Add e2e tests, fix typo

timokoessler · timokoessler · commit 0cddf7eb0c6b · 2025-04-28T16:52:33.000+02:00
diff --git a/end2end/server/src/handlers/lists.js b/end2end/server/src/handlers/lists.js
@@ -2,6 +2,7 @@ const {
   getBlockedIPAddresses,
   getBlockedUserAgents,
   getAllowedIPAddresses,
+  getBotSpoofingData,
 } = require("../zen/config");
 
 module.exports = function lists(req, res) {
@@ -12,6 +13,7 @@ module.exports = function lists(req, res) {
   const blockedIps = getBlockedIPAddresses(req.app);
   const blockedUserAgents = getBlockedUserAgents(req.app);
   const allowedIps = getAllowedIPAddresses(req.app);
+  const botSpoofingData = getBotSpoofingData(req.app);
 
   res.json({
     success: true,
@@ -37,5 +39,6 @@ module.exports = function lists(req, res) {
             },
           ]
         : [],
+    botSpoofingProtection: botSpoofingData,
   });
 };
diff --git a/end2end/server/src/handlers/updateLists.js b/end2end/server/src/handlers/updateLists.js
@@ -2,6 +2,7 @@ const {
   updateBlockedIPAddresses,
   updateBlockedUserAgents,
   updateAllowedIPAddresses,
+  updateBotSpoofingData,
 } = require("../zen/config");
 
 module.exports = function updateIPLists(req, res) {
@@ -46,5 +47,12 @@ module.exports = function updateIPLists(req, res) {
     updateAllowedIPAddresses(req.app, req.body.allowedIPAddresses);
   }
 
+  if (
+    req.body.botSpoofingProtection &&
+    Array.isArray(req.body.botSpoofingProtection)
+  ) {
+    updateBotSpoofingData(req.app, req.body.botSpoofingProtection);
+  }
+
   res.json({ success: true });
 };
diff --git a/end2end/server/src/zen/config.js b/end2end/server/src/zen/config.js
@@ -40,6 +40,7 @@ function updateAppConfig(app, newConfig) {
 const blockedIPAddresses = [];
 const blockedUserAgents = [];
 const allowedIPAddresses = [];
+const botSpoofingData = [];
 
 function updateBlockedIPAddresses(app, ips) {
   let entry = blockedIPAddresses.find((ip) => ip.serviceId === app.serviceId);
@@ -113,6 +114,30 @@ function getBlockedUserAgents(app) {
   return "";
 }
 
+function updateBotSpoofingData(app, data) {
+  let entry = botSpoofingData.find((d) => d.serviceId === app.serviceId);
+
+  if (entry) {
+    entry.data = data;
+  } else {
+    entry = { serviceId: app.serviceId, data: data };
+    botSpoofingData.push(entry);
+  }
+
+  // Bump lastUpdatedAt
+  updateAppConfig(app, {});
+}
+
+function getBotSpoofingData(app) {
+  const entry = botSpoofingData.find((d) => d.serviceId === app.serviceId);
+
+  if (entry) {
+    return entry.data;
+  }
+
+  return [];
+}
+
 module.exports = {
   getAppConfig,
   updateAppConfig,
@@ -122,4 +147,6 @@ module.exports = {
   getBlockedUserAgents,
   getAllowedIPAddresses,
   updateAllowedIPAddresses,
+  updateBotSpoofingData,
+  getBotSpoofingData,
 };
diff --git a/end2end/tests/hono-sqlite3-bot-spoofing.test.js b/end2end/tests/hono-sqlite3-bot-spoofing.test.js
@@ -0,0 +1,148 @@
+const t = require("tap");
+const { spawn } = require("child_process");
+const { resolve } = require("path");
+const timeout = require("../timeout");
+
+const pathToApp = resolve(
+  __dirname,
+  "../../sample-apps/hono-sqlite3",
+  "app.js"
+);
+const testServerUrl = "http://localhost:5874";
+
+let token;
+t.beforeEach(async () => {
+  const response = await fetch(`${testServerUrl}/api/runtime/apps`, {
+    method: "POST",
+  });
+  const body = await response.json();
+  token = body.token;
+
+  const lists = await fetch(`${testServerUrl}/api/runtime/firewall/lists`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: token,
+    },
+    body: JSON.stringify({
+      allowedIPAddresses: [],
+      blockedIPAddresses: [],
+      blockedUserAgents: "",
+      botSpoofingProtection: [
+        {
+          key: "google_test",
+          uaPattern: "Googlebot|GoogleStoreBot",
+          ips: ["1.2.3.4/24", "4.3.2.1"],
+          hostnames: ["google.com", "googlebot.com"],
+        },
+      ],
+    }),
+  });
+  t.same(lists.status, 200);
+});
+
+t.test("it blocks spoofed bots", (t) => {
+  const server = spawn(`node`, [pathToApp, "4012"], {
+    env: {
+      ...process.env,
+      AIKIDO_DEBUG: "true",
+      AIKIDO_BLOCK: "true",
+      AIKIDO_TOKEN: token,
+      AIKIDO_ENDPOINT: testServerUrl,
+    },
+  });
+
+  server.on("close", () => {
+    t.end();
+  });
+
+  server.on("error", (err) => {
+    t.fail(err.message);
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+
+  // Wait for the server to start
+  timeout(4000)
+    .then(async () => {
+      {
+        const response = await fetch("http://127.0.0.1:4012/", {
+          headers: {
+            "user-agent": "Googlebot",
+            "x-forwarded-for": "1.1.1.1",
+          },
+          signal: AbortSignal.timeout(5000),
+        });
+        t.same(response.status, 403);
+        t.same(
+          await response.text(),
+          "You are not allowed to access this resource."
+        );
+      }
+      {
+        const response = await fetch("http://127.0.0.1:4012/", {
+          headers: {
+            "user-agent": "Googlebot",
+            "x-forwarded-for": "127.0.0.1",
+          },
+          signal: AbortSignal.timeout(5000),
+        });
+        t.same(response.status, 200); // localhost is not blocked
+      }
+      {
+        const response = await fetch("http://127.0.0.1:4012/", {
+          headers: {
+            "user-agent":
+              "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15",
+            "x-forwarded-for": "1.1.1.1",
+          },
+          signal: AbortSignal.timeout(5000),
+        });
+        t.same(response.status, 200); // not a protected bot
+      }
+      {
+        const response = await fetch("http://127.0.0.1:4012/", {
+          headers: {
+            "user-agent": "Googlebot",
+            "x-forwarded-for": "66.249.90.77",
+          },
+          signal: AbortSignal.timeout(5000),
+        });
+        t.same(response.status, 200); // Real Googlebot ip
+      }
+      {
+        const response = await fetch("http://127.0.0.1:4012/", {
+          headers: {
+            "user-agent": "Googlebot",
+            "x-forwarded-for": "1.2.3.4",
+          },
+          signal: AbortSignal.timeout(5000),
+        });
+        t.same(response.status, 200); // whitelisted ip
+      }
+      {
+        const response = await fetch("http://127.0.0.1:4012/", {
+          headers: {
+            "user-agent": "Googlebot",
+            "x-forwarded-for": "4.3.2.1",
+          },
+          signal: AbortSignal.timeout(5000),
+        });
+        t.same(response.status, 200); // whitelisted ip
+      }
+    })
+    .catch((error) => {
+      t.fail(error.message);
+    })
+    .finally(() => {
+      server.kill();
+    });
+});
diff --git a/library/agent/Agent.ts b/library/agent/Agent.ts
@@ -382,12 +382,12 @@ export class Agent {
         blockedIPAddresses,
         blockedUserAgents,
         allowedIPAddresses,
-        botSpoofingData,
+        botSpoofingProtection,
       } = await fetchBlockedLists(this.token);
       this.serviceConfig.updateBlockedIPAddresses(blockedIPAddresses);
       this.serviceConfig.updateBlockedUserAgents(blockedUserAgents);
       this.serviceConfig.updateAllowedIPAddresses(allowedIPAddresses);
-      this.serviceConfig.updateBotSpoofingData(botSpoofingData);
+      this.serviceConfig.updateBotSpoofingData(botSpoofingProtection);
     } catch (error: any) {
       console.error(`Aikido: Failed to update blocked lists: ${error.message}`);
     }
diff --git a/library/agent/api/fetchBlockedLists.ts b/library/agent/api/fetchBlockedLists.ts
@@ -19,7 +19,7 @@ export async function fetchBlockedLists(token: Token): Promise<{
   blockedIPAddresses: IPList[];
   allowedIPAddresses: IPList[];
   blockedUserAgents: string;
-  botSpoofingData: BotSpoofingData[];
+  botSpoofingProtection: BotSpoofingData[];
 }> {
   const baseUrl = getAPIURL();
   const { body, statusCode } = await fetch({
@@ -46,7 +46,7 @@ export async function fetchBlockedLists(token: Token): Promise<{
     blockedIPAddresses: IPList[];
     allowedIPAddresses: IPList[];
     blockedUserAgents: string;
-    botSpoofingData: BotSpoofingData[];
+    botSpoofingProtection: BotSpoofingData[];
   } = JSON.parse(body);
 
   return {
@@ -63,9 +63,9 @@ export async function fetchBlockedLists(token: Token): Promise<{
       result && typeof result.blockedUserAgents === "string"
         ? result.blockedUserAgents
         : "",
-    botSpoofingData:
-      result && Array.isArray(result.botSpoofingData)
-        ? result.botSpoofingData
+    botSpoofingProtection:
+      result && Array.isArray(result.botSpoofingProtection)
+        ? result.botSpoofingProtection
         : [],
   };
 }
