Merge branch 'main' into cache-forceProtectionOff

Author: timokoessler

.devcontainer/devcontainer.json

@@ -0,0 +1,40 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+{
+  "name": "Zen Node.js",
+  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+  "image": "mcr.microsoft.com/devcontainers/typescript-node:22",
+
+  // Features to add to the dev container. More info: https://containers.dev/features.
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+    "ghcr.io/devcontainers/features/rust:1": {}
+  },
+
+  // Configure tool-specific properties.
+  "customizations": {
+    // Configure properties specific to VS Code.
+    "vscode": {
+      "settings": {},
+      "extensions": [
+        "ms-azuretools.vscode-docker",
+        "dbaeumer.vscode-eslint",
+        "esbenp.prettier-vscode",
+        "YoavBls.pretty-ts-errors",
+        "rust-lang.rust-analyzer"
+      ]
+    }
+  },
+
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  "forwardPorts": [3000, 4000],
+
+  // Use 'portsAttributes' to set default properties for specific forwarded ports.
+  // More info: https://containers.dev/implementors/json_reference/#port-attributes
+  "portsAttributes": {},
+
+  // Use 'postCreateCommand' to run commands after the container is created.
+  "postCreateCommand": "./.devcontainer/postCreateCommand.sh"
+
+  // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+  // "remoteUser": "root"
+}

.devcontainer/postCreateCommand.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Update
+sudo apt update -y && sudo apt upgrade -y
+rustup update
+source /usr/local/share/nvm/nvm.sh
+nvm install --lts
+nvm use --lts
+npm update -g
+
+# Install WASM pack
+curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh
+
+# Install k6
+## k6 installation -- arm machines
+if [ "$(uname -m)" = "aarch64" ]; then
+	K6_TAR_LINK=https://github.com/grafana/k6/releases/download/v0.58.0/k6-v0.58.0-linux-arm64.tar.gz
+	curl -OL $K6_TAR_LINK
+	tar -xzf k6-v0.58.0-linux-arm64.tar.gz
+	sudo mv k6-v0.58.0-linux-arm64/k6 /usr/local/bin/k6
+	rm -rf k6-v0.58.0-linux-arm64*
+else ## k6 installation -- other architectures
+	sudo gpg -k
+	sudo gpg --no-default-keyring --keyring /usr/share/keyrings/k6-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys C5AD17C747E3415A3642D57D77C6C491D6AC1D69
+	echo "deb [signed-by=/usr/share/keyrings/k6-archive-keyring.gpg] https://dl.k6.io/deb stable main" | sudo tee /etc/apt/sources.list.d/k6.list
+	sudo apt-get update -y
+	sudo apt-get install k6 -y
+fi
+
+# Install wrk, sqlite3
+sudo apt install wrk sqlite3 -y
+
+# Install npm packages, build and run containers
+npm i
+npm run build
+npm run containers

benchmarks/hono-pg/benchmark.js

@@ -4,53 +4,55 @@ const { promisify } = require("util");
 const exec = promisify(require("child_process").exec);
 const spawn = require("child_process").spawn;
 
-async function startServer(firewallEnabled) {
-  console.log("Spawning server. Firewall enabled:", firewallEnabled);
+async function runBenchmarks() {
+  console.log("Spawning servers...");
 
   let env = { ...process.env, AIKIDO_CI: "true" };
-  if (firewallEnabled) {
-    env = {
+
+  const serverWithFirewall = spawn("node", ["server.js", "4000"], {
+    env: {
       ...env,
       AIKIDO_BLOCKING: "true",
       NODE_OPTIONS: "-r @aikidosec/firewall",
-    };
-  }
+    },
+    cwd: join(__dirname, "app"),
+  });
 
-  const server = spawn("node", ["server.js", "4000"], {
-    env,
+  const serverWithoutFirewall = spawn("node", ["server.js", "4001"], {
+    env: {
+      ...env,
+    },
     cwd: join(__dirname, "app"),
   });
 
   try {
-    server.on("error", (err) => {
-      throw err;
-    });
-
-    server.on("close", () => {
-      console.log("Closing test server...");
-    });
-
-    server.stderr.on("data", (data) => {
-      throw new Error(data.toString());
-    });
+    for (const server of [serverWithFirewall, serverWithoutFirewall]) {
+      server.on("error", (err) => {
+        throw err;
+      });
+
+      server.stderr.on("data", (data) => {
+        throw new Error(data.toString());
+      });
+    }
 
-    console.log("Waiting for server to start...");
-    await new Promise((resolve) => setTimeout(resolve, 2500));
+    console.log("Waiting for servers to start...");
+    await new Promise((resolve) => setTimeout(resolve, 3000));
 
     console.log("Running k6...");
     const result = await exec("k6 run requests.mjs");
     if (result.stderr) {
       throw new Error(result.stderr);
     }
 
-    server.kill();
-    // Wait for the server to close
-    await new Promise((resolve) => server.on("close", resolve));
+    serverWithFirewall.kill();
+    serverWithoutFirewall.kill();
   } catch (error) {
     console.error(error);
     return false;
   } finally {
-    server.kill();
+    serverWithFirewall.kill();
+    serverWithoutFirewall.kill();
     return true;
   }
 }
@@ -74,69 +76,52 @@ async function getResult() {
     process.exit(1);
   }
 
-  // Start with firewall enabled
-  if (!(await startServer(true))) {
-    process.exit(1);
-  }
-
-  const resultWithFirewall = await getResult();
-
-  // Start with firewall disabled
-  if (!(await startServer(false))) {
+  if (!(await runBenchmarks())) {
     process.exit(1);
   }
 
-  const resultWithoutFirewall = await getResult();
+  const results = await getResult();
 
   console.log("====================================");
-  console.log("Results with firewall enabled:");
-  const customGetFirewall =
-    resultWithFirewall.metrics.custom_get_duration.values;
+  console.log("Results with Zen enabled:");
+  const getResultsWithZen = results.metrics.get_with_zen.values;
   console.log(
-    `GET duration: avg=${customGetFirewall.avg}ms, min=${customGetFirewall.min}ms, max=${customGetFirewall.max}ms`
+    `GET duration: avg=${getResultsWithZen.avg}ms, min=${getResultsWithZen.min}ms, max=${getResultsWithZen.max}ms`
   );
-  const customPostFirewall =
-    resultWithFirewall.metrics.custom_post_duration.values;
+  const postResultsWithZen = results.metrics.post_with_zen.values;
   console.log(
-    `POST duration: avg=${customPostFirewall.avg}ms, min=${customPostFirewall.min}ms, max=${customPostFirewall.max}ms`
-  );
-  console.log(
-    `Total requests: ${resultWithFirewall.metrics.http_reqs.values.count}`
+    `POST duration: avg=${postResultsWithZen.avg}ms, min=${postResultsWithZen.min}ms, max=${postResultsWithZen.max}ms`
   );
 
   console.log("------------------------------------");
-  console.log("Results with firewall disabled:");
-  const customGetNoFirewall =
-    resultWithoutFirewall.metrics.custom_get_duration.values;
-  console.log(
-    `GET duration: avg=${customGetNoFirewall.avg}ms, min=${customGetNoFirewall.min}ms, max=${customGetNoFirewall.max}ms`
-  );
-  const customPostNoFirewall =
-    resultWithoutFirewall.metrics.custom_post_duration.values;
+  console.log("Results with Zen disabled:");
+  const getResultsWithoutZen = results.metrics.get_without_zen.values;
   console.log(
-    `POST duration: avg=${customPostNoFirewall.avg}ms, min=${customPostNoFirewall.min}ms, max=${customPostNoFirewall.max}ms`
+    `GET duration: avg=${getResultsWithoutZen.avg}ms, min=${getResultsWithoutZen.min}ms, max=${getResultsWithoutZen.max}ms`
   );
+  const postResultsWithoutZen = results.metrics.post_without_zen.values;
   console.log(
-    `Total requests: ${resultWithoutFirewall.metrics.http_reqs.values.count}`
+    `POST duration: avg=${postResultsWithoutZen.avg}ms, min=${postResultsWithoutZen.min}ms, max=${postResultsWithoutZen.max}ms`
   );
 
-  const getMedDiff = customGetFirewall.med - customGetNoFirewall.med;
-  const postMedDiff = customPostFirewall.med - customPostNoFirewall.med;
-  const getDiffPercent = (getMedDiff / customGetNoFirewall.med) * 100;
-  const postDiffPercent = (postMedDiff / customPostNoFirewall.med) * 100;
+  const getDiff = results.metrics.get_delta.values.avg;
+  const postDiff = results.metrics.post_delta.values.avg;
+
+  const getDiffPercent = (getDiff / getResultsWithoutZen.avg) * 100;
+  const postDiffPercent = (postDiff / postResultsWithoutZen.avg) * 100;
 
   console.log("------------------------------------");
-  console.log("Firewall performance impact:");
-  console.log(`GET med diff: ${getMedDiff}ms (${getDiffPercent.toFixed(2)}%)`);
+  console.log("Zen performance impact:");
   console.log(
-    `POST med diff: ${postMedDiff}ms (${postDiffPercent.toFixed(2)}%)`
+    `GET avg diff: ${getDiff.toFixed(3)}ms (${getDiffPercent.toFixed(2)}%)`
+  );
+  console.log(
+    `POST avg diff: ${postDiff.toFixed(3)}ms (${postDiffPercent.toFixed(2)}%)`
   );
 
   // Check if difference is larger than 3ms
-  if (getMedDiff > 3 || postMedDiff > 3) {
-    console.log(
-      "Firewall is causing a performance impact thats larger than 3ms"
-    );
+  if (getDiff > 3 || postDiff > 3) {
+    console.log("Zen is causing a performance impact thats larger than 3ms");
     process.exit(1);
   }
 

benchmarks/hono-pg/requests.mjs

@@ -2,8 +2,8 @@ import http from "k6/http";
 import { Trend } from "k6/metrics";
 
 export const options = {
-  vus: 1,
-  duration: "30s",
+  vus: 2,
+  duration: "60s",
 };
 
 http.setResponseCallback(http.expectedStatuses({ min: 200, max: 204 }));
@@ -52,7 +52,6 @@ const headers = {
   "Accept-Language": "en-US,en;q=0.9",
   Dnt: "1",
   Priority: "u=0, i",
-  "Content-Type": "application/json",
   "Sec-Ch-Ua":
     '"Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"',
   "Sec-Ch-Ua-Arch": '"arm"',
@@ -74,25 +73,57 @@ const headers = {
     "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
 };
 
-const GET_TREND = new Trend("custom_get_duration");
-const POST_TREND = new Trend("custom_post_duration");
+function buildTestTrends(prefix) {
+  return {
+    delta: new Trend(`${prefix}_delta`),
+    with_zen: new Trend(`${prefix}_with_zen`),
+    without_zen: new Trend(`${prefix}_without_zen`),
+  };
+}
+
+const getTrends = buildTestTrends("get");
+const postTrends = buildTestTrends("post");
 
 export default function () {
-  const getRes = http.get("http://localhost:4000/api/posts", {
+  const getWithZen = http.get("http://localhost:4000/api/posts", {
+    headers: headers,
+  });
+  const getWithoutZen = http.get("http://localhost:4001/api/posts", {
     headers: headers,
   });
 
-  GET_TREND.add(getRes.timings.waiting);
+  getTrends.with_zen.add(getWithZen.timings.waiting);
+  getTrends.without_zen.add(getWithoutZen.timings.waiting);
+  getTrends.delta.add(
+    getWithZen.timings.waiting - getWithoutZen.timings.waiting
+  );
 
-  const postRes = http.post(
+  const postWithZen = http.post(
     "http://localhost:4000/api/posts",
     JSON.stringify(payload),
     {
-      headers: headers,
+      headers: {
+        ...headers,
+        "Content-Type": "application/json",
+      },
+    }
+  );
+  const postWithoutZen = http.post(
+    "http://localhost:4001/api/posts",
+    JSON.stringify(payload),
+    {
+      headers: {
+        ...headers,
+        "Content-Type": "application/json",
+      },
     }
   );
 
-  POST_TREND.add(postRes.timings.waiting);
+  postTrends.with_zen.add(postWithZen.timings.waiting);
+  postTrends.without_zen.add(postWithoutZen.timings.waiting);
+  postTrends.delta.add(
+    postWithZen.timings.waiting - postWithoutZen.timings.waiting
+  );
 }
 
 export function handleSummary(data) {

end2end/tests/lambda-mark-unsafe.test.js

@@ -0,0 +1,18 @@
+const t = require("tap");
+const { execSync } = require("child_process");
+const { resolve } = require("path");
+
+const pathToApp = resolve(
+  __dirname,
+  "../../sample-apps/lambda-mark-unsafe",
+  "app.js"
+);
+
+t.test(
+  "it does not crash if markUnsafe is used in lambda wrapper",
+  async (t) => {
+    execSync(`node ${pathToApp}`, {
+      env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_BLOCKING: "true" },
+    });
+  }
+);

library/agent/Agent.ts

@@ -216,6 +216,10 @@ export class Agent {
       agent: this.getAgentInfo(),
     };
 
+    this.getInspectionStatistics().onDetectedAttack({
+      blocked,
+    });
+
     this.attackLogger.log(attack);
 
     if (this.token) {