Files
santifer--career-ops/liveness-browser.mjs
T
wehub-resource-sync d083df1fdb
CodeQL Analysis / Analyze (javascript-typescript) (push) Failing after 2s
Web CI / web typecheck + build (push) Failing after 1s
Release Please / release-please (push) Failing after 1s
CodeQL Analysis / Analyze (go) (push) Failing after 16s
chore: import upstream snapshot with attribution
2026-07-13 12:02:43 +08:00

254 lines
9.9 KiB
JavaScript

/**
* liveness-browser.mjs — Playwright-driven liveness check for a single URL.
*
* Shared by check-liveness.mjs (CLI tool) and scan.mjs (--verify flag).
* Returns the same shape as classifyLiveness: { result, reason }.
*/
import { classifyLiveness } from './liveness-core.mjs';
const NAVIGATE_TIMEOUT_MS = 15_000;
const HYDRATION_WAIT_MS = 2_000;
// The default Playwright headless UA contains "HeadlessChrome", which Cloudflare
// and similar WAFs flag — portals like pracuj.pl then serve a 403 challenge page
// instead of the posting. Presenting a normal desktop Chrome UA clears the wall
// headlessly (the scan parser scripts/parsers/pracuj-jobs.mjs relies on the same
// trick), so the common case never needs the slower headed-browser fallback.
export const LIVENESS_CONTEXT_OPTIONS = {
userAgent:
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
locale: 'en-US',
};
// Open a page in a context that already presents a realistic UA. Both callers use
// this instead of browser.newPage() so headless checks aren't instantly bot-walled.
export async function newLivenessPage(browser) {
const context = await browser.newContext(LIVENESS_CONTEXT_OPTIONS);
return context.newPage();
}
export const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
// Throttle delay with jitter: a value in [baseMs, 2*baseMs). Spacing requests out
// (and randomizing the gap) keeps a bulk run under rate-based WAF thresholds —
// pracuj.pl's Cloudflare flags the session after ~2 rapid hits, after which even
// headed retries are blocked. A randomized gap also avoids a fixed-cadence
// fingerprint. Returns 0 for a non-positive base (throttling disabled).
export function jitteredDelayMs(baseMs) {
if (!baseMs || baseMs <= 0) return 0;
return baseMs + Math.floor(Math.random() * baseMs);
}
// Defensive guards: URLs come from ATS feeds (mostly trusted) but a misconfigured
// portals.yml entry or a hijacked feed shouldn't be able to point Playwright at
// internal infrastructure. Only allow http(s) and reject loopback/private/link-local.
//
// The hostname coming out of `new URL(...)` needs normalization before the regex
// pass, because the WHATWG URL parser surfaces several encodings that bypass a
// naive match against `parsed.hostname`:
// 1. IPv6 hosts are serialized with brackets — `new URL('http://[::1]/').hostname`
// is `'[::1]'`, so a regex like `/^::1$/` never fires unless brackets are stripped.
// 2. FQDN trailing dot is preserved — `localhost.` reaches the network as
// localhost, but `/^localhost$/` doesn't match it.
// 3. IPv4-mapped IPv6 (`::ffff:127.0.0.1` or the hex form `::ffff:7f00:1`)
// routes to the embedded IPv4 in Chromium, so the embedded address must
// also be matched against the IPv4 block list.
// `0.0.0.0` and the all-zeros IPv6 `::` both reach loopback on Linux and need
// explicit entries; the original list omitted them.
const PRIVATE_HOST_PATTERNS = [
/^localhost$/,
/^localhost\.localdomain$/,
/^0\.0\.0\.0$/,
/^127\./,
/^10\./,
/^192\.168\./,
/^172\.(1[6-9]|2\d|3[01])\./,
/^169\.254\./,
/^::1$/,
/^::$/,
/^fc[0-9a-f]{2}:/,
/^fe80:/,
];
// Lowercase, strip IPv6 brackets, strip FQDN trailing dot. The `hostname`
// returned by `new URL(...)` is already percent-decoded and IDNA-normalized,
// but it preserves brackets around IPv6 hosts and trailing dots on FQDNs.
function normalizeHost(rawHostname) {
if (!rawHostname) return '';
let h = String(rawHostname).toLowerCase();
if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
if (h.endsWith('.')) h = h.slice(0, -1);
return h;
}
// IPv4-mapped IPv6 (RFC 4291 §2.5.5.2): `::ffff:0:0/96` routes to the embedded
// IPv4 address. Two textual forms — dotted (`::ffff:127.0.0.1`) and pure-hex
// (`::ffff:7f00:1`). Return the embedded IPv4 in dotted-decimal form, or null
// if `host` is not an IPv4-mapped IPv6.
function extractMappedIPv4(host) {
const dotted = host.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
if (dotted) return dotted[1];
const hex = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
if (hex) {
const a = parseInt(hex[1], 16);
const b = parseInt(hex[2], 16);
return `${(a >> 8) & 0xff}.${a & 0xff}.${(b >> 8) & 0xff}.${b & 0xff}`;
}
return null;
}
// Returns null when the URL is safe to fetch, otherwise a structured guard
// result with a stable `code` (used for routing in scan.mjs) plus a human
// `reason`. Stable codes — not regex on reason strings — drive downstream
// dispatch so the wording can change freely without breaking callers.
//
// Exported for unit tests; the main entry point is checkUrlLiveness.
export function rejectPrivateOrInvalid(url) {
let parsed;
try {
parsed = new URL(url);
} catch {
return { code: 'invalid_url', reason: 'invalid URL' };
}
if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
return { code: 'unsupported_protocol', reason: `unsupported protocol ${parsed.protocol}` };
}
const host = normalizeHost(parsed.hostname);
const mappedIPv4 = extractMappedIPv4(host);
const candidates = mappedIPv4 ? [host, mappedIPv4] : [host];
for (const candidate of candidates) {
if (PRIVATE_HOST_PATTERNS.some((pattern) => pattern.test(candidate))) {
return { code: 'blocked_host', reason: `blocked host ${parsed.hostname}` };
}
}
return null;
}
export async function checkUrlLiveness(page, url, { extraSettleMs = 0 } = {}) {
const guardError = rejectPrivateOrInvalid(url);
if (guardError) {
return { result: 'uncertain', code: guardError.code, reason: guardError.reason };
}
try {
const response = await page.goto(url, { waitUntil: 'domcontentloaded', timeout: NAVIGATE_TIMEOUT_MS });
const status = response?.status() ?? 0;
// Give SPAs (Ashby, Lever, Workday) time to hydrate. extraSettleMs adds slack
// for the headed retry, where a JS anti-bot interstitial needs a moment to clear.
await page.waitForTimeout(HYDRATION_WAIT_MS + extraSettleMs);
const finalUrl = page.url();
const bodyText = await page.evaluate(() => document.body?.innerText ?? '');
const applyControls = await page.evaluate(() => {
const candidates = Array.from(
document.querySelectorAll('a, button, input[type="submit"], input[type="button"], [role="button"]')
);
return candidates
.filter((element) => {
if (element.closest('nav, header, footer')) return false;
if (element.closest('[aria-hidden="true"]')) return false;
const style = window.getComputedStyle(element);
if (style.display === 'none' || style.visibility === 'hidden') return false;
if (!element.getClientRects().length) return false;
return Array.from(element.getClientRects()).some((rect) => rect.width > 0 && rect.height > 0);
})
.map((element) => {
const label = [
element.innerText,
element.value,
element.getAttribute('aria-label'),
element.getAttribute('title'),
]
.filter(Boolean)
.join(' ')
.replace(/\s+/g, ' ')
.trim();
return label;
})
.filter(Boolean);
});
return classifyLiveness({ status, requestedUrl: url, finalUrl, bodyText, applyControls });
} catch (err) {
// Transient failures (timeout, DNS, TLS, 5xx) shouldn't be treated as expired —
// doing so would cause scan --verify to drop the URL and write it to scan-history,
// permanently filtering it out on subsequent scans.
return {
result: 'uncertain',
code: 'navigation_error',
reason: `navigation error: ${err.message.split('\n')[0]}`,
};
}
}
// Anti-bot results that a headed browser may be able to get past. A real (headed)
// Chromium clears the JS/Cloudflare challenge that headless trips on (e.g. pracuj.pl).
const CHALLENGE_CODES = new Set(['bot_challenge', 'access_blocked']);
export function isChallengeResult(result) {
return result?.result === 'uncertain' && CHALLENGE_CODES.has(result.code);
}
// Lazily owns a single headed browser/page, created only on first use and reused
// across URLs. Headed Chromium needs a display, so launch can fail in headless/CI
// environments — in that case get() returns null and callers degrade to the
// headless result (challenge stays uncertain, never falsely expired).
export function createHeadedPageProvider(chromium) {
let browser = null;
let page = null;
let launchFailed = false;
return {
async get() {
if (page) return page;
if (launchFailed) return null;
try {
browser = await chromium.launch({ headless: false });
const context = await browser.newContext(LIVENESS_CONTEXT_OPTIONS);
page = await context.newPage();
return page;
} catch {
launchFailed = true;
browser = null;
page = null;
return null;
}
},
async close() {
if (browser) {
try {
await browser.close();
} catch {
// best-effort teardown
}
}
browser = null;
page = null;
},
};
}
// Runs the headless check, then retries once in a headed browser if the page was
// blocked by an anti-bot wall. The headed result wins when it actually sees the
// page; if the retry is still blocked (or no headed page is available) the
// original uncertain result is kept — we never upgrade a block to expired.
export async function checkUrlLivenessWithFallback(page, url, { getHeadedPage } = {}) {
const first = await checkUrlLiveness(page, url);
if (!getHeadedPage || !isChallengeResult(first)) {
return first;
}
const headedPage = await getHeadedPage();
if (!headedPage) {
return first;
}
const second = await checkUrlLiveness(headedPage, url, { extraSettleMs: 3_000 });
if (isChallengeResult(second)) {
return { ...second, reason: `${second.reason} (headed retry also blocked)` };
}
return second;
}