Merge branch 'main' into cache-forceProtectionOff

Author: timokoessler

.github/workflows/benchmark.yml

@@ -23,8 +23,9 @@ jobs:
           - "27016:5432"
     timeout-minutes: 10
     strategy:
+      fail-fast: false
       matrix:
-        node-version: [18.x]
+        node-version: [20.x, 24.x]
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
@@ -34,7 +35,7 @@ jobs:
           cache: "npm"
           cache-dependency-path: "**/package-lock.json"
       - name: Install K6
-        uses: grafana/setup-k6-action@v1
+        uses: grafana/setup-k6-action@ffe7d7290dfa715e48c2ccc924d068444c94bde2 # v1
       - name: Install wrk
         run: |
           sudo apt-get update
@@ -48,10 +49,15 @@ jobs:
       - name: Run shell injection Benchmark
         run: cd benchmarks/shell-injection && node benchmark.js
       - name: Run Hono with Postgres Benchmark
+        # Skip on Node 24.x due to a bug: https://github.com/honojs/node-server/issues/240
+        if: matrix.node-version != '24.x'
         run: cd benchmarks/hono-pg && node benchmark.js
       - name: Run API Discovery Benchmark
         run: cd benchmarks/api-discovery && node benchmark.js
       - name: Run Express Benchmark
+        # Skip on Node 24.x because benchmark currently fails.
+        # Big performance improve in comparison to older Node.js versions, but higher difference between usage with and without Zen
+        if: matrix.node-version != '24.x'
         run: cd benchmarks/express && node benchmark.js
       - name: Check Rate Limiter memory usage
         run: cd benchmarks/rate-limiting && node --expose-gc memory.js

.github/workflows/unit-test.yml

@@ -64,7 +64,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [16.x, 18.x, 20.x, 22.x, 23.x]
+        node-version: [16.x, 18.x, 20.x, 22.x, 24.x]
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
@@ -81,9 +81,9 @@ jobs:
       - run: npm run build
       - run: npm run test:ci
       - name: "Upload coverage"
-        uses: codecov/codecov-action@v4.0.1
+        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5
         with:
-          file: ./library/.tap/report/lcov.info
+          files: ./library/.tap/report/lcov.info
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
           slug: AikidoSec/firewall-node

README.md

@@ -45,7 +45,7 @@ Zen for Node.js 16+ is compatible with:
 * ✅ [micro](docs/micro.md) 10.x
 * ✅ [Next.js](docs/next.md) 12.x, 13.x and 14.x
 * ✅ [Fastify](docs/fastify.md) 4.x and 5.x
-* ✅ [Koa](docs/koa.md) 2.x
+* ✅ [Koa](docs/koa.md) 3.x and 2.x
 * ✅ [NestJS](docs/nestjs.md) 10.x and 11.x
 
 ### Database drivers
@@ -87,12 +87,12 @@ See list above for supported database drivers.
 ### Data serialization tools
 
 * ✅ [`xml2js`](https://www.npmjs.com/package/xml2js) 0.6.x, 0.5.x, ^0.4.18
-* ✅ [`fast-xml-parser`](https://www.npmjs.com/package/fast-xml-parser) 4.x
+* ✅ [`fast-xml-parser`](https://www.npmjs.com/package/fast-xml-parser) 5.x, 4.x
 * ✅ [`xml-js`](https://www.npmjs.com/package/xml-js) 1.x
 
 ### Shell tools
 
-* ✅ [`ShellJS`](https://www.npmjs.com/package/shelljs) 0.8.x, 0.7.x
+* ✅ [`ShellJS`](https://www.npmjs.com/package/shelljs) 0.9.x, 0.8.x, 0.7.x
 
 ### Routers
 

benchmarks/express/package-lock.json

@@ -14,10 +14,12 @@ const modules = [
     module: "nosqli",
     name: "NoSQL query",
   },
+  /*
+  Disabled because functionName.constructor === Function is false after patching global
   {
     module: "jsinjection",
     name: "`new Function(...)`",
-  },
+  },*/
   {
     module: "shelli",
     name: "Shell command",

benchmarks/hono-pg/package-lock.json

@@ -59,6 +59,19 @@ Zen.addExpressMiddleware(app);
 app.get(...);
 ```
 
+You can also pass a `Router` instance to `Zen.addExpressMiddleware`:
+
+```js
+const router = express.Router();
+
+// Note: The middleware should be executed once per request
+Zen.addExpressMiddleware(router);
+
+router.get(...);
+
+app.use(router);
+```
+
 ## Debug mode
 
 If you need to debug the firewall, you can run your express app with the environment variable `AIKIDO_DEBUG` set to `true`:

benchmarks/operations/benchmark.js

@@ -1,4 +1,4 @@
-FROM node:22
+FROM node:22-slim
 
 WORKDIR /app
 

docs/express.md

@@ -2,6 +2,9 @@ const {
   getBlockedIPAddresses,
   getBlockedUserAgents,
   getAllowedIPAddresses,
+  getMonitoredUserAgents,
+  getMonitoredIPAddresses,
+  getUserAgentDetails,
 } = require("../zen/config");
 
 module.exports = function lists(req, res) {
@@ -12,6 +15,9 @@ module.exports = function lists(req, res) {
   const blockedIps = getBlockedIPAddresses(req.app);
   const blockedUserAgents = getBlockedUserAgents(req.app);
   const allowedIps = getAllowedIPAddresses(req.app);
+  const monitoredUserAgents = getMonitoredUserAgents(req.app);
+  const monitoredIps = getMonitoredIPAddresses(req.app);
+  const userAgentDetails = getUserAgentDetails(req.app);
 
   res.json({
     success: true,
@@ -20,22 +26,37 @@ module.exports = function lists(req, res) {
       blockedIps.length > 0
         ? [
             {
+              key: "geoip/Belgium;BE",
               source: "geoip",
               description: "geo restrictions",
               ips: blockedIps,
             },
           ]
         : [],
     blockedUserAgents: blockedUserAgents,
+    monitoredUserAgents: monitoredUserAgents,
+    userAgentDetails: userAgentDetails,
     allowedIPAddresses:
       allowedIps.length > 0
         ? [
             {
+              key: "geoip/Belgium;BE",
               source: "geoip",
               description: "geo restrictions",
               ips: allowedIps,
             },
           ]
         : [],
+    monitoredIPAddresses:
+      monitoredIps.length > 0
+        ? monitoredIps
+        : [
+            {
+              key: "geoip/Belgium;BE",
+              source: "geoip",
+              description: "geo restrictions",
+              ips: monitoredIps,
+            },
+          ],
   });
 };

end2end/server/Dockerfile

@@ -2,6 +2,9 @@ const {
   updateBlockedIPAddresses,
   updateBlockedUserAgents,
   updateAllowedIPAddresses,
+  updateMonitoredUserAgents,
+  updateMonitoredIPAddresses,
+  updateUserAgentDetails,
 } = require("../zen/config");
 
 module.exports = function updateIPLists(req, res) {
@@ -46,5 +49,26 @@ module.exports = function updateIPLists(req, res) {
     updateAllowedIPAddresses(req.app, req.body.allowedIPAddresses);
   }
 
+  if (
+    req.body.monitoredUserAgents &&
+    typeof req.body.monitoredUserAgents === "string"
+  ) {
+    updateMonitoredUserAgents(req.app, req.body.monitoredUserAgents);
+  }
+
+  if (
+    req.body.monitoredIPAddresses &&
+    Array.isArray(req.body.monitoredIPAddresses)
+  ) {
+    updateMonitoredIPAddresses(req.app, req.body.monitoredIPAddresses);
+  }
+
+  if (
+    req.body.userAgentDetails &&
+    Array.isArray(req.body.userAgentDetails)
+  ) {
+    updateUserAgentDetails(req.app, req.body.userAgentDetails);
+  }
+
   res.json({ success: true });
 };