fix(security): eliminate all SSRF bypasses, error leaks, and rate limit race

gl0bal01 · claude · gl0bal01 · commit 04a3afe2e174 · 2026-03-18T21:24:30.000Z
SSRF hardening (H1, H2, H3, M4):
- Fix IPv4-mapped IPv6 bypass (::ffff:127.0.0.1 now detected as private)
- Check both A and AAAA DNS records (not just one fallback)
- Add connect-time IP validation via custom http.Agent (eliminates DNS rebinding)
- Re-validate each redirect hop in redirect-chain.js
- Apply safe agents to all axios calls in 7 URL-accepting commands

Error leak fixes (M1, M2, M3):
- aviation.js: stop leaking API error status/data to users
- nike.js: stop leaking err.message in HTML report creation
- jwt.js: stop leaking raw stderr to users

Rate limit fix (M5):
- Make check-and-record atomic to prevent concurrent request bypass
- Remove separate recordUsage call from index.js

Tests: 45 passing (+2 new IPv4-mapped IPv6 tests)

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/commands/aviation.js b/commands/aviation.js
@@ -172,13 +172,15 @@ module.exports = {
                         return interaction.editReply('Rate limit exceeded. Please try again later.');
                     }
                     
-                    return interaction.editReply(`API Error (${apiError.response.status}): ${apiError.response.data.error?.info || 'Failed to fetch flight data'}`);
+                    console.error('Aviation API error:', apiError.response?.data);
+                    return interaction.editReply('The aviation API returned an error. Please try again later.');
                 } else if (apiError.request) {
                     // No response received
                     return interaction.editReply('Could not connect to flight data service. Please try again later.');
                 } else {
                     // Other error
-                    return interaction.editReply(`Error fetching flight data: ${apiError.message}`);
+                    console.error('Aviation fetch error:', apiError);
+                    return interaction.editReply('An error occurred while fetching flight data. Please try again later.');
                 }
             }
         } catch (commandError) {
diff --git a/commands/exif.js b/commands/exif.js
@@ -30,7 +30,7 @@ const path = require('path');
 const { URL } = require('url');
 const crypto = require('crypto');
 const { isValidUrl, sanitizeInput } = require('../utils/validation');
-const { validateUrlNotInternal } = require('../utils/ssrf');
+const { validateUrlNotInternal, getSafeAxiosConfig } = require('../utils/ssrf');
 const fsPromises = require('fs').promises;
 
 // Ensure the temp directory exists
@@ -195,7 +195,9 @@ async function downloadImageFromUrl(url, filePath) {
             reject(new Error('Download timeout after 30 seconds'));
         }, 30000);
 
+        const agent = getSafeAxiosConfig().httpsAgent;
         https.get(url, {
+            agent,
             headers: {
                 'User-Agent': 'Discord-OSINT-Assistant/2.0 (Image-Analyzer)'
             }
diff --git a/commands/extract-links.js b/commands/extract-links.js
@@ -23,7 +23,7 @@ const os = require('os');
 const { SlashCommandBuilder, AttachmentBuilder } = require('discord.js');
 const axios = require('axios');
 const cheerio = require('cheerio');
-const { validateUrlNotInternal } = require('../utils/ssrf');
+const { validateUrlNotInternal, getSafeAxiosConfig } = require('../utils/ssrf');
 
 /**
  * Escapes special HTML characters in a string to prevent Cross-Site Scripting (XSS).
@@ -125,7 +125,8 @@ module.exports = {
                 headers: {
                     'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36',
                     'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
-                }
+                },
+                ...getSafeAxiosConfig()
             });
             const html = response.data;
 
diff --git a/commands/favicons.js b/commands/favicons.js
@@ -46,7 +46,7 @@
 
 const { SlashCommandBuilder, AttachmentBuilder, EmbedBuilder } = require('discord.js');
 const axios = require('axios');
-const { validateUrlNotInternal } = require('../utils/ssrf');
+const { validateUrlNotInternal, getSafeAxiosConfig } = require('../utils/ssrf');
 const cheerio = require('cheerio');
 const fs = require('fs').promises;
 const fsSync = require('fs');
@@ -239,7 +239,8 @@ const downloadFavicon = async (faviconUrl) => {
             'User-Agent': CONFIG.USER_AGENT,
             'Accept': 'image/*,*/*;q=0.8'
         },
-        validateStatus: (status) => status >= 200 && status < 400
+        validateStatus: (status) => status >= 200 && status < 400,
+        ...getSafeAxiosConfig()
     });
     
     const contentType = response.headers['content-type'] || '';
@@ -396,7 +397,8 @@ module.exports = {
                     timeout: CONFIG.REQUEST_TIMEOUT,
                     headers: { 'User-Agent': CONFIG.USER_AGENT },
                     maxRedirects: 5,
-                    validateStatus: (status) => status >= 200 && status < 400
+                    validateStatus: (status) => status >= 200 && status < 400,
+                    ...getSafeAxiosConfig()
                 });
                 
                 html = response.data;
diff --git a/commands/jwt.js b/commands/jwt.js
@@ -386,11 +386,7 @@ module.exports = {
             const errorEmbed = createResultEmbed('❌ Error', errorMessage, errorColor);
             
             if (error.stderr) {
-                errorEmbed.addFields({
-                    name: 'Technical Details',
-                    value: `\`\`\`\n${error.stderr.substring(0, 500)}\n\`\`\``,
-                    inline: false
-                });
+                console.error('JWT tool stderr:', error.stderr);
             }
 
             await interaction.editReply({ embeds: [errorEmbed] });
diff --git a/commands/monitor.js b/commands/monitor.js
@@ -26,7 +26,7 @@
 const { SlashCommandBuilder } = require('discord.js');
 const axios = require('axios');
 const crypto = require('crypto');
-const { validateUrlNotInternal } = require('../utils/ssrf');
+const { validateUrlNotInternal, getSafeAxiosConfig } = require('../utils/ssrf');
 
 const MONITOR_CHANNEL_ID = process.env.MONITOR_CHANNEL_ID;
 
@@ -42,7 +42,7 @@ function hashContent(content) {
 async function checkWebsite(url, client) {
     try {
         await validateUrlNotInternal(url);
-        const response = await axios.get(url);
+        const response = await axios.get(url, getSafeAxiosConfig());
         const newHash = hashContent(response.data);
         
         if (monitoredUrls.has(url) && monitoredUrls.get(url) !== newHash) {
diff --git a/commands/nike.js b/commands/nike.js
@@ -337,7 +337,8 @@ module.exports = {
         console.error('Error creating report file:', err);
         
         // Build a fallback text response
-        let replyMessage = `Found ${objects.length} results for "${searchString}", but couldn't create HTML report: ${err.message}\n\n`;
+        console.error('Nike HTML report error:', err);
+        let replyMessage = `Found ${objects.length} results for "${searchString}", but couldn't create HTML report.\n\n`;
         
         objects.forEach((account, i) => {
           const {
diff --git a/commands/recon-web.js b/commands/recon-web.js
@@ -21,7 +21,7 @@
 
 const { SlashCommandBuilder, EmbedBuilder, ActionRowBuilder, ButtonBuilder, ButtonStyle, AttachmentBuilder } = require('discord.js');
 const axios = require('axios');
-const { validateUrlNotInternal } = require('../utils/ssrf');
+const { validateUrlNotInternal, getSafeAxiosConfig } = require('../utils/ssrf');
 const { isValidDomain } = require('../utils/validation');
 const cheerio = require('cheerio');
 const fs = require('fs');
@@ -153,7 +153,7 @@ module.exports = {
                             );
                             await interaction.editReply({ embeds: [embed] });
                             
-                            const crtshResponse = await axios.get(`https://crt.sh/json?q=${domain}`);
+                            const crtshResponse = await axios.get(`https://crt.sh/json?q=${domain}`, getSafeAxiosConfig());
                             const certs = crtshResponse.data;
                             
                             if (certs && certs.length > 0) {
@@ -214,7 +214,7 @@ module.exports = {
                             
                             const waybackResponse = await axios.get(
                                 `https://web.archive.org/cdx/search/cdx?fl=original&collapse=urlkey&url=*.${domain}`,
-                                { responseType: 'text' }
+                                { responseType: 'text', ...getSafeAxiosConfig() }
                             );
                             
                             const urls = waybackResponse.data.trim().split('\n');
@@ -285,7 +285,7 @@ module.exports = {
                             const domainName = sanitizeFilenameComponent(rawDomainName);
 
                             // Fetch the webpage content
-                            const response = await axios.get(targetUrl);
+                            const response = await axios.get(targetUrl, getSafeAxiosConfig());
                             const html = response.data;
 
                             // Use cheerio to parse HTML
@@ -337,7 +337,7 @@ module.exports = {
                             }
                             
                             // Download the favicon
-                            const faviconResponse = await axios.get(faviconData.url, { responseType: 'arraybuffer' });
+                            const faviconResponse = await axios.get(faviconData.url, { responseType: 'arraybuffer', ...getSafeAxiosConfig() });
                             const contentType = faviconResponse.headers['content-type'] || '';
                             
                             // If it's an image, save it
diff --git a/commands/redirect-chain.js b/commands/redirect-chain.js
@@ -11,7 +11,7 @@
 
 const { SlashCommandBuilder, EmbedBuilder, AttachmentBuilder } = require('discord.js');
 const axios = require('axios');
-const { validateUrlNotInternal } = require('../utils/ssrf');
+const { validateUrlNotInternal, getSafeAxiosConfig } = require('../utils/ssrf');
 const { isValidUrl } = require('../utils/validation');
 const fs = require('fs');
 const path = require('path');
@@ -468,8 +468,12 @@ async function analyzeRedirectChain(url, includeHeaders = false, timeout = 10000
                 // It's a redirect
                 const location = response.headers.location;
                 const redirectUrl = new URL(location, currentUrl).href;
+
+                // Re-validate redirect target against SSRF
+                await validateUrlNotInternal(redirectUrl);
+
                 redirectInfo.url = redirectUrl;
-                
+
                 redirectChain.push(redirectInfo);
                 currentUrl = redirectUrl;
                 
@@ -532,7 +536,7 @@ async function robustRequest(url, options, maxRetries = 3) {
     
     for (let i = 0; i < maxRetries; i++) {
         try {
-            return await axios.get(url, options);
+            return await axios.get(url, { ...options, ...getSafeAxiosConfig() });
         } catch (error) {
             lastError = error;
             
@@ -785,7 +789,8 @@ async function analyzeContent(url, headers) {
             maxContentLength: 1024 * 1024, // 1MB limit
             headers: {
                 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
-            }
+            },
+            ...getSafeAxiosConfig()
         });
         
         const html = response.data;
@@ -1060,7 +1065,7 @@ async function notifyWebhook(url, result, suspiciousIndicators) {
             }]
         };
         
-        await axios.post(process.env.SECURITY_WEBHOOK_URL, payload);
+        await axios.post(process.env.SECURITY_WEBHOOK_URL, payload, getSafeAxiosConfig());
     } catch (error) {
         console.error('Failed to send webhook notification:', error);
     }
diff --git a/index.js b/index.js
@@ -16,7 +16,7 @@ const { Client, Collection, GatewayIntentBits, Events, MessageFlags } = require(
 const fs = require('node:fs');
 const path = require('node:path');
 const { checkPermission } = require('./utils/permissions');
-const { checkRateLimit, recordUsage } = require('./utils/ratelimit');
+const { checkRateLimit } = require('./utils/ratelimit');
 
 // Validate environment variables via centralized config
 const { loadConfig } = require('./utils/config');
@@ -114,9 +114,6 @@ client.on(Events.InteractionCreate, async interaction => {
         return interaction.reply({ content: rateLimitReason, flags: MessageFlags.Ephemeral });
     }
 
-    // Record usage immediately to prevent concurrent bypass
-    recordUsage(interaction.user.id, interaction.commandName);
-
     // Log command usage for audit purposes
     const timestamp = new Date().toISOString();
     const userInfo = `${interaction.user.tag} (${interaction.user.id})`;
diff --git a/tests/utils/ratelimit.test.js b/tests/utils/ratelimit.test.js
@@ -10,27 +10,35 @@ beforeEach(async () => {
 });
 
 describe('checkRateLimit', () => {
+    // Use unique user IDs per test to avoid state leaking between tests
+    // (ES module caching means internal Maps persist across beforeEach)
+
     it('allows first command use', () => {
-        const result = checkRateLimit('user1', 'bob-dns');
+        const result = checkRateLimit('user-first', 'bob-dns');
         expect(result.limited).toBe(false);
     });
 
-    it('blocks rapid repeat of same command', () => {
-        recordUsage('user1', 'bob-nuclei');
-        const result = checkRateLimit('user1', 'bob-nuclei');
+    it('blocks rapid repeat of same command (atomic check-and-record)', () => {
+        // First call passes and atomically records usage
+        const first = checkRateLimit('user-repeat', 'bob-nuclei');
+        expect(first.limited).toBe(false);
+        // Second call should be blocked because usage was already recorded
+        const result = checkRateLimit('user-repeat', 'bob-nuclei');
         expect(result.limited).toBe(true);
         expect(result.retryAfter).toBeGreaterThan(0);
     });
 
     it('allows different commands from same user', () => {
-        recordUsage('user1', 'bob-nuclei');
-        const result = checkRateLimit('user1', 'bob-dns');
+        // Records usage for bob-nuclei atomically
+        checkRateLimit('user-diffcmd', 'bob-nuclei');
+        const result = checkRateLimit('user-diffcmd', 'bob-dns');
         expect(result.limited).toBe(false);
     });
 
     it('allows same command from different users', () => {
-        recordUsage('user1', 'bob-nuclei');
-        const result = checkRateLimit('user2', 'bob-nuclei');
+        // Records usage for user-a atomically
+        checkRateLimit('user-a', 'bob-nuclei');
+        const result = checkRateLimit('user-b', 'bob-nuclei');
         expect(result.limited).toBe(false);
     });
 });
diff --git a/tests/utils/ssrf.test.js b/tests/utils/ssrf.test.js
@@ -32,4 +32,16 @@ describe('isPrivateIp', () => {
         expect(isPrivateIp('fe80::1')).toBe(true);
         expect(isPrivateIp('fd00::1')).toBe(true);
     });
+    it('detects IPv4-mapped IPv6 private addresses', () => {
+        expect(isPrivateIp('::ffff:127.0.0.1')).toBe(true);
+        expect(isPrivateIp('::ffff:10.0.0.1')).toBe(true);
+        expect(isPrivateIp('::ffff:192.168.1.1')).toBe(true);
+        expect(isPrivateIp('::ffff:172.16.0.1')).toBe(true);
+        expect(isPrivateIp('::ffff:169.254.169.254')).toBe(true);
+    });
+    it('allows IPv4-mapped IPv6 public addresses', () => {
+        expect(isPrivateIp('::ffff:8.8.8.8')).toBe(false);
+        expect(isPrivateIp('::ffff:1.1.1.1')).toBe(false);
+        expect(isPrivateIp('::ffff:93.184.216.34')).toBe(false);
+    });
 });
diff --git a/utils/ratelimit.js b/utils/ratelimit.js
@@ -50,7 +50,9 @@ const dailyCounts = new Map();
 const MAX_TRACKED_USERS = 10000;
 
 /**
- * Check if a user is rate limited for a command.
+ * Atomically check rate limit AND record usage if not limited.
+ * Returns { limited, retryAfter?, reason? } — if not limited, usage is already recorded.
+ * This prevents TOCTOU races where concurrent requests all pass the check.
  * @param {string} userId
  * @param {string} commandName
  * @returns {{ limited: boolean, retryAfter?: number, reason?: string }}
@@ -78,6 +80,28 @@ function checkRateLimit(userId, commandName) {
         }
     }
 
+    // Record usage atomically with the check to prevent concurrent bypass
+    if (!cooldowns.has(userId)) {
+        cooldowns.set(userId, new Map());
+    }
+    cooldowns.get(userId).set(commandName, now);
+
+    if (daily && daily.date === today) {
+        daily.count++;
+    } else {
+        dailyCounts.set(userId, { date: today, count: 1 });
+    }
+
+    // Prune if too many users tracked
+    if (cooldowns.size > MAX_TRACKED_USERS) {
+        const firstKey = cooldowns.keys().next().value;
+        cooldowns.delete(firstKey);
+    }
+    if (dailyCounts.size > MAX_TRACKED_USERS) {
+        const firstKey = dailyCounts.keys().next().value;
+        dailyCounts.delete(firstKey);
+    }
+
     return { limited: false };
 }
 
diff --git a/utils/ssrf.js b/utils/ssrf.js

Original file line number	Diff line number	Diff line change
`@@ -172,13 +172,15 @@ module.exports = {`
`172`	`172`	`return interaction.editReply('Rate limit exceeded. Please try again later.');`
`173`	`173`	`}`
`174`	`174`
`175`		- return interaction.editReply(`API Error (${apiError.response.status}): ${apiError.response.data.error?.info \|\| 'Failed to fetch flight data'}`);
	`175`	`+ console.error('Aviation API error:', apiError.response?.data);`
	`176`	`+ return interaction.editReply('The aviation API returned an error. Please try again later.');`
`176`	`177`	`} else if (apiError.request) {`
`177`	`178`	`// No response received`
`178`	`179`	`return interaction.editReply('Could not connect to flight data service. Please try again later.');`
`179`	`180`	`} else {`
`180`	`181`	`// Other error`
`181`		- return interaction.editReply(`Error fetching flight data: ${apiError.message}`);
	`182`	`+ console.error('Aviation fetch error:', apiError);`
	`183`	`+ return interaction.editReply('An error occurred while fetching flight data. Please try again later.');`
`182`	`184`	`}`
`183`	`185`	`}`
`184`	`186`	`} catch (commandError) {`