tijs.org
simple list of pds servers with open registration
Add SSRF protection and XSS hardening for ingestion pipeline
Validate PDS URLs on ingest (https-only, no private IPs, no bare IPs,
no single-label hostnames). Guard enrichment against DNS rebinding by
checking resolved IPs. Sanitize href attributes to block javascript:
URIs and harden esc() with single-quote escaping.
+6
-3
backend/routes/pages.ts
+6
-3
backend/routes/pages.ts
···
6
6
} from "../database/queries.ts";
7
7
import { countryFlag } from "../../shared/constants.ts";
8
8
import type { PdsServer } from "../../shared/types.ts";
9
+
import { isSafeHref } from "../../shared/url-validation.ts";
9
10
10
11
const pages = new Hono();
11
12
···
257
258
): string {
258
259
const { score, breakdown } = trust;
259
260
const hostname = new URL(s.url).hostname;
260
-
const flag = s.country_code ? countryFlag(s.country_code) + " " : "";
261
+
const safeUrl = isSafeHref(s.url) ? s.url : "#";
262
+
const flag = s.country_code ? esc(countryFlag(s.country_code)) + " " : "";
261
263
const country = s.country_name || "";
262
264
263
265
let versionClass = "version-outdated";
···
287
289
esc(breakdown)
288
290
}">${score}%</span></td>
289
291
<td class="hostname"><a href="${
290
-
esc(s.url)
292
+
esc(safeUrl)
291
293
}" target="_blank" rel="noopener">${esc(hostname)}</a></td>
292
294
<td class="hide-mobile">${flag}${esc(country)}</td>
293
295
<td><span class="version-badge ${versionClass}">${
···
306
308
.replace(/&/g, "&")
307
309
.replace(/</g, "<")
308
310
.replace(/>/g, ">")
309
-
.replace(/"/g, """);
311
+
.replace(/"/g, """)
312
+
.replace(/'/g, "'");
310
313
}
311
314
312
315
export { pages };
+10
-1
backend/services/pds-enricher.ts
+10
-1
backend/services/pds-enricher.ts
···
4
4
HealthResponse,
5
5
ServerToEnrich,
6
6
} from "../../shared/types.ts";
7
+
import { isPrivateIp, isValidPdsUrl } from "../../shared/url-validation.ts";
7
8
import { batchGeoLookup, resolveIp } from "./geo-resolver.ts";
8
9
9
10
export type EnrichmentResult = {
···
100
101
url: string,
101
102
existingIp?: string | null,
102
103
): Promise<EnrichmentResult> {
104
+
if (!isValidPdsUrl(url)) {
105
+
throw new Error(`Refusing to enrich invalid URL: ${url}`);
106
+
}
107
+
103
108
const result = emptyResult(url);
104
109
105
-
// Reuse existing IP or resolve fresh
110
+
// Reuse existing IP or resolve fresh, then verify it's not private
106
111
if (existingIp) {
107
112
result.ipAddress = existingIp;
108
113
} else {
109
114
const hostname = new URL(url).hostname;
110
115
result.ipAddress = await resolveIp(hostname);
116
+
}
117
+
118
+
if (result.ipAddress && isPrivateIp(result.ipAddress)) {
119
+
throw new Error(`Refusing to contact private IP for ${url}`);
111
120
}
112
121
113
122
// Fetch health, describeServer, and listRepos concurrently
+9
backend/services/pds-fetcher.ts
+9
backend/services/pds-fetcher.ts
···
1
1
import { STATE_JSON_URL } from "../../shared/constants.ts";
2
2
import type { StateJson } from "../../shared/types.ts";
3
+
import { isValidPdsUrl } from "../../shared/url-validation.ts";
3
4
4
5
export type FilteredPds = {
5
6
url: string;
···
37
38
const data: StateJson = await resp.json();
38
39
const results: FilteredPds[] = [];
39
40
41
+
let skipped = 0;
40
42
for (const [url, entry] of Object.entries(data.pdses)) {
43
+
if (!isValidPdsUrl(url)) {
44
+
skipped++;
45
+
continue;
46
+
}
41
47
const isOpen = !entry.inviteCodeRequired && !entry.errorAt;
42
48
results.push({
43
49
url,
···
46
52
errorAt: entry.errorAt ?? null,
47
53
isOpen,
48
54
});
55
+
}
56
+
if (skipped > 0) {
57
+
console.warn(`Skipped ${skipped} PDS URLs that failed validation`);
49
58
}
50
59
51
60
return { pdsList: results, etag: etag ?? null };