fix: 强化 SSRF 防护、修复代理链路安全漏洞与代码质量问题
基于 Gemini Code Assist 审查建议,对代理链路进行全面安全加固与代码优化。 - [新增] `src/lib/server/ssrf.ts`: 使用 `dns.promises.lookup` 进行真实 IP 解析, 替代原有的正则匹配,防御 DNS 重绑定、非十进制 IP 等绕过手段 - [新增] 为 `proxy/vod/m3u8`、`proxy/vod/key`、`video-proxy` 三个接口补齐 SSRF 校验, 此前仅 `proxy-m3u8` 和 `proxy/vod/segment` 有防护 - [删除] `utils.ts` 中已弃用的 `isValidUrlForProxy` 函数 - 所有代理接口统一强制 SSRF 校验,不再仅限于 `source=directplay` - 修复 `proxy/vod/segment` 中 `isCancelled` 为 `const` 导致流取消信号失效的问题 - 修复 `proxy-m3u8/route.ts` 中导入不存在的函数(`extractResolutionFromM3u8`, `filterAdsFromM3U8Default`, `resolveM3u8Links`)的构建错误 - 修复直链直连模式下 `fetchCurrentSourceVideoInfo` 使用 HLS.js (XHR) 探测视频分辨率 触发 CORS 误报的问题,改为直接跳过探测 - 移除 `proxy/vod/segment` 中未使用的 `NextRequest` 导入 - [新增] `src/lib/server/proxy-headers.ts`: 抽取 CORS 响应头为共享工具函数, 消除 `proxy/vod/segment`、`proxy/vod/key`、`proxy/vod/m3u8` 中重复代码 - 统一使用 `DIRECT_PLAY_SOURCE` 常量替代硬编码 `'directplay'` 字符串 - `src/lib/server/ssrf.ts` - `src/lib/server/proxy-headers.ts` - `/app/api/proxy-m3u8/route` - `/app/api/proxy/vod/key/route` - `/app/api/proxy/vod/m3u8/route` - `/app/api/proxy/vod/segment/route` - `/app/api/video-proxy/route` - `/app/play/page`x - `/lib/utils`
This commit is contained in:
@@ -1,10 +1,12 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
|
||||
import { getConfig } from '@/lib/config';
|
||||
import { isValidUrlForProxy } from '@/lib/utils';
|
||||
import { validateProxyUrlServerSide } from '@/lib/server/ssrf';
|
||||
|
||||
export const runtime = 'nodejs';
|
||||
|
||||
export const maxDuration = 60; // 设置最大执行时间为 60 秒
|
||||
|
||||
/**
|
||||
* M3U8 代理接口
|
||||
* 用于外部播放器访问,会执行去广告逻辑并处理相对链接
|
||||
@@ -36,8 +38,9 @@ export async function GET(request: NextRequest) {
|
||||
}
|
||||
|
||||
const DIRECT_PLAY_SOURCE = 'directplay';
|
||||
// 安全校验:防 SSRF,只允许合法的公网 URL
|
||||
if (source === DIRECT_PLAY_SOURCE && !isValidUrlForProxy(m3u8Url)) {
|
||||
// 安全校验:防 SSRF / 域名重绑定,只允许合法的公网 URL。对所有经过 proxy-m3u8 的请求强制校验,不仅限于 directplay
|
||||
const isSafeUrl = await validateProxyUrlServerSide(m3u8Url);
|
||||
if (!isSafeUrl) {
|
||||
return NextResponse.json(
|
||||
{ error: 'Proxy request to local or invalid network is forbidden' },
|
||||
{ status: 403 }
|
||||
@@ -102,7 +105,7 @@ export async function GET(request: NextRequest) {
|
||||
);
|
||||
|
||||
if (!isTextType) {
|
||||
if (source === 'directplay') {
|
||||
if (source === DIRECT_PLAY_SOURCE) {
|
||||
console.log(`[Proxy-M3U8] 检测到非文本媒体流 (Content-Type: ${contentType}), 针对 directplay 直链代理模式,直接透传二进制流, URL: ${m3u8Url}`);
|
||||
// 构造一个新的 Response 对象用于二进制直接透传,确保包含了支持跨域的 header
|
||||
const newHeaders = new Headers(response.headers);
|
||||
@@ -189,7 +192,10 @@ export async function GET(request: NextRequest) {
|
||||
}
|
||||
|
||||
/**
|
||||
* 默认去广告规则
|
||||
* 默认去广告规则(服务端版本)
|
||||
* 注意:前端 page.tsx 中的 filterAdsFromM3U8 是客户端侧的去广告逻辑(用于直连模式下由 HLS.js 的自定义 loader 拦截)。
|
||||
* 本函数用于代理模式下,在服务端对 m3u8 内容进行去广告处理后再返回给客户端。
|
||||
* 两套逻辑需要保持同步更新。
|
||||
*/
|
||||
function filterAdsFromM3U8Default(type: string, m3u8Content: string): string {
|
||||
if (!m3u8Content) return '';
|
||||
@@ -245,7 +251,10 @@ function filterAdsFromM3U8Default(type: string, m3u8Content: string): string {
|
||||
}
|
||||
|
||||
/**
|
||||
* 将 m3u8 中的相对链接转换为绝对链接,并将子 m3u8 链接转为代理链接
|
||||
* 将 m3u8 中的相对链接转换为绝对链接,并将子 m3u8 链接转为代理链接。
|
||||
* 此函数仅在代理模式下由服务端调用。
|
||||
* - 子 m3u8 链接 → 指向 /api/proxy-m3u8(递归代理)
|
||||
* - ts 分片/密钥 → directplay 模式指向 /api/proxy/vod/segment(解决 CORS)
|
||||
*/
|
||||
function resolveM3u8Links(m3u8Content: string, baseUrl: string, source: string, proxyOrigin: string, token: string): string {
|
||||
const lines = m3u8Content.split('\n');
|
||||
|
||||
@@ -3,6 +3,8 @@
|
||||
import { NextResponse } from "next/server";
|
||||
|
||||
import { getConfig } from "@/lib/config";
|
||||
import { validateProxyUrlServerSide } from '@/lib/server/ssrf';
|
||||
import { buildProxyStreamHeaders } from '@/lib/server/proxy-headers';
|
||||
|
||||
export const runtime = 'nodejs';
|
||||
|
||||
@@ -33,6 +35,13 @@ export async function GET(request: Request) {
|
||||
|
||||
try {
|
||||
const decodedUrl = decodeURIComponent(url);
|
||||
|
||||
// 安全校验:防 SSRF 拦截请求内网或非法 URL
|
||||
const isSafeUrl = await validateProxyUrlServerSide(decodedUrl);
|
||||
if (!isSafeUrl) {
|
||||
return NextResponse.json({ error: 'Proxy request to local or invalid network is forbidden' }, { status: 403 });
|
||||
}
|
||||
|
||||
const response = await fetch(decodedUrl, {
|
||||
headers: {
|
||||
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
|
||||
@@ -44,12 +53,9 @@ export async function GET(request: Request) {
|
||||
return NextResponse.json({ error: 'Failed to fetch key' }, { status: 500 });
|
||||
}
|
||||
|
||||
const headers = new Headers();
|
||||
headers.set('Content-Type', response.headers.get('Content-Type') || 'application/octet-stream');
|
||||
headers.set('Access-Control-Allow-Origin', '*');
|
||||
headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
|
||||
headers.set('Access-Control-Allow-Headers', 'Content-Type, Range, Origin, Accept');
|
||||
headers.set('Access-Control-Expose-Headers', 'Content-Length, Content-Range');
|
||||
const headers = buildProxyStreamHeaders(
|
||||
response.headers.get('Content-Type') || 'application/octet-stream'
|
||||
);
|
||||
|
||||
return new Response(response.body, { headers });
|
||||
} catch (error) {
|
||||
|
||||
@@ -4,6 +4,8 @@ import { NextResponse } from "next/server";
|
||||
|
||||
import { getConfig } from "@/lib/config";
|
||||
import { getBaseUrl, resolveUrl } from "@/lib/live";
|
||||
import { validateProxyUrlServerSide } from '@/lib/server/ssrf';
|
||||
import { buildProxyM3u8Headers, buildProxyStreamHeaders } from '@/lib/server/proxy-headers';
|
||||
|
||||
export const runtime = 'nodejs';
|
||||
|
||||
@@ -38,6 +40,12 @@ export async function GET(request: Request) {
|
||||
try {
|
||||
const decodedUrl = decodeURIComponent(url);
|
||||
|
||||
// 安全校验:防 SSRF 拦截请求内网或非法 URL
|
||||
const isSafeUrl = await validateProxyUrlServerSide(decodedUrl);
|
||||
if (!isSafeUrl) {
|
||||
return NextResponse.json({ error: 'Proxy request to local or invalid network is forbidden' }, { status: 403 });
|
||||
}
|
||||
|
||||
response = await fetch(decodedUrl, {
|
||||
cache: 'no-cache',
|
||||
redirect: 'follow',
|
||||
@@ -66,23 +74,14 @@ export async function GET(request: Request) {
|
||||
// 重写 M3U8 内容
|
||||
const modifiedContent = rewriteM3U8Content(m3u8Content, baseUrl, request, source);
|
||||
|
||||
const headers = new Headers();
|
||||
headers.set('Content-Type', contentType || 'application/vnd.apple.mpegurl');
|
||||
headers.set('Access-Control-Allow-Origin', '*');
|
||||
headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
|
||||
headers.set('Access-Control-Allow-Headers', 'Content-Type, Range, Origin, Accept');
|
||||
headers.set('Cache-Control', 'no-cache');
|
||||
headers.set('Access-Control-Expose-Headers', 'Content-Length, Content-Range');
|
||||
const headers = buildProxyM3u8Headers(contentType || undefined);
|
||||
return new Response(modifiedContent, { headers });
|
||||
}
|
||||
// just proxy
|
||||
const headers = new Headers();
|
||||
headers.set('Content-Type', response.headers.get('Content-Type') || 'application/vnd.apple.mpegurl');
|
||||
headers.set('Access-Control-Allow-Origin', '*');
|
||||
headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
|
||||
headers.set('Access-Control-Allow-Headers', 'Content-Type, Range, Origin, Accept');
|
||||
const headers = buildProxyStreamHeaders(
|
||||
response.headers.get('Content-Type') || 'application/vnd.apple.mpegurl'
|
||||
);
|
||||
headers.set('Cache-Control', 'no-cache');
|
||||
headers.set('Access-Control-Expose-Headers', 'Content-Length, Content-Range');
|
||||
|
||||
// 直接返回视频流
|
||||
return new Response(response.body, {
|
||||
|
||||
@@ -1,9 +1,10 @@
|
||||
/* eslint-disable no-console,@typescript-eslint/no-explicit-any */
|
||||
|
||||
import { NextResponse } from "next/server";
|
||||
import { NextResponse } from 'next/server';
|
||||
|
||||
import { getConfig } from "@/lib/config";
|
||||
import { isValidUrlForProxy } from "@/lib/utils";
|
||||
import { getConfig } from '@/lib/config';
|
||||
import { validateProxyUrlServerSide } from '@/lib/server/ssrf';
|
||||
import { buildProxyStreamHeaders } from '@/lib/server/proxy-headers';
|
||||
|
||||
export const runtime = 'nodejs';
|
||||
|
||||
@@ -44,8 +45,9 @@ export async function GET(request: Request) {
|
||||
try {
|
||||
const decodedUrl = decodeURIComponent(url);
|
||||
|
||||
// 安全校验:防 SSRF 拦截请求内网或非法 URL
|
||||
if (source === DIRECT_PLAY_SOURCE && !isValidUrlForProxy(decodedUrl)) {
|
||||
// 安全校验:防 SSRF 拦截请求内网或非法 URL (强制检查所有代理请求)
|
||||
const isSafeUrl = await validateProxyUrlServerSide(decodedUrl);
|
||||
if (!isSafeUrl) {
|
||||
return NextResponse.json({ error: 'Proxy request to local or invalid network is forbidden' }, { status: 403 });
|
||||
}
|
||||
|
||||
@@ -59,19 +61,14 @@ export async function GET(request: Request) {
|
||||
return NextResponse.json({ error: 'Failed to fetch segment' }, { status: 500 });
|
||||
}
|
||||
|
||||
const headers = new Headers();
|
||||
headers.set('Content-Type', response.headers.get('Content-Type') || 'video/mp2t');
|
||||
headers.set('Access-Control-Allow-Origin', '*');
|
||||
headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
|
||||
headers.set('Access-Control-Allow-Headers', 'Content-Type, Range, Origin, Accept');
|
||||
headers.set('Accept-Ranges', 'bytes');
|
||||
headers.set('Access-Control-Expose-Headers', 'Content-Length, Content-Range');
|
||||
const contentLength = response.headers.get('content-length');
|
||||
if (contentLength) {
|
||||
headers.set('Content-Length', contentLength);
|
||||
}
|
||||
const headers = buildProxyStreamHeaders(
|
||||
response.headers.get('Content-Type') || 'video/mp2t',
|
||||
response.headers.get('content-length')
|
||||
);
|
||||
|
||||
// 使用流式传输,避免占用内存
|
||||
let isCancelled = false;
|
||||
|
||||
const stream = new ReadableStream({
|
||||
start(controller) {
|
||||
if (!response?.body) {
|
||||
@@ -80,7 +77,6 @@ export async function GET(request: Request) {
|
||||
}
|
||||
|
||||
reader = response.body.getReader();
|
||||
const isCancelled = false;
|
||||
|
||||
function pump() {
|
||||
if (isCancelled || !reader) {
|
||||
@@ -122,6 +118,7 @@ export async function GET(request: Request) {
|
||||
pump();
|
||||
},
|
||||
cancel() {
|
||||
isCancelled = true;
|
||||
// 当流被取消时,确保释放所有资源
|
||||
if (reader) {
|
||||
try {
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import { NextResponse } from 'next/server';
|
||||
import { validateProxyUrlServerSide } from '@/lib/server/ssrf';
|
||||
|
||||
export const runtime = 'nodejs';
|
||||
|
||||
@@ -11,6 +12,12 @@ export async function GET(request: Request) {
|
||||
return NextResponse.json({ error: 'Missing video URL' }, { status: 400 });
|
||||
}
|
||||
|
||||
// 安全校验:防 SSRF,只允许合法的公网 URL
|
||||
const isSafeUrl = await validateProxyUrlServerSide(videoUrl);
|
||||
if (!isSafeUrl) {
|
||||
return NextResponse.json({ error: 'Proxy request to local or invalid network is forbidden' }, { status: 403 });
|
||||
}
|
||||
|
||||
try {
|
||||
// 获取客户端的Range请求头
|
||||
const range = request.headers.get('range');
|
||||
|
||||
@@ -1452,6 +1452,13 @@ function PlayPageClient() {
|
||||
if (isDirectplayDomainProxied(episodeUrl)) {
|
||||
const tokenParam = proxyToken ? `&token=${encodeURIComponent(proxyToken)}` : '';
|
||||
episodeUrl = `/api/proxy-m3u8?url=${encodeURIComponent(episodeUrl)}&source=directplay${tokenParam}`;
|
||||
} else {
|
||||
// 直链模式且未走代理:跳过 HLS.js 探测。
|
||||
// getVideoResolutionFromM3u8 内部使用 HLS.js (XMLHttpRequest) 加载,
|
||||
// 而 XHR 受 CORS 限制,探测必然失败。实际播放器通过 <video src> 加载不受 CORS 影响。
|
||||
console.log('[视频信息] 直链直连模式,跳过分辨率探测(避免 CORS 误报)');
|
||||
setCurrentSourceVideoInfo(null);
|
||||
return;
|
||||
}
|
||||
} else if (sourceProxyMode && isM3u8) {
|
||||
episodeUrl = `/api/proxy/vod/m3u8?url=${encodeURIComponent(episodeUrl)}&source=${encodeURIComponent(currentSource)}`;
|
||||
|
||||
39
src/lib/server/proxy-headers.ts
Normal file
39
src/lib/server/proxy-headers.ts
Normal file
@@ -0,0 +1,39 @@
|
||||
/**
|
||||
* 代理接口共享工具函数
|
||||
* 用于构建标准化的 CORS 响应头,避免各代理路由中的重复代码。
|
||||
*/
|
||||
|
||||
/**
|
||||
* 构建标准的代理流式响应头 (用于 ts 分片、密钥、二进制流等)
|
||||
* 包含 CORS、Accept-Ranges 和 Content-Length 等标准头。
|
||||
*/
|
||||
export function buildProxyStreamHeaders(
|
||||
contentType: string,
|
||||
contentLength?: string | null
|
||||
): Headers {
|
||||
const headers = new Headers();
|
||||
headers.set('Content-Type', contentType);
|
||||
headers.set('Access-Control-Allow-Origin', '*');
|
||||
headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
|
||||
headers.set('Access-Control-Allow-Headers', 'Content-Type, Range, Origin, Accept');
|
||||
headers.set('Accept-Ranges', 'bytes');
|
||||
headers.set('Access-Control-Expose-Headers', 'Content-Length, Content-Range');
|
||||
if (contentLength) {
|
||||
headers.set('Content-Length', contentLength);
|
||||
}
|
||||
return headers;
|
||||
}
|
||||
|
||||
/**
|
||||
* 构建标准的代理 M3U8 播放列表响应头
|
||||
*/
|
||||
export function buildProxyM3u8Headers(contentType?: string): Headers {
|
||||
const headers = new Headers();
|
||||
headers.set('Content-Type', contentType || 'application/vnd.apple.mpegurl');
|
||||
headers.set('Access-Control-Allow-Origin', '*');
|
||||
headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
|
||||
headers.set('Access-Control-Allow-Headers', 'Content-Type, Range, Origin, Accept');
|
||||
headers.set('Cache-Control', 'no-cache');
|
||||
headers.set('Access-Control-Expose-Headers', 'Content-Length, Content-Range');
|
||||
return headers;
|
||||
}
|
||||
94
src/lib/server/ssrf.ts
Normal file
94
src/lib/server/ssrf.ts
Normal file
@@ -0,0 +1,94 @@
|
||||
import dns from 'dns';
|
||||
|
||||
/**
|
||||
* 判断 IP 地址是否为内网/本地私有地址
|
||||
* 覆盖 IPv4 和 IPv6,彻底杜绝所有变体绕过。
|
||||
*/
|
||||
export function isPrivateIP(ip: string): boolean {
|
||||
// IPv4 私有地址和环回地址
|
||||
if (ip.includes('.')) {
|
||||
const parts = ip.split('.').map(Number);
|
||||
if (parts.length !== 4) return false;
|
||||
|
||||
return (
|
||||
parts[0] === 10 || // 10.x.x.x
|
||||
parts[0] === 127 || // 127.x.x.x (Loopback)
|
||||
(parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) || // 172.16.x.x - 172.31.x.x
|
||||
(parts[0] === 192 && parts[1] === 168) || // 192.168.x.x
|
||||
(parts[0] === 169 && parts[1] === 254) || // 169.254.x.x (Link-local)
|
||||
parts[0] === 0 // 0.x.x.x ("This network")
|
||||
);
|
||||
}
|
||||
|
||||
// IPv6 私有地址和环回地址
|
||||
if (ip.includes(':')) {
|
||||
// ::1 环回地址 (Loopback)
|
||||
if (ip === '::1' || ip === '0:0:0:0:0:0:0:1') return true;
|
||||
|
||||
// 0::0 / :: 未指定地址
|
||||
if (ip === '::' || ip === '0:0:0:0:0:0:0:0') return true;
|
||||
|
||||
const lowerIp = ip.toLowerCase();
|
||||
|
||||
// IPv4 映射到 IPv6 的地址 (例如 ::ffff:127.0.0.1)
|
||||
if (lowerIp.startsWith('::ffff:')) {
|
||||
return isPrivateIP(lowerIp.substring(7));
|
||||
}
|
||||
|
||||
// 唯一本地地址 (Unique Local Addresses, fc00::/7)
|
||||
if (lowerIp.startsWith('fc') || lowerIp.startsWith('fd')) return true;
|
||||
|
||||
// 链路本地地址 (Link-Local Addresses, fe80::/10)
|
||||
if (lowerIp.startsWith('fe8') || lowerIp.startsWith('fe9') || lowerIp.startsWith('fea') || lowerIp.startsWith('feb')) return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* 校验代理 URL 是否安全 (防止 SSRF / DNS 重绑定漏洞)
|
||||
* 只在 Node.js 服务端运行。
|
||||
*/
|
||||
export async function validateProxyUrlServerSide(urlStr: string): Promise<boolean> {
|
||||
if (!urlStr) return false;
|
||||
try {
|
||||
const parsed = new URL(urlStr);
|
||||
|
||||
// 1. 协议检查
|
||||
if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
|
||||
return false;
|
||||
}
|
||||
|
||||
// 2. 剥离认证信息防止混淆
|
||||
if (parsed.username || parsed.password) {
|
||||
return false;
|
||||
}
|
||||
|
||||
let { hostname } = parsed;
|
||||
|
||||
// 清洗 IPv6 括号边界
|
||||
if (hostname.startsWith('[') && hostname.endsWith(']')) {
|
||||
hostname = hostname.substring(1, hostname.length - 1);
|
||||
}
|
||||
|
||||
// 3. DNS 真实解析 (获取底层物理 IP)
|
||||
// 这一步能彻底打碎各种形式的短格式 IP (127.1)、八/十六进制 IP (0x7f.0.0.1)、或者指向 127.0.0.1 的恶意外部域名 DNS 重绑定。
|
||||
const lookupResult = await dns.promises.lookup(hostname);
|
||||
|
||||
if (!lookupResult || !lookupResult.address) {
|
||||
return false; // 解析不出 IP 则拒绝
|
||||
}
|
||||
|
||||
// 4. 对物理 IP 进行内网校验
|
||||
if (isPrivateIP(lookupResult.address)) {
|
||||
console.warn(`[SSRF 防护] 拦截到尝试访问内部网络的请求 URL: ${urlStr} (解析出的底层 IP: ${lookupResult.address})`);
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
} catch (error) {
|
||||
// 凡是报错(无论是 URL 解析失败,还是 DNS 解析失败,还是域名不存在),均作为不安全拒绝
|
||||
console.warn(`[SSRF 防护] URL解析失败或不合法, 拒绝代理请求: ${urlStr}`);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
@@ -407,47 +407,3 @@ export function base58Decode(encoded: string): string {
|
||||
return Buffer.from(bytes).toString('utf-8');
|
||||
}
|
||||
|
||||
/**
|
||||
* 校验提供给代理层的外部 URL 是否安全
|
||||
* 防止 SSRF (服务端请求伪造) 访问内网私有地址
|
||||
*/
|
||||
export function isValidUrlForProxy(urlStr: string): boolean {
|
||||
if (!urlStr) return false;
|
||||
try {
|
||||
const parsed = new URL(urlStr);
|
||||
|
||||
// 仅允许 http 和 https
|
||||
if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
|
||||
return false;
|
||||
}
|
||||
|
||||
const { hostname } = parsed;
|
||||
|
||||
// 拦截明显的本地或特定地址
|
||||
if (
|
||||
hostname === 'localhost' ||
|
||||
hostname === '127.0.0.1' ||
|
||||
hostname === '0.0.0.0' ||
|
||||
hostname === '[::1]'
|
||||
) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// 通过正则拦截内网 IPv4 (10.x, 172.16-31.x, 192.168.x, 169.254.x)
|
||||
const ipv4Regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
|
||||
const match = hostname.match(ipv4Regex);
|
||||
if (match) {
|
||||
const parts = match.slice(1).map(Number);
|
||||
if (parts[0] === 10) return false;
|
||||
if (parts[0] === 127) return false;
|
||||
if (parts[0] === 192 && parts[1] === 168) return false;
|
||||
if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return false;
|
||||
if (parts[0] === 169 && parts[1] === 254) return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
} catch {
|
||||
// 解析失败直接判定为不安全
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user