refactor(net): unify proxy env checks and guarded fetch modes

2026-05-11 03:24:32 +00:00 · 2026-03-02 16:24:20 +00:00
parent a229ae6c3e
commit c973b053a5
12 changed files with 129 additions and 117 deletions
--- a/src/slack/send.ts
+++ b/src/slack/send.ts
@@ -8,7 +8,10 @@ import { isSilentReplyText } from "../auto-reply/tokens.js";
 import { loadConfig } from "../config/config.js";
 import { resolveMarkdownTableMode } from "../config/markdown-tables.js";
 import { logVerbose } from "../globals.js";
-import { fetchWithSsrFGuard } from "../infra/net/fetch-guard.js";
+import {
+  fetchWithSsrFGuard,
+  withTrustedEnvProxyGuardedFetchMode,
+} from "../infra/net/fetch-guard.js";
 import { loadWebMedia } from "../web/media.js";
 import type { SlackTokenSource } from "./accounts.js";
 import { resolveSlackAccount } from "./accounts.js";
@@ -211,18 +214,18 @@ async function uploadSlackFile(params: {

  // Upload the file content to the presigned URL
  const uploadBody = new Uint8Array(buffer) as BodyInit;
-  const { response: uploadResp, release } = await fetchWithSsrFGuard({
-    url: uploadUrlResp.upload_url,
-    init: {
-      method: "POST",
-      ...(contentType ? { headers: { "Content-Type": contentType } } : {}),
-      body: uploadBody,
-    },
-    policy: SLACK_UPLOAD_SSRF_POLICY,
-    proxy: "env",
-    dangerouslyAllowEnvProxyWithoutPinnedDns: true,
-    auditContext: "slack-upload-file",
-  });
+  const { response: uploadResp, release } = await fetchWithSsrFGuard(
+    withTrustedEnvProxyGuardedFetchMode({
+      url: uploadUrlResp.upload_url,
+      init: {
+        method: "POST",
+        ...(contentType ? { headers: { "Content-Type": contentType } } : {}),
+        body: uploadBody,
+      },
+      policy: SLACK_UPLOAD_SSRF_POLICY,
+      auditContext: "slack-upload-file",
+    }),
+  );
  try {
    if (!uploadResp.ok) {
      throw new Error(`Failed to upload file: HTTP ${uploadResp.status}`);
--- a/src/slack/send.upload.test.ts
+++ b/src/slack/send.upload.test.ts
@@ -16,6 +16,10 @@ const fetchWithSsrFGuard = vi.fn(
 vi.mock("../infra/net/fetch-guard.js", () => ({
  fetchWithSsrFGuard: (...args: unknown[]) =>
    fetchWithSsrFGuard(...(args as [params: { url: string; init?: RequestInit }])),
+  withTrustedEnvProxyGuardedFetchMode: (params: Record<string, unknown>) => ({
+    ...params,
+    mode: "trusted_env_proxy",
+  }),
 }));

 vi.mock("../web/media.js", () => ({
@@ -167,8 +171,7 @@ describe("sendMessageSlack file upload with user IDs", () => {
    expect(fetchWithSsrFGuard).toHaveBeenCalledWith(
      expect.objectContaining({
        url: "https://uploads.slack.test/upload",
-        proxy: "env",
-        dangerouslyAllowEnvProxyWithoutPinnedDns: true,
+        mode: "trusted_env_proxy",
        auditContext: "slack-upload-file",
      }),
    );