Merge branch 'main' of github.com:AikidoSec/node-RASP into beta

* 'main' of github.com:AikidoSec/node-RASP: (33 commits)
  Prevent ReDoS
  Fix multiple control chars
  Remove unused code
  Check blocked users every time but log once
  Remove some comments
  Update comment
  Allow passing a Router to `addExpressMiddleware`
  Add comments
  Fix unit tests
  Fix path traversal in path
  Add comment
  Remove unused import
  Disable Function sink for now
  Fix test file brackets
  Extend comment
  Add more tests
  Fix url path traversal bypass
  Remove logs
  Increase timeout for n8n test
  Add debug logs for CI only failure
  ...

Author: hansott

README.md

@@ -87,12 +87,12 @@ See list above for supported database drivers.
 ### Data serialization tools
 
 * ✅ [`xml2js`](https://www.npmjs.com/package/xml2js) 0.6.x, 0.5.x, ^0.4.18
-* ✅ [`fast-xml-parser`](https://www.npmjs.com/package/fast-xml-parser) 4.x
+* ✅ [`fast-xml-parser`](https://www.npmjs.com/package/fast-xml-parser) 5.x, 4.x
 * ✅ [`xml-js`](https://www.npmjs.com/package/xml-js) 1.x
 
 ### Shell tools
 
-* ✅ [`ShellJS`](https://www.npmjs.com/package/shelljs) 0.8.x, 0.7.x
+* ✅ [`ShellJS`](https://www.npmjs.com/package/shelljs) 0.9.x, 0.8.x, 0.7.x
 
 ### Routers
 

benchmarks/express/package-lock.json

@@ -14,10 +14,12 @@ const modules = [
     module: "nosqli",
     name: "NoSQL query",
   },
+  /*
+  Disabled because functionName.constructor === Function is false after patching global
   {
     module: "jsinjection",
     name: "`new Function(...)`",
-  },
+  },*/
   {
     module: "shelli",
     name: "Shell command",

benchmarks/hono-pg/package-lock.json

@@ -59,6 +59,19 @@ Zen.addExpressMiddleware(app);
 app.get(...);
 ```
 
+You can also pass a `Router` instance to `Zen.addExpressMiddleware`:
+
+```js
+const router = express.Router();
+
+// Note: The middleware should be executed once per request
+Zen.addExpressMiddleware(router);
+
+router.get(...);
+
+app.use(router);
+```
+
 ## Debug mode
 
 If you need to debug the firewall, you can run your express app with the environment variable `AIKIDO_DEBUG` set to `true`:

benchmarks/operations/benchmark.js

@@ -38,19 +38,25 @@ t.test("it blocks in blocking mode", (t) => {
   timeout(2000)
     .then(() => {
       return Promise.all([
-        fetch("http://127.0.0.1:4000/hello/hans", {
-          signal: AbortSignal.timeout(5000),
-        }),
-        fetch(`http://127.0.0.1:4000/hello/${encodeURIComponent(`hans" //`)}`, {
-          signal: AbortSignal.timeout(5000),
-        }),
+        fetch(
+          `http://127.0.0.1:4000/where?title=${encodeURIComponent("Test'||'a")}`,
+          {
+            signal: AbortSignal.timeout(5000),
+          }
+        ),
+        fetch(
+          `http://127.0.0.1:4000/where?title=${encodeURIComponent("Test' && sleep(10000); '")}`,
+          {
+            signal: AbortSignal.timeout(5000),
+          }
+        ),
       ]);
     })
-    .then(([safeName, unsafeName]) => {
-      t.equal(safeName.status, 200);
-      t.equal(unsafeName.status, 500);
+    .then(([req1, req2]) => {
+      t.equal(req1.status, 500);
+      t.equal(req2.status, 500);
       t.match(stdout, /Starting agent/);
-      t.match(stdout, /Zen has blocked a JavaScript injection/);
+      t.match(stdout, /Zen has blocked a NoSQL injection/);
     })
     .catch((error) => {
       t.fail(error);
@@ -83,19 +89,25 @@ t.test("it does not block in dry mode", (t) => {
   timeout(2000)
     .then(() =>
       Promise.all([
-        fetch("http://127.0.0.1:4001/hello/hans", {
-          signal: AbortSignal.timeout(5000),
-        }),
-        fetch(`http://127.0.0.1:4001/hello/${encodeURIComponent(`hans" //`)}`, {
-          signal: AbortSignal.timeout(5000),
-        }),
+        fetch(
+          `http://127.0.0.1:4001/where?title=${encodeURIComponent("Test'||'a")}`,
+          {
+            signal: AbortSignal.timeout(5000),
+          }
+        ),
+        fetch(
+          `http://127.0.0.1:4001/where?title=${encodeURIComponent("Test' && sleep(10000); '")}`,
+          {
+            signal: AbortSignal.timeout(5000),
+          }
+        ),
       ])
     )
-    .then(([safeName, unsafeName]) => {
-      t.equal(safeName.status, 200);
-      t.equal(unsafeName.status, 200);
+    .then(([req1, req2]) => {
+      t.equal(req1.status, 200);
+      t.equal(req2.status, 200);
       t.match(stdout, /Starting agent/);
-      t.match(stdout, /Zen has detected a JavaScript injection/);
+      t.match(stdout, /Zen has detected a NoSQL injection/);
     })
     .catch((error) => {
       t.fail(error);

docs/express.md

@@ -38,15 +38,11 @@ t.test("it blocks in blocking mode", (t) => {
       return Promise.all([
         fetch(
           `http://localhost:4000/?petname=${encodeURIComponent("Njuska'); DELETE FROM cats;-- H")}`,
-          {
-            signal: AbortSignal.timeout(5000),
-          }
+          { signal: AbortSignal.timeout(5000) }
         ),
         fetch(
           `http://localhost:4000/cats/${encodeURIComponent("Njuska'; DELETE FROM cats;-- H")}`,
-          {
-            signal: AbortSignal.timeout(5000),
-          }
+          { signal: AbortSignal.timeout(5000) }
         ),
         fetch("http://localhost:4000/?petname=Njuska", {
           signal: AbortSignal.timeout(5000),
@@ -93,15 +89,11 @@ t.test("it does not block in dry mode", (t) => {
       Promise.all([
         fetch(
           `http://localhost:4001/?petname=${encodeURIComponent("Njuska'); DELETE FROM cats;-- H")}`,
-          {
-            signal: AbortSignal.timeout(5000),
-          }
+          { signal: AbortSignal.timeout(5000) }
         ),
         fetch(
           `http://localhost:4001/cats/${encodeURIComponent("Njuska'; DELETE FROM cats;-- H")}`,
-          {
-            signal: AbortSignal.timeout(5000),
-          }
+          { signal: AbortSignal.timeout(5000) }
         ),
         fetch("http://localhost:4001/?petname=Njuska", {
           signal: AbortSignal.timeout(5000),
@@ -114,6 +106,70 @@ t.test("it does not block in dry mode", (t) => {
       t.equal(normalSearch.status, 200);
       t.match(stdout, /Starting agent/);
       t.notMatch(stderr, /Zen has blocked an SQL injection/);
+      t.notMatch(
+        stderr,
+        /Some packages can't be protected because they were imported before Zen was initialized\. Please make sure to import Zen as the first module in your application\./
+      );
+    })
+    .catch((error) => {
+      t.fail(error.message);
+    })
+    .finally(() => {
+      server.kill();
+    });
+});
+
+t.test("it prints wrong import warning", (t) => {
+  const server = spawn(`node`, [pathToApp, "4002"], {
+    env: {
+      ...process.env,
+      AIKIDO_DEBUG: "true",
+      AIKIDO_BLOCK: "true",
+      TEST_IMPORT_TOO_LATE: "true",
+    },
+  });
+
+  server.on("close", () => {
+    t.end();
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+
+  // Wait for the server to start
+  timeout(2000)
+    .then(() =>
+      Promise.all([
+        fetch(
+          `http://localhost:4002/?petname=${encodeURIComponent("Njuska'); DELETE FROM cats;-- H")}`,
+          { signal: AbortSignal.timeout(5000) }
+        ),
+        fetch(
+          `http://localhost:4002/cats/${encodeURIComponent("Njuska'; DELETE FROM cats;-- H")}`,
+          { signal: AbortSignal.timeout(5000) }
+        ),
+        fetch("http://localhost:4002/?petname=Njuska", {
+          signal: AbortSignal.timeout(5000),
+        }),
+      ])
+    )
+    .then(([sqlInjection, sqlInjection2, normalSearch]) => {
+      t.equal(sqlInjection.status, 200);
+      t.equal(sqlInjection2.status, 200);
+      t.equal(normalSearch.status, 200);
+      t.match(stdout, /Starting agent/);
+      t.match(
+        stderr,
+        /Some packages can't be protected because they were imported before Zen was initialized\. Please make sure to import Zen as the first module in your application\./
+      );
+      t.notMatch(stderr, /Zen has blocked an SQL injection/);
     })
     .catch((error) => {
       t.fail(error.message);

end2end/tests/express-mongodb.code-injection.test.js

@@ -1,9 +1,19 @@
 const t = require("tap");
-const { spawnSync, spawn, execSync } = require("child_process");
+const { spawn, execSync } = require("child_process");
 const { resolve, join } = require("path");
 const timeout = require("../timeout");
 
 const pathToApp = resolve(__dirname, "../../sample-apps/n8n");
+const dataFolder = join(pathToApp, ".n8n");
+
+t.before(() => {
+  // Delete the .n8n folder if it exists
+  try {
+    execSync(`rm -rf ${dataFolder}`);
+  } catch (error) {
+    // Ignore error
+  }
+});
 
 t.test("it logs in", (t) => {
   const port = 5678;
@@ -14,6 +24,7 @@ t.test("it logs in", (t) => {
       AIKIDO_BLOCK: "true",
       NODE_OPTIONS: "-r @aikidosec/firewall",
       N8N_PORT: port.toString(),
+      N8N_USER_FOLDER: dataFolder,
     },
     cwd: pathToApp,
   });
@@ -37,7 +48,7 @@ t.test("it logs in", (t) => {
   });
 
   // Wait for the server to start
-  timeout(5000)
+  timeout(8000)
     .then(() => {
       return fetch(`http://127.0.0.1:${port}/rest/owner/setup`, {
         method: "POST",

end2end/tests/express-mysql2.test.js

@@ -468,7 +468,7 @@ export class Agent {
       }
     }
 
-    wrapInstalledPackages(wrappers);
+    wrapInstalledPackages(wrappers, this.serverless);
 
     // Send startup event and wait for config
     // Then start heartbeats and polling for config changes

end2end/tests/n8n.test.js

@@ -8,6 +8,7 @@ export const SOURCES = [
   "xml",
   "subdomains",
   "markUnsafe",
+  "url",
 ] as const;
 
 export type Source = (typeof SOURCES)[number];