Apply suggestions

Co-Authored-By: Hans Ott <3886384+hansott@users.noreply.github.com>

Author: timokoessler

docs/esm.md

@@ -18,18 +18,6 @@ export NODE_OPTIONS='-r @aikidosec/firewall/instrument'
 > [!IMPORTANT]  
 > Please also check the documentation on how to integrate Zen with your used web framework.
 
-## Blocking mode
-
-By default, the firewall will run in non-blocking mode. When it detects an attack, the attack will be reported to Aikido if the environment variable `AIKIDO_TOKEN` is set and continue executing the call.
-
-You can enable blocking mode by setting the environment variable `AIKIDO_BLOCK` to `true`:
-
-```sh
-AIKIDO_BLOCK=true node app.js
-```
-
-It's recommended to enable this on your staging environment for a considerable amount of time before enabling it on your production environment (e.g. one week).
-
 ## Known issues
 
 - The app might crash on startup if used together with some packages that use the Node.js Asynchronous Module Customization Hooks, like Sentry or OpenTelemetry, due to bugs in Node.js itself.

end2end/tests-new/nestjs-sentry.test.js

@@ -5,8 +5,8 @@ const { test, before } = require("node:test");
 const { equal, fail, match, doesNotMatch } = require("node:assert");
 
 const pathToAppDir = resolve(__dirname, "../../sample-apps/nestjs-sentry");
-const port = "4006";
-const port2 = "4007";
+const port = "4007";
+const port2 = "4008";
 
 before(() => {
   const { stderr } = spawnSync(`npm`, ["run", "build"], {

library/agent/hooks/WrapPackageInfo.ts

@@ -1,24 +1,30 @@
-export type WrapPackageInfo = {
-  /**
-   * Name of the package.
-   */
+export type WrapPackageInfo =
+  | {
+      // Name of the builtin module
+      name: string;
+      type: "builtin";
+    }
+  | {
+      // Name of the external package
+      name: string;
+      // Version of the external package
+      version: string;
+      type: "external";
+      // Path information for the external package
+      path: {
+        base: string;
+        // Path of the imported js file relative to the module base directory
+        relative: string;
+      };
+    }
+  | {
+      // Name of the global
+      name: string;
+      type: "global";
+    };
+
+export type PartialWrapPackageInfo = {
   name: string;
-  /**
-   * Version of the package, only set if the module is not a builtin module.
-   */
-  version?: string;
-  /**
-   * Type of the wrap target.
-   */
   type: "builtin" | "external" | "global";
-  /**
-   * Only set if the module is not a builtin module.
-   */
-  path?: {
-    base: string;
-    /**
-     * Path of the imported js file relative to the module base directory.
-     */
-    relative: string;
-  };
+  version?: string;
 };

library/agent/hooks/instrumentation/types.ts

@@ -4,7 +4,7 @@ import type {
   ModifyArgsInterceptor,
   ModifyReturnValueInterceptor,
 } from "../wrapExport";
-import type { WrapPackageInfo } from "../WrapPackageInfo";
+import type { PartialWrapPackageInfo } from "../WrapPackageInfo";
 
 type TypedArray =
   | Int8Array
@@ -77,7 +77,7 @@ export type LocalVariableAccessConfig = {
   /**
    * Callback function to be called with the accessed variable values.
    */
-  cb: (vars: any[], pkgInfo: WrapPackageInfo) => void;
+  cb: (vars: any[], pkgInfo: PartialWrapPackageInfo) => void;
 };
 
 export type FileCallbackInfoObj = {

library/agent/hooks/onInspectionInterceptorResult.ts

@@ -6,7 +6,7 @@ import { OperationKind } from "../api/Event";
 import { attackKindHumanName } from "../Attack";
 import { getContext, updateContext } from "../Context";
 import type { InterceptorResult } from "./InterceptorResult";
-import type { WrapPackageInfo } from "./WrapPackageInfo";
+import type { PartialWrapPackageInfo } from "./WrapPackageInfo";
 import { cleanError } from "../../helpers/cleanError";
 
 // Used for cleaning up the stack trace
@@ -16,7 +16,7 @@ export function onInspectionInterceptorResult(
   context: ReturnType<typeof getContext>,
   agent: Agent,
   result: InterceptorResult,
-  pkgInfo: WrapPackageInfo,
+  pkgInfo: PartialWrapPackageInfo,
   start: number,
   operation: string,
   kind: OperationKind | undefined

library/agent/hooks/wrapExport.ts

@@ -4,7 +4,7 @@ import { getInstance } from "../AgentSingleton";
 import { OperationKind } from "../api/Event";
 import { bindContext, getContext } from "../Context";
 import type { InterceptorResult } from "./InterceptorResult";
-import type { WrapPackageInfo } from "./WrapPackageInfo";
+import type { PartialWrapPackageInfo } from "./WrapPackageInfo";
 import { wrapDefaultOrNamed } from "./wrapDefaultOrNamed";
 import { onInspectionInterceptorResult } from "./onInspectionInterceptorResult";
 
@@ -44,7 +44,7 @@ export type InterceptorObject = {
 export function wrapExport(
   subject: unknown,
   methodName: string | undefined,
-  pkgInfo: WrapPackageInfo,
+  pkgInfo: PartialWrapPackageInfo,
   interceptors: InterceptorObject
 ) {
   const agent = getInstance();
@@ -147,7 +147,7 @@ export function inspectArgs(
   interceptor: InspectArgsInterceptor,
   context: ReturnType<typeof getContext>,
   agent: Agent,
-  pkgInfo: WrapPackageInfo,
+  pkgInfo: PartialWrapPackageInfo,
   methodName: string,
   kind: OperationKind | undefined
 ) {

library/agent/hooks/wrapNewInstance.ts

@@ -1,14 +1,14 @@
 import { getInstance } from "../AgentSingleton";
 import { wrapDefaultOrNamed } from "./wrapDefaultOrNamed";
-import { WrapPackageInfo } from "./WrapPackageInfo";
+import { PartialWrapPackageInfo } from "./WrapPackageInfo";
 
 /**
  * Intercepts the creation of a new instance of a class, to wrap it's methods and properties.
  */
 export function wrapNewInstance(
   subject: unknown,
   className: string | undefined,
-  pkgInfo: WrapPackageInfo,
+  pkgInfo: PartialWrapPackageInfo,
   interceptor: (exports: any) => void | unknown
 ) {
   const agent = getInstance();

library/agent/hooks/wrapRequire.test.ts

@@ -26,8 +26,10 @@ t.test("Can wrap external package", async (t) => {
     exports._test = "aikido";
     t.same(pkgInfo.name, "sqlite3");
     t.same(pkgInfo.type, "external");
-    t.ok(pkgInfo.path?.base.endsWith("node_modules/sqlite3"));
-    t.same(pkgInfo.path?.relative, "lib/sqlite3.js");
+    if (pkgInfo.type === "external") {
+      t.ok(pkgInfo.path.base.endsWith("node_modules/sqlite3"));
+      t.same(pkgInfo.path.relative, "lib/sqlite3.js");
+    }
   });
   setPackagesToPatch([pkg]);
 
@@ -56,8 +58,10 @@ t.test("Can wrap file of external package", async (t) => {
       exports._test = "aikido";
       t.same(pkgInfo.name, "hono");
       t.same(pkgInfo.type, "external");
-      t.ok(pkgInfo.path?.base.endsWith("node_modules/hono"));
-      t.same(pkgInfo.path?.relative, "dist/cjs/hono-base.js");
+      if (pkgInfo.type === "external") {
+        t.ok(pkgInfo.path.base.endsWith("node_modules/hono"));
+        t.same(pkgInfo.path.relative, "dist/cjs/hono-base.js");
+      }
     });
   setPackagesToPatch([pkg]);
 
@@ -79,6 +83,7 @@ t.test("Can wrap builtin module", async (t) => {
     exports._test = "aikido";
     t.same(pkgInfo.name, "fs");
     t.same(pkgInfo.type, "builtin");
+    // @ts-expect-error Test to ensure types are correct
     t.same(pkgInfo.path, undefined);
   });
   setBuiltinModulesToPatch([module]);

library/sinks/MongoDB.ts

@@ -239,18 +239,17 @@ export class MongoDB implements Wrapper {
         path: "lib/collection.js",
         functions: [
           ...OPERATIONS_WITH_FILTER.map(
-            (operation) =>
-              ({
-                name: operation,
-                nodeType: "MethodDefinition",
-                operationKind: "nosql_op",
-                inspectArgs: (args, agent, collection) =>
-                  this.inspectOperation(
-                    operation,
-                    args,
-                    collection as Collection
-                  ),
-              }) as PackageFunctionInstrumentationInstruction
+            (operation): PackageFunctionInstrumentationInstruction => ({
+              name: operation,
+              nodeType: "MethodDefinition",
+              operationKind: "nosql_op",
+              inspectArgs: (args, agent, collection) =>
+                this.inspectOperation(
+                  operation,
+                  args,
+                  collection as Collection
+                ),
+            })
           ),
           {
             name: "bulkWrite",

library/sinks/Prisma.ts

@@ -12,7 +12,7 @@ import { Context, getContext } from "../agent/Context";
 import { onInspectionInterceptorResult } from "../agent/hooks/onInspectionInterceptorResult";
 import { getInstance } from "../agent/AgentSingleton";
 import type { Agent } from "../agent/Agent";
-import { WrapPackageInfo } from "../agent/hooks/WrapPackageInfo";
+import { PartialWrapPackageInfo } from "../agent/hooks/WrapPackageInfo";
 import { detectNoSQLInjection } from "../vulnerabilities/nosql-injection/detectNoSQLInjection";
 import type { LocalVariableAccessConfig } from "../agent/hooks/instrumentation/types";
 
@@ -173,7 +173,7 @@ export class Prisma implements Wrapper {
     isNoSQLClient: boolean;
     sqlDialect?: SQLDialect;
     agent: Agent;
-    pkgInfo: WrapPackageInfo;
+    pkgInfo: PartialWrapPackageInfo;
   }) {
     let inspectionResult: InterceptorResult | undefined;
     const start = performance.now();
@@ -206,7 +206,10 @@ export class Prisma implements Wrapper {
     return query(args);
   }
 
-  private instrumentPrismaClient(instance: any, pkgInfo: WrapPackageInfo) {
+  private instrumentPrismaClient(
+    instance: any,
+    pkgInfo: PartialWrapPackageInfo
+  ) {
     const isNoSQLClient = this.isNoSQLClient(instance);
 
     const agent = getInstance();