From 6f4e0dfc47a8d223cdf293525ab91a2bc5865d0b Mon Sep 17 00:00:00 2001
From: Sarfraz Khan
Date: Tue, 10 Mar 2026 10:24:56 +0530
Subject: [PATCH 1/2] resolving snyk warnign for SSRF
---
 .../src/theme/ApiExplorer/Request/makeRequest.ts | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/packages/docusaurus-theme-openapi-docs/src/theme/ApiExplorer/Request/makeRequest.ts b/packages/docusaurus-theme-openapi-docs/src/theme/ApiExplorer/Request/makeRequest.ts
index 07b2edb..91b6167 100644
--- a/packages/docusaurus-theme-openapi-docs/src/theme/ApiExplorer/Request/makeRequest.ts
+++ b/packages/docusaurus-theme-openapi-docs/src/theme/ApiExplorer/Request/makeRequest.ts
@@ -223,7 +223,7 @@ async function makeRequest(
 }
 if (fileExtension) {
- return response.blob().then((blob: any) => {
+ return response.blob().then((blob: Blob) => {
 const url = window.URL.createObjectURL(blob);
 const link = document.createElement("a");
@@ -231,14 +231,16 @@ async function makeRequest(
 // Now the file name includes the extension
 link.setAttribute("download", `file${fileExtension}`);
- // These two lines are necessary to make the link click in Firefox
- link.style.display = "none";
- document.body.appendChild(link);
+ // These lines are necessary to make the link click in Firefox
+ const hiddenContainer = document.createElement("div");
+ hiddenContainer.style.display = "none";
+ hiddenContainer.appendChild(link);
+ document.body.appendChild(hiddenContainer);
 link.click();
 // After link is clicked, it's safe to remove it.
- setTimeout(() => document.body.removeChild(link), 0);
+ setTimeout(() => document.body.removeChild(hiddenContainer), 0);
 return response;
 });
From f4f5d223d92652a53d4b56b0ecc3f107b5a708eb Mon Sep 17 00:00:00 2001
From: Sarfraz Khan
Date: Tue, 10 Mar 2026 10:27:13 +0530
Subject: [PATCH 2/2] resolving snyk warnign for SSRF
---
 .../theme/ApiExplorer/Request/makeRequest.ts | 45 +++++++++++++------
 1 file changed, 31 insertions(+), 14 deletions(-)
diff --git a/packages/docusaurus-theme-openapi-docs/src/theme/ApiExplorer/Request/makeRequest.ts b/packages/docusaurus-theme-openapi-docs/src/theme/ApiExplorer/Request/makeRequest.ts
index 91b6167..316590c 100644
--- a/packages/docusaurus-theme-openapi-docs/src/theme/ApiExplorer/Request/makeRequest.ts
+++ b/packages/docusaurus-theme-openapi-docs/src/theme/ApiExplorer/Request/makeRequest.ts
@@ -12,13 +12,32 @@ function fetchWithtimeout(
 url: string,
 options: RequestInit,
 timeout = 5000
-): any {
- return Promise.race([
- fetch(url, options),
- new Promise((_, reject) =>
- setTimeout(() => reject(new Error("Request timed out")), timeout)
- ),
- ]);
+): Promise {
+ let parsedUrl: URL;
+ try {
+ parsedUrl = new URL(url);
+ } catch (e) {
+ throw new Error("Invalid URL");
+ }
+
+ if (!['http:', 'https:'].includes(parsedUrl.protocol)) {
+ throw new Error(`Forbidden protocol: ${parsedUrl.protocol}`);
+ }
+
+ const forbiddenHosts = ['localhost', '127.0.0.1', '169.254.169.254'];
+ if (forbiddenHosts.includes(parsedUrl.hostname)) {
+ throw new Error("Access to internal resources is forbidden");
+ }
+
+ const controller = new AbortController();
+ const id = setTimeout(() => controller.abort(), timeout);
+
+ return fetch(parsedUrl.toString(), {
+ ...options,
+ signal: controller.signal,
+ }).finally(() => {
+ clearTimeout(id);
+ });
 }
 async function loadImage(content: Blob): Promise {
@@ -223,7 +242,7 @@ async function makeRequest(
 }
 if (fileExtension) {
- return response.blob().then((blob: Blob) => {
+ return response.blob().then((blob: any) => {
 const url = window.URL.createObjectURL(blob);
 const link = document.createElement("a");
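Review bot: The new `forbiddenHosts` line is a denylist of three literal hostnames, so it is not an effective boundary: IPv6 loopback, other loopback and link-local addresses, RFC 1918 ranges and DNS names that resolve to any of them are all accepted, and because this `fetch` runs in the visitor's browser (the same file uses `window` and `document`) the Snyk SSRF finding does not describe a server-side risk here. Keep the protocol check, but annotate the host check as best-effort, e.g. `// Best-effort guard for the Snyk SSRF finding; a literal denylist in client-side code is not a security boundary`, rather than presenting it as a fix. Two contract changes are also worth noting: the three `throw` statements now fire synchronously from a function that returns a `Promise` (shown on the page without its type argument, presumably `Promise<Response>`), whereas the old body always returned a promise, so a caller chaining `.catch()` instead of awaiting inside `try` would no longer receive these errors; and a timeout now rejects with the abort `DOMException` instead of the previous `Error("Request timed out")`, which any caller matching on that message would miss. Making the function `async` and passing the Error as the abort reason restores both, as in the excerpt below; `function fetchWithtimeout(` itself is the line just above the hunk, and the unused binding in `catch (e)` can become `catch {`.
```typescript
async function fetchWithtimeout(
  // … unchanged: url, options, timeout parameters …
): Promise<Response> {
  // … unchanged: URL parsing, protocol check, best-effort host denylist (their throws now surface as rejections) …
  const controller = new AbortController();
  // Abort with an Error so the rejection keeps the previous "Request timed out" message.
  const id = setTimeout(
    () => controller.abort(new Error("Request timed out")),
    timeout
  );
  try {
    return await fetch(parsedUrl.toString(), {
      ...options,
      signal: controller.signal,
    });
  } finally {
    clearTimeout(id);
  }
}
```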
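Review bot: The new side's `(blob: any)` reverts the `(blob: Blob)` annotation that PATCH 1/2 of this same series added one commit earlier, and the next hunk (@@ -231,16 +250,14 @@) likewise reverts that patch's hidden-container change, so the two commits cancel out on everything except `fetchWithtimeout`. `response.blob()` resolves to a `Blob`, so keep `return response.blob().then((blob: Blob) => {` (or drop the annotation and let it be inferred) rather than reintroducing `any`; if undoing the container change is intended, squashing the series would avoid the churn. The enclosing `makeRequest` starts and ends outside this hunk.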
@@ -231,16 +250,14 @@ async function makeRequest(
 // Now the file name includes the extension
 link.setAttribute("download", `file${fileExtension}`);
- // These lines are necessary to make the link click in Firefox
- const hiddenContainer = document.createElement("div");
- hiddenContainer.style.display = "none";
- hiddenContainer.appendChild(link);
- document.body.appendChild(hiddenContainer);
+ // These two lines are necessary to make the link click in Firefox
+ link.style.display = "none";
+ document.body.appendChild(link);
 link.click();
 // After link is clicked, it's safe to remove it.
- setTimeout(() => document.body.removeChild(hiddenContainer), 0);
+ setTimeout(() => document.body.removeChild(link), 0);
 return response;
 });