rss
- 📦 Release: https://github.com/EssekerDev/sharkord-rss/releases/tag/v0.1.1
🔒 Security fixes vs v0.1.0
- SSRF bypass — RFC 6598 CGN range.
isPrivateIPv4did not block100.64.0.0/10, leaving cloud-provider metadata endpoints (e.g. Alibaba's100.100.100.200) reachable. Now rejected. - Feed-of-death via giant HTML entity. A feed containing
�triggered an unhandledRangeErrorinString.fromCodePoint, DoS-stopping the article parse. Numeric entities are now clamped to the valid Unicode range (<= 0x10FFFF). - IPv6 loopback in uncompressed form.
0:0:0:0:0:0:0:1and0000::1were not detected as loopback. Added a::-aware expander so every textual form is rejected.
🩹 Reliability / DX improvements
- Channel validity checks in
syncFeedsFromSettingsnow run in parallel viaPromise.all. - Single source of truth for "valid public HTTP(S) URL" shared between settings save and per-redirect checks (
validatePublicHttpUrl). response.on('error')wraps inFeedErrorso everyfetchOncerejection carries a stable.code.- Scheduler tick reduced from 60 s to 10 s so admin dialog saves are picked up much faster (Sharkord's admin dialog does not emit
setting:set, so we rely on the tick).
🧪 Tests
50 unit tests added (bun test) covering the security-critical helpers — including explicit regression cases for the three issues above. Pass on Bun 1.3.x.
🗑 Files changed
plugins/sharkord-rss/versions/0.1.0.json→ removed (vulnerable; no longer reachable from the marketplace)plugins/sharkord-rss/versions/0.1.1.json→ added