From 27261fd5751c4c072b17b96dbf9e30be0898d62e Mon Sep 17 00:00:00 2001
From: Luke Karrys
Date: Fri, 6 Dec 2024 12:49:05 -0700
Subject: [PATCH] Only overwrite servername in tls connect when host is not an IP address
---
 packages/https-proxy-agent/src/index.ts | 32 +++++++++++++++----------
 packages/pac-proxy-agent/src/index.ts | 19 +++++++++++----
 packages/socks-proxy-agent/src/index.ts | 26 +++++++++++++-------
 3 files changed, 52 insertions(+), 25 deletions(-)
diff --git a/packages/https-proxy-agent/src/index.ts b/packages/https-proxy-agent/src/index.ts
index 272f7790..0930b77d 100644
--- a/packages/https-proxy-agent/src/index.ts
+++ b/packages/https-proxy-agent/src/index.ts
@@ -10,6 +10,17 @@ import type { OutgoingHttpHeaders } from 'http';
 const debug = createDebug('https-proxy-agent');
+const setServernameFromNonIpHost = <
+ T extends { host?: string; servername?: string }
+>(
+ options: T
+) => {
+ if (options.host && !net.isIP(options.host)) {
+ options.servername = options.host;
+ }
+ return options;
+};
+
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
 type Protocol = T extends `${infer Protocol}:${infer _}` ? Protocol : never;
@@ -92,12 +103,9 @@ export class HttpsProxyAgent extends Agent {
 let socket: net.Socket;
 if (proxy.protocol === 'https:') {
 debug('Creating `tls.Socket`: %o', this.connectOpts);
- const servername =
- this.connectOpts.servername || this.connectOpts.host;
- socket = tls.connect({
- ...this.connectOpts,
- servername,
- });
+ socket = tls.connect(
+ setServernameFromNonIpHost({ ...this.connectOpts })
+ );
 } else {
 debug('Creating `net.Socket`: %o', this.connectOpts);
 socket = net.connect(this.connectOpts);
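Review bot: `setServernameFromNonIpHost` (first hunk of `packages/https-proxy-agent/src/index.ts`) assigns `options.servername = options.host` for every non-IP host, so a `servername` the caller set explicitly is now discarded, whereas the removed code (`this.connectOpts.servername || this.connectOpts.host`) let it win. That value is the SNI name and, unless the caller supplies its own identity check, the name the peer certificate is verified against, so a caller that pins verification to a name different from the connect host silently loses that pin. The guard should keep the old precedence: `if (!options.servername && options.host && !net.isIP(options.host)) {`. The same helper is copied verbatim into the pac-proxy-agent and socks-proxy-agent hunks and needs the same change; a one-line comment on the helper saying that IP literals are skipped because they are not valid SNI names would also help.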
@@ -146,12 +154,12 @@ export class HttpsProxyAgent extends Agent {
 // The proxy is connecting to a TLS server, so upgrade
 // this socket connection to a TLS connection.
 debug('Upgrading socket connection to TLS');
- const servername = opts.servername || opts.host;
- return tls.connect({
- ...omit(opts, 'host', 'path', 'port'),
- socket,
- servername,
- });
+ return tls.connect(
+ setServernameFromNonIpHost({
+ ...omit(opts, 'host', 'path', 'port'),
+ socket,
+ })
+ );
 }
 return socket;
diff --git a/packages/pac-proxy-agent/src/index.ts b/packages/pac-proxy-agent/src/index.ts
index 585249ff..72aeb0d8 100644
--- a/packages/pac-proxy-agent/src/index.ts
+++ b/packages/pac-proxy-agent/src/index.ts
@@ -24,6 +24,17 @@ import { getQuickJS } from '@tootallnate/quickjs-emscripten';
 const debug = createDebug('pac-proxy-agent');
+const setServernameFromNonIpHost = <
+ T extends { host?: string; servername?: string }
+>(
+ options: T
+) => {
+ if (options.host && !net.isIP(options.host)) {
+ options.servername = options.host;
+ }
+ return options;
+};
+
 type Protocols = keyof typeof gProtocols;
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
@@ -238,11 +249,9 @@ export class PacProxyAgent extends Agent {
 if (type === 'DIRECT') {
 // Direct connection to the destination endpoint
 if (secureEndpoint) {
- const servername = opts.servername || opts.host;
- socket = tls.connect({
- ...opts,
- servername,
- });
+ socket = tls.connect(
+ setServernameFromNonIpHost({ ...opts })
+ );
 } else {
 socket = net.connect(opts);
 }
diff --git a/packages/socks-proxy-agent/src/index.ts b/packages/socks-proxy-agent/src/index.ts
index 7a911d20..86d608be 100644
--- a/packages/socks-proxy-agent/src/index.ts
+++ b/packages/socks-proxy-agent/src/index.ts
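Review bot: In the TLS-upgrade hunk of `packages/https-proxy-agent/src/index.ts` (`@@ -146,12 +154,12 @@`), the helper receives the result of `omit(opts, 'host', 'path', 'port')`, so `options.host` is always undefined there and the helper never sets `servername`. The removed line `opts.servername || opts.host` did fall back to the destination host; if `opts.servername` is not already populated, the upgraded connection now carries no servername for SNI and the certificate identity check falls back to whatever default `tls.connect` uses, which is worth pinning with a test. Applying the helper before the field is stripped keeps the fallback: `...omit(setServernameFromNonIpHost({ ...opts }), 'host', 'path', 'port'),`. The socks-proxy-agent upgrade hunk (`@@ -171,12 +181,12 @@`) has the same ordering, and both enclosing methods start and end outside their hunks.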
@@ -9,6 +9,17 @@ import { URL } from 'url';
 const debug = createDebug('socks-proxy-agent');
+const setServernameFromNonIpHost = <
+ T extends { host?: string; servername?: string }
+>(
+ options: T
+) => {
+ if (options.host && !net.isIP(options.host)) {
+ options.servername = options.host;
+ }
+ return options;
+};
+
 function parseSocksURL(url: URL): { lookup: boolean; proxy: SocksProxy } {
 let lookup = false;
 let type: SocksProxy['type'] = 5;
@@ -79,8 +90,7 @@ export type SocksProxyAgentOptions = Omit<
 'ipaddress' | 'host' | 'port' | 'type' | 'userId' | 'password'
 > & {
 socketOptions?: SocksSocketOptions;
-} &
- http.AgentOptions;
+} & http.AgentOptions;
 export class SocksProxyAgent extends Agent {
 static protocols = [
@@ -171,12 +181,12 @@ export class SocksProxyAgent extends Agent {
 // The proxy is connecting to a TLS server, so upgrade
 // this socket connection to a TLS connection.
 debug('Upgrading socket connection to TLS');
- const servername = opts.servername || opts.host;
- const tlsSocket = tls.connect({
- ...omit(opts, 'host', 'path', 'port'),
- socket,
- servername,
- });
+ const tlsSocket = tls.connect(
+ setServernameFromNonIpHost({
+ ...omit(opts, 'host', 'path', 'port'),
+ socket,
+ })
+ );
 tlsSocket.once('error', (error) => {
 debug('Socket TLS error', error.message);