Add e2e test

Author: timokoessler

.github/workflows/end-to-end-tests.yml

@@ -66,3 +66,5 @@ jobs:
       - run: npm install
       - run: npm run build
       - run: npm run end2end
+        env:
+          GOOGLE_GENERATIVE_AI_API_KEY: ${{ secrets.GOOGLE_GENERATIVE_AI_API_KEY }}

end2end/tests/hono-sqlite-ai.test.js

@@ -0,0 +1,114 @@
+const t = require("tap");
+const { spawn } = require("child_process");
+const { resolve } = require("path");
+const timeout = require("../timeout");
+
+const pathToApp = resolve(
+  __dirname,
+  "../../sample-apps/hono-sqlite-ai",
+  "app.js"
+);
+
+t.test("it blocks in blocking mode", (t) => {
+  const server = spawn(`node`, [pathToApp, "4006"], {
+    env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_BLOCK: "true" },
+  });
+
+  server.on("close", () => {
+    t.end();
+  });
+
+  server.on("error", (err) => {
+    t.fail(err.message);
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+
+  // Wait for the server to start
+  timeout(2000)
+    .then(() => {
+      return Promise.all([
+        fetch(
+          `http://127.0.0.1:4006/weather?prompt=${encodeURIComponent('What is the weather in "Ghent\'; DELETE FROM weather; --" like?')}`,
+          {
+            signal: AbortSignal.timeout(5000),
+          }
+        ),
+      ]);
+    })
+    .then(async ([sqlInjection]) => {
+      t.equal(sqlInjection.status, 500);
+
+      const response = await sqlInjection.json();
+      t.equal(
+        response.error,
+        "Error executing tool weather: Zen has blocked an SQL injection: better-sqlite3.prepare(...) originating from aiToolParams.[0].location"
+      );
+    })
+    .catch((error) => {
+      t.fail(error.message);
+    })
+    .finally(() => {
+      server.kill();
+    });
+});
+
+t.test("it does not block in monitoring mode", (t) => {
+  const server = spawn(`node`, [pathToApp, "4007"], {
+    env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_BLOCK: "false" },
+  });
+
+  server.on("close", () => {
+    t.end();
+  });
+
+  server.on("error", (err) => {
+    t.fail(err.message);
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+
+  // Wait for the server to start
+  timeout(2000)
+    .then(() => {
+      return Promise.all([
+        fetch(
+          `http://127.0.0.1:4007/weather?prompt=${encodeURIComponent('What is the weather in "Ghent\'; DELETE FROM weather; --" like?')}`,
+          {
+            signal: AbortSignal.timeout(5000),
+          }
+        ),
+      ]);
+    })
+    .then(async ([sqlInjection]) => {
+      t.equal(sqlInjection.status, 500);
+
+      const response = await sqlInjection.json();
+      t.equal(
+        response.error,
+        "Error executing tool weather: The supplied SQL string contains more than one statement"
+      );
+    })
+    .catch((error) => {
+      t.fail(error.message);
+    })
+    .finally(() => {
+      server.kill();
+    });
+});

sample-apps/hono-sqlite-ai/README.md

@@ -0,0 +1,7 @@
+# hono-sqlite-ai
+
+WARNING: This application contains security issues and should not be used in production (or taken as an example of how to write secure code).
+
+This example uses an in-memory SQLite database.
+
+In the root directory run `npm run sample-app hono-sqlite-ai` to start the server.

sample-apps/hono-sqlite-ai/app.js

@@ -0,0 +1,76 @@
+const Zen = require("@aikidosec/firewall");
+const { seedDatabase, getTemperature } = require("./db");
+const { Hono } = require("hono");
+const { serve } = require("@hono/node-server");
+const { google } = require("@ai-sdk/google");
+const { generateText, tool } = require("ai");
+const { z } = require("zod");
+
+(async () => {
+  const app = new Hono();
+  seedDatabase();
+
+  Zen.addHonoMiddleware(app);
+
+  // Insecure test api
+  app.get("/weather", async (c) => {
+    const prompt = c.req.query("prompt");
+
+    if (!prompt) {
+      return c.json(
+        {
+          error: "Prompt is required",
+        },
+        400
+      );
+    }
+
+    try {
+      const response = await sendRequestToLLM(prompt);
+
+      return c.json({
+        response: response.toolResults,
+      });
+    } catch (error) {
+      return c.json(
+        {
+          error: error.message,
+        },
+        500
+      );
+    }
+  });
+
+  const port = parseInt(process.argv[2], 10) || 4000;
+
+  if (isNaN(port)) {
+    console.error("Invalid port");
+    process.exit(1);
+  }
+
+  serve({
+    fetch: app.fetch,
+    port: port,
+  }).on("listening", () => {
+    console.log(`Server is running on port ${port}`);
+  });
+})();
+
+async function sendRequestToLLM(prompt) {
+  return await generateText({
+    model: google("models/gemini-2.0-flash-lite"),
+    tools: {
+      weather: tool({
+        description: "Get the weather in a location",
+        parameters: z.object({
+          location: z.string().describe("The location to get the weather for"),
+        }),
+        execute: async ({ location }) => {
+          return getTemperature(location);
+        },
+      }),
+    },
+    prompt: prompt,
+    toolChoice: "required",
+  });
+}

sample-apps/hono-sqlite-ai/db.js

@@ -0,0 +1,31 @@
+const Database = require("better-sqlite3");
+
+const db = new Database(":memory:");
+
+function seedDatabase() {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS weather (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      city TEXT NOT NULL,
+      temperature REAL NOT NULL
+    );
+  `);
+  db.exec("INSERT INTO weather (city, temperature) VALUES ('New York', 25.0);");
+  db.exec(
+    "INSERT INTO weather (city, temperature) VALUES ('Los Angeles', 30.0);"
+  );
+  db.exec("INSERT INTO weather (city, temperature) VALUES ('Ghent', 20.0);");
+  db.exec("INSERT INTO weather (city, temperature) VALUES ('Oslo', 15.0);");
+}
+
+function getTemperature(city) {
+  // Insecure, vulnerable to SQL injection
+  return db
+    .prepare(`SELECT temperature FROM weather WHERE city = '${city}';`)
+    .get();
+}
+
+module.exports = {
+  seedDatabase,
+  getTemperature,
+};