Merge aa54fa9a7b9262adffa59fd338e4daaf72d3611b into 5e417b44e1540f528d2ae63e3e20229a902d1db2

2026-03-21 02:35:26 +00:00 · 2026-03-21 02:35:26 +00:00 · b8fac7f128
commit b8fac7f128
parent 5e417b44e1 aa54fa9a7b
2 changed files with 26 additions and 1 deletions
--- a/src/infra/net/ssrf.dispatcher.test.ts
+++ b/src/infra/net/ssrf.dispatcher.test.ts
@ -210,9 +210,29 @@ describe("createPinnedDispatcher", () => {

    expect(proxyAgentCtor).toHaveBeenCalledWith({
      uri: "http://127.0.0.1:7890",
+      requestTls: { lookup },
      proxyTls: {
        autoSelectFamily: false,
      },
    });
  });
+
+  it("passes pinned lookup via requestTls when proxyTls is absent", () => {
+    const lookup = vi.fn() as unknown as PinnedHostname["lookup"];
+    const pinned: PinnedHostname = {
+      hostname: "api.telegram.org",
+      addresses: ["149.154.167.220"],
+      lookup,
+    };
+
+    createPinnedDispatcher(pinned, {
+      mode: "explicit-proxy",
+      proxyUrl: "http://127.0.0.1:7890",
+    });
+
+    expect(proxyAgentCtor).toHaveBeenCalledWith({
+      uri: "http://127.0.0.1:7890",
+      requestTls: { lookup },
+    });
+  });
 });
--- a/src/infra/net/ssrf.ts
+++ b/src/infra/net/ssrf.ts
@ -416,11 +416,16 @@ export function createPinnedDispatcher(
  }

  const proxyUrl = policy.proxyUrl.trim();
+  // Always pass the pinned lookup via requestTls so DNS resolution for the
+  // origin server goes through the SSRF-safe pinned lookup, not the default
+  // resolver.  Without this, ProxyAgent bypasses DNS pinning (#46685).
+  const requestTls = withPinnedLookup(pinned.lookup);
  if (!policy.proxyTls) {
-    return new ProxyAgent(proxyUrl);
+    return new ProxyAgent({ uri: proxyUrl, requestTls });
  }
  return new ProxyAgent({
    uri: proxyUrl,
+    requestTls,
    proxyTls: { ...policy.proxyTls },
  });
 }