| Name | Modified | Size |
|---|---|---|
| README.md | 2026-06-20 | 2.4 kB |
| v0.44.0 source code.tar.gz | 2026-06-20 | 2.9 MB |
| v0.44.0 source code.zip | 2026-06-20 | 3.6 MB |
| Totals: 3 items | | 6.5 MB |
A security-hardening release driven by a live black-box red-team engagement
against a running server: a slowloris fix in the Node adapter and an opt-in
SSRF DNS-pinning knob that closes the documented rebinding window for http:.
### Added

- `fetchGuard({ pinDns: true })` — DNS-rebinding (TOCTOU) protection for `http:`. The SSRF guard validates a hostname's resolved address and then, by default, hands the original `Request` to `fetch`, which re-resolves the hostname at connect time — the documented residual rebinding window. With `pinDns: true`, `http:` requests are dispatched through Node's built-in `node:http` with the socket pinned to the validated IP and the original `Host` header preserved (so virtual-host routing still works), so an attacker's TTL=0 rebind to `127.0.0.1`/`169.254.169.254` can no longer take effect between validation and connect. Scope: `http:` only (the prime metadata vector), Node only, opt-in (default `false` — zero behavior change for existing callers); `https:` retains the documented caveat. Covered by new tests in `tests/fetch-guard.test.ts` and a regression that proves re-encoded internal IPs (decimal/hex/octal/short form) are normalized and blocked.
### Security

- The Node adapter now enforces `connectionTimeoutMs` promptly (slowloris fix). `serve()` derived `headersTimeout`/`requestTimeout` from `connectionTimeoutMs`, but left Node's `connectionsCheckingInterval` at its 30-second default — so Node only checked for timed-out connections every 30s. A client that stalled (or trickled its request headers a byte at a time) held a socket open until the next sweep, far past the configured timeout. The adapter now lowers `connectionsCheckingInterval` to a fraction of `connectionTimeoutMs` (bounded to 1–5s), so a stalled connection is reaped with `408` close to its deadline. `connectionTimeoutMs: 0` still disables the timeouts entirely. This is a setup-time change only (no per-request hot-path cost) and the `connectionTimeoutMs` contract is unchanged. New regression tests in `tests/node-adapter.test.ts` cover the idle and active-trickle slowloris variants and the disable path. A live attack harness, `pnpm red-team:live`, reproduces the engagement end-to-end.
Full changelog: https://github.com/daloyjs/daloy/compare/v0.43.0...v0.44.0