254 lines
9.9 KiB
JavaScript
254 lines
9.9 KiB
JavaScript
/**
|
|
* liveness-browser.mjs — Playwright-driven liveness check for a single URL.
|
|
*
|
|
* Shared by check-liveness.mjs (CLI tool) and scan.mjs (--verify flag).
|
|
* Returns the same shape as classifyLiveness: { result, reason }.
|
|
*/
|
|
|
|
import { classifyLiveness } from './liveness-core.mjs';
|
|
|
|
const NAVIGATE_TIMEOUT_MS = 15_000;
|
|
const HYDRATION_WAIT_MS = 2_000;
|
|
|
|
// The default Playwright headless UA contains "HeadlessChrome", which Cloudflare
|
|
// and similar WAFs flag — portals like pracuj.pl then serve a 403 challenge page
|
|
// instead of the posting. Presenting a normal desktop Chrome UA clears the wall
|
|
// headlessly (the scan parser scripts/parsers/pracuj-jobs.mjs relies on the same
|
|
// trick), so the common case never needs the slower headed-browser fallback.
|
|
export const LIVENESS_CONTEXT_OPTIONS = {
|
|
userAgent:
|
|
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
|
|
locale: 'en-US',
|
|
};
|
|
|
|
// Open a page in a context that already presents a realistic UA. Both callers use
|
|
// this instead of browser.newPage() so headless checks aren't instantly bot-walled.
|
|
export async function newLivenessPage(browser) {
|
|
const context = await browser.newContext(LIVENESS_CONTEXT_OPTIONS);
|
|
return context.newPage();
|
|
}
|
|
|
|
export const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
|
|
|
|
// Throttle delay with jitter: a value in [baseMs, 2*baseMs). Spacing requests out
|
|
// (and randomizing the gap) keeps a bulk run under rate-based WAF thresholds —
|
|
// pracuj.pl's Cloudflare flags the session after ~2 rapid hits, after which even
|
|
// headed retries are blocked. A randomized gap also avoids a fixed-cadence
|
|
// fingerprint. Returns 0 for a non-positive base (throttling disabled).
|
|
export function jitteredDelayMs(baseMs) {
|
|
if (!baseMs || baseMs <= 0) return 0;
|
|
return baseMs + Math.floor(Math.random() * baseMs);
|
|
}
|
|
|
|
// Defensive guards: URLs come from ATS feeds (mostly trusted) but a misconfigured
|
|
// portals.yml entry or a hijacked feed shouldn't be able to point Playwright at
|
|
// internal infrastructure. Only allow http(s) and reject loopback/private/link-local.
|
|
//
|
|
// The hostname coming out of `new URL(...)` needs normalization before the regex
|
|
// pass, because the WHATWG URL parser surfaces several encodings that bypass a
|
|
// naive match against `parsed.hostname`:
|
|
// 1. IPv6 hosts are serialized with brackets — `new URL('http://[::1]/').hostname`
|
|
// is `'[::1]'`, so a regex like `/^::1$/` never fires unless brackets are stripped.
|
|
// 2. FQDN trailing dot is preserved — `localhost.` reaches the network as
|
|
// localhost, but `/^localhost$/` doesn't match it.
|
|
// 3. IPv4-mapped IPv6 (`::ffff:127.0.0.1` or the hex form `::ffff:7f00:1`)
|
|
// routes to the embedded IPv4 in Chromium, so the embedded address must
|
|
// also be matched against the IPv4 block list.
|
|
// `0.0.0.0` and the all-zeros IPv6 `::` both reach loopback on Linux and need
|
|
// explicit entries; the original list omitted them.
|
|
const PRIVATE_HOST_PATTERNS = [
|
|
/^localhost$/,
|
|
/^localhost\.localdomain$/,
|
|
/^0\.0\.0\.0$/,
|
|
/^127\./,
|
|
/^10\./,
|
|
/^192\.168\./,
|
|
/^172\.(1[6-9]|2\d|3[01])\./,
|
|
/^169\.254\./,
|
|
/^::1$/,
|
|
/^::$/,
|
|
/^fc[0-9a-f]{2}:/,
|
|
/^fe80:/,
|
|
];
|
|
|
|
// Lowercase, strip IPv6 brackets, strip FQDN trailing dot. The `hostname`
|
|
// returned by `new URL(...)` is already percent-decoded and IDNA-normalized,
|
|
// but it preserves brackets around IPv6 hosts and trailing dots on FQDNs.
|
|
function normalizeHost(rawHostname) {
|
|
if (!rawHostname) return '';
|
|
let h = String(rawHostname).toLowerCase();
|
|
if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
|
|
if (h.endsWith('.')) h = h.slice(0, -1);
|
|
return h;
|
|
}
|
|
|
|
// IPv4-mapped IPv6 (RFC 4291 §2.5.5.2): `::ffff:0:0/96` routes to the embedded
|
|
// IPv4 address. Two textual forms — dotted (`::ffff:127.0.0.1`) and pure-hex
|
|
// (`::ffff:7f00:1`). Return the embedded IPv4 in dotted-decimal form, or null
|
|
// if `host` is not an IPv4-mapped IPv6.
|
|
function extractMappedIPv4(host) {
|
|
const dotted = host.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
|
|
if (dotted) return dotted[1];
|
|
const hex = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
|
|
if (hex) {
|
|
const a = parseInt(hex[1], 16);
|
|
const b = parseInt(hex[2], 16);
|
|
return `${(a >> 8) & 0xff}.${a & 0xff}.${(b >> 8) & 0xff}.${b & 0xff}`;
|
|
}
|
|
return null;
|
|
}
|
|
|
|
// Returns null when the URL is safe to fetch, otherwise a structured guard
|
|
// result with a stable `code` (used for routing in scan.mjs) plus a human
|
|
// `reason`. Stable codes — not regex on reason strings — drive downstream
|
|
// dispatch so the wording can change freely without breaking callers.
|
|
//
|
|
// Exported for unit tests; the main entry point is checkUrlLiveness.
|
|
export function rejectPrivateOrInvalid(url) {
|
|
let parsed;
|
|
try {
|
|
parsed = new URL(url);
|
|
} catch {
|
|
return { code: 'invalid_url', reason: 'invalid URL' };
|
|
}
|
|
if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
|
|
return { code: 'unsupported_protocol', reason: `unsupported protocol ${parsed.protocol}` };
|
|
}
|
|
const host = normalizeHost(parsed.hostname);
|
|
const mappedIPv4 = extractMappedIPv4(host);
|
|
const candidates = mappedIPv4 ? [host, mappedIPv4] : [host];
|
|
for (const candidate of candidates) {
|
|
if (PRIVATE_HOST_PATTERNS.some((pattern) => pattern.test(candidate))) {
|
|
return { code: 'blocked_host', reason: `blocked host ${parsed.hostname}` };
|
|
}
|
|
}
|
|
return null;
|
|
}
|
|
|
|
export async function checkUrlLiveness(page, url, { extraSettleMs = 0 } = {}) {
|
|
const guardError = rejectPrivateOrInvalid(url);
|
|
if (guardError) {
|
|
return { result: 'uncertain', code: guardError.code, reason: guardError.reason };
|
|
}
|
|
try {
|
|
const response = await page.goto(url, { waitUntil: 'domcontentloaded', timeout: NAVIGATE_TIMEOUT_MS });
|
|
const status = response?.status() ?? 0;
|
|
|
|
// Give SPAs (Ashby, Lever, Workday) time to hydrate. extraSettleMs adds slack
|
|
// for the headed retry, where a JS anti-bot interstitial needs a moment to clear.
|
|
await page.waitForTimeout(HYDRATION_WAIT_MS + extraSettleMs);
|
|
|
|
const finalUrl = page.url();
|
|
const bodyText = await page.evaluate(() => document.body?.innerText ?? '');
|
|
const applyControls = await page.evaluate(() => {
|
|
const candidates = Array.from(
|
|
document.querySelectorAll('a, button, input[type="submit"], input[type="button"], [role="button"]')
|
|
);
|
|
|
|
return candidates
|
|
.filter((element) => {
|
|
if (element.closest('nav, header, footer')) return false;
|
|
if (element.closest('[aria-hidden="true"]')) return false;
|
|
|
|
const style = window.getComputedStyle(element);
|
|
if (style.display === 'none' || style.visibility === 'hidden') return false;
|
|
if (!element.getClientRects().length) return false;
|
|
|
|
return Array.from(element.getClientRects()).some((rect) => rect.width > 0 && rect.height > 0);
|
|
})
|
|
.map((element) => {
|
|
const label = [
|
|
element.innerText,
|
|
element.value,
|
|
element.getAttribute('aria-label'),
|
|
element.getAttribute('title'),
|
|
]
|
|
.filter(Boolean)
|
|
.join(' ')
|
|
.replace(/\s+/g, ' ')
|
|
.trim();
|
|
|
|
return label;
|
|
})
|
|
.filter(Boolean);
|
|
});
|
|
|
|
return classifyLiveness({ status, requestedUrl: url, finalUrl, bodyText, applyControls });
|
|
} catch (err) {
|
|
// Transient failures (timeout, DNS, TLS, 5xx) shouldn't be treated as expired —
|
|
// doing so would cause scan --verify to drop the URL and write it to scan-history,
|
|
// permanently filtering it out on subsequent scans.
|
|
return {
|
|
result: 'uncertain',
|
|
code: 'navigation_error',
|
|
reason: `navigation error: ${err.message.split('\n')[0]}`,
|
|
};
|
|
}
|
|
}
|
|
|
|
// Anti-bot results that a headed browser may be able to get past. A real (headed)
|
|
// Chromium clears the JS/Cloudflare challenge that headless trips on (e.g. pracuj.pl).
|
|
const CHALLENGE_CODES = new Set(['bot_challenge', 'access_blocked']);
|
|
|
|
export function isChallengeResult(result) {
|
|
return result?.result === 'uncertain' && CHALLENGE_CODES.has(result.code);
|
|
}
|
|
|
|
// Lazily owns a single headed browser/page, created only on first use and reused
|
|
// across URLs. Headed Chromium needs a display, so launch can fail in headless/CI
|
|
// environments — in that case get() returns null and callers degrade to the
|
|
// headless result (challenge stays uncertain, never falsely expired).
|
|
export function createHeadedPageProvider(chromium) {
|
|
let browser = null;
|
|
let page = null;
|
|
let launchFailed = false;
|
|
return {
|
|
async get() {
|
|
if (page) return page;
|
|
if (launchFailed) return null;
|
|
try {
|
|
browser = await chromium.launch({ headless: false });
|
|
const context = await browser.newContext(LIVENESS_CONTEXT_OPTIONS);
|
|
page = await context.newPage();
|
|
return page;
|
|
} catch {
|
|
launchFailed = true;
|
|
browser = null;
|
|
page = null;
|
|
return null;
|
|
}
|
|
},
|
|
async close() {
|
|
if (browser) {
|
|
try {
|
|
await browser.close();
|
|
} catch {
|
|
// best-effort teardown
|
|
}
|
|
}
|
|
browser = null;
|
|
page = null;
|
|
},
|
|
};
|
|
}
|
|
|
|
// Runs the headless check, then retries once in a headed browser if the page was
|
|
// blocked by an anti-bot wall. The headed result wins when it actually sees the
|
|
// page; if the retry is still blocked (or no headed page is available) the
|
|
// original uncertain result is kept — we never upgrade a block to expired.
|
|
export async function checkUrlLivenessWithFallback(page, url, { getHeadedPage } = {}) {
|
|
const first = await checkUrlLiveness(page, url);
|
|
if (!getHeadedPage || !isChallengeResult(first)) {
|
|
return first;
|
|
}
|
|
const headedPage = await getHeadedPage();
|
|
if (!headedPage) {
|
|
return first;
|
|
}
|
|
const second = await checkUrlLiveness(headedPage, url, { extraSettleMs: 3_000 });
|
|
if (isChallengeResult(second)) {
|
|
return { ...second, reason: `${second.reason} (headed retry also blocked)` };
|
|
}
|
|
return second;
|
|
}
|