DNS-aware SSRF check: catches hostnames that resolve to internal IPs (the schema check only catches IP literals).
(endpoint: string | undefined)
| 127 | |
/**
 * DNS-aware SSRF guard for a configured S3 endpoint.
 *
 * The schema check only catches IP literals; this function hands the endpoint
 * to `validateUrlWithDNS` so that hostnames resolving to internal IPs are
 * rejected as well. A missing or empty endpoint is accepted without any lookup.
 *
 * NOTE(review): validation happens before the actual request is issued. Whether
 * the later S3 call connects to the address that was validated here (rather
 * than resolving the hostname again) is not visible in this function; confirm
 * at the call site, because a second resolution may return a different address.
 *
 * @param endpoint - Endpoint URL to validate; `undefined` or empty skips the check.
 * @throws Error with the validator's message, or a generic SSRF-validation
 *   message when the validator supplies none.
 */
async function assertEndpointIsPublic(endpoint: string | undefined): Promise<void> {
  if (endpoint) {
    const outcome = await validateUrlWithDNS(endpoint, 'endpoint')
    if (outcome.isValid) return
    // Prefer the validator's own explanation; fall back to a fixed message.
    throw new Error(outcome.error ?? 'S3 endpoint failed SSRF validation')
  }
}
| 136 | |
| 137 | /** |
| 138 | * Surfaces actionable S3 SDK error codes (`AccessDenied`, `NoSuchBucket`, |