Merge pull request #713 from AikidoSec/warn-if-bundled

hansott · web-flow · commit 29ec19e6a970 · 2025-08-28T13:34:49.000+02:00
Print warning if lib is bundled
diff --git a/docs/bundler.md b/docs/bundler.md
@@ -0,0 +1,20 @@
+# Installing Zen in a Node.js Application that uses a bundler
+
+⚠️ Note: Zen runs only on the server side, it does not run in the browser.
+
+Zen might not work out of the box with bundlers, depending on how they are configured.
+To ensure that Zen can properly instrument your code and protect your application, you may need to adjust your bundler settings.
+
+In order to be compatible with Zen, your bundler needs to be configured to exclude all external packages from the bundle.
+You can also choose to only exclude Zen and all the packages that should be protected.
+In this case, your production environment still needs the `node_modules` folder.
+
+If you are using esbuild, you can find [more information here](./esbuild.md).
+
+If it is not possible to exclude all packages from bundling, Zen provides the following helper function to get a list of all the packages that need to be excluded:
+
+```javascript
+const { externals } = require("@aikidosec/firewall/bundler");
+
+externals(); // Returns an array of package names
+```
diff --git a/end2end/tests/express-postgres.test.js b/end2end/tests/express-postgres.test.js
@@ -15,6 +15,14 @@ t.before(() => {
   if (stderr && stderr.toString().length > 0) {
     throw new Error(`Failed to build: ${stderr.toString()}`);
   }
+
+  const { stderr2 } = spawnSync("node", ["esbuild-wrong.js"], {
+    cwd: directory,
+  });
+
+  if (stderr2 && stderr2.toString().length > 0) {
+    throw new Error(`Failed to build: ${stderr2.toString()}`);
+  }
 });
 
 entrypoints.forEach((entrypoint) => {
@@ -77,6 +85,10 @@ entrypoints.forEach((entrypoint) => {
           t.equal(normalSearch.status, 200);
           t.match(stdout, /Starting agent/);
           t.match(stderr, /Zen has blocked an SQL injection/);
+          t.notMatch(
+            stderr,
+            /Your application seems to be using a bundler without externalizing Zen/
+          );
         }
       )
       .catch((error) => {
@@ -229,3 +241,34 @@ t.test("it blocks in blocking mode (with dd-trace)", (t) => {
       server.kill();
     });
 });
+
+t.test("it prints warning before crashing if bundled", (t) => {
+  const server = spawn(`node`, ["compiled-bundled.js", "4003"], {
+    env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_BLOCKING: "true" },
+    cwd: directory,
+  });
+
+  server.on("close", () => {
+    t.match(
+      stderr,
+      /Your application seems to be using a bundler without externalizing Zen/
+    );
+    t.match(stderr, /ENOENT: no such file or directory/); // Can't load wasm
+
+    t.end();
+  });
+
+  server.on("error", (err) => {
+    t.fail(err.message);
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+});
diff --git a/library/helpers/isLibBundled.ts b/library/helpers/isLibBundled.ts
@@ -0,0 +1,10 @@
+// Detect at runtime if the library is bundled inside an application
+export function isLibBundled(): boolean {
+  // Replace Windows backslashes with forward slashes
+  const normalizedDirName = __dirname.replace(/\\/g, "/");
+
+  return (
+    !normalizedDirName.includes("node_modules/@aikidosec/firewall/helpers") &&
+    !normalizedDirName.includes("firewall-node/build/helpers") // In case of e2e tests
+  );
+}
diff --git a/library/index.ts b/library/index.ts
@@ -13,6 +13,7 @@ import { addRestifyMiddleware } from "./middleware/restify";
 import { isESM } from "./helpers/isESM";
 import { checkIndexImportGuard } from "./helpers/indexImportGuard";
 import { setRateLimitGroup } from "./ratelimiting/group";
+import { isLibBundled } from "./helpers/isLibBundled";
 
 const supported = isFirewallSupported();
 const shouldEnable = shouldEnableFirewall();
@@ -25,6 +26,12 @@ if (supported && shouldEnable && notAlreadyImported) {
     );
   }
 
+  if (isLibBundled()) {
+    console.warn(
+      "AIKIDO: Your application seems to be using a bundler without externalizing Zen and the packages that should be protected. Zen will not function as intended. See https://github.com/AikidoSec/firewall-node/blob/main/docs/bundler.md for more information."
+    );
+  }
+
   require("./agent/protect").protect();
 }
 
diff --git a/sample-apps/express-postgres/.gitignore b/sample-apps/express-postgres/.gitignore
@@ -1 +1,2 @@
 /compiled.js
+/compiled-bundled.js
diff --git a/sample-apps/express-postgres/esbuild-wrong.js b/sample-apps/express-postgres/esbuild-wrong.js
@@ -0,0 +1,9 @@
+const { build } = require("esbuild");
+
+build({
+  entryPoints: ["./app.js"],
+  bundle: true,
+  platform: "node",
+  target: "node18",
+  outfile: "./compiled-bundled.js",
+});

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`/compiled.js`
	`2`	`+/compiled-bundled.js`