Merge branch 'main' of github.com:AikidoSec/node-RASP into request-stats

* 'main' of github.com:AikidoSec/node-RASP:
  Prevent ReDoS
  Fix multiple control chars
  Remove unused code
  Check blocked users every time but log once
  Remove some comments
  Update comment
  Allow passing a Router to `addExpressMiddleware`
  Add comments
  Fix unit tests
  Fix path traversal in path
  Fix test file brackets
  Extend comment
  Add more tests
  Fix url path traversal bypass
  fix: Remove another ts-expect-error
  Remove unused @ts-expect-error
  Support Shelljs 0.9.x

Author: hansott

README.md

@@ -92,7 +92,7 @@ See list above for supported database drivers.
 
 ### Shell tools
 
-* ✅ [`ShellJS`](https://www.npmjs.com/package/shelljs) 0.8.x, 0.7.x
+* ✅ [`ShellJS`](https://www.npmjs.com/package/shelljs) 0.9.x, 0.8.x, 0.7.x
 
 ### Routers
 

docs/express.md

@@ -59,6 +59,19 @@ Zen.addExpressMiddleware(app);
 app.get(...);
 ```
 
+You can also pass a `Router` instance to `Zen.addExpressMiddleware`:
+
+```js
+const router = express.Router();
+
+// Note: The middleware should be executed once per request
+Zen.addExpressMiddleware(router);
+
+router.get(...);
+
+app.use(router);
+```
+
 ## Debug mode
 
 If you need to debug the firewall, you can run your express app with the environment variable `AIKIDO_DEBUG` set to `true`:

library/agent/Source.ts

@@ -8,6 +8,7 @@ export const SOURCES = [
   "xml",
   "subdomains",
   "markUnsafe",
+  "url",
 ] as const;
 
 export type Source = (typeof SOURCES)[number];

library/middleware/express.ts

@@ -1,5 +1,5 @@
 /** TS_EXPECT_TYPES_ERROR_OPTIONAL_DEPENDENCY **/
-import type { Express } from "express";
+import type { Express, Router } from "express";
 import { shouldBlockRequest } from "./shouldBlockRequest";
 import { escapeHTML } from "../helpers/escapeHTML";
 
@@ -8,7 +8,7 @@ import { escapeHTML } from "../helpers/escapeHTML";
  * Attacks will still be blocked by Zen if you do not call this function.
  * Execute this function as early as possible in your Express app, but after the middleware that sets the user.
  */
-export function addExpressMiddleware(app: Express) {
+export function addExpressMiddleware(app: Express | Router) {
   app.use((req, res, next) => {
     const result = shouldBlockRequest();
 

library/middleware/shouldBlockRequest.test.ts

@@ -19,19 +19,23 @@ const sampleContext: Context = {
   route: "/posts/:id",
 };
 
-t.test("without context", async (t) => {
-  const logs: string[] = [];
-  wrap(console, "warn", function warn() {
-    return function warn(message: string) {
-      logs.push(message);
-    };
-  });
+let logs: string[] = [];
+wrap(console, "warn", function warn() {
+  return function warn(message: string) {
+    logs.push(message);
+  };
+});
 
+t.beforeEach(() => {
+  logs = [];
+});
+
+t.test("without context", async (t) => {
   const result = shouldBlockRequest();
   shouldBlockRequest();
   t.same(result, { block: false });
   t.same(logs, [
-    "shouldBlockRequest() was called without a context. The request will not be blocked. Make sure to call shouldBlockRequest() within an HTTP request. If you're using serverless functions, make sure to use the handler wrapper provided by Zen. Also ensure you import Zen at the top of your main app file (before any other imports).",
+    "Zen.shouldBlockRequest() was called without a context. The request will not be blocked. Make sure to call shouldBlockRequest() within an HTTP request. If you're using serverless functions, make sure to use the handler wrapper provided by Zen. Also ensure you import Zen at the top of your main app file (before any other imports).",
   ]);
 });
 
@@ -47,3 +51,14 @@ t.test("with agent", async (t) => {
     t.same(shouldBlockRequest(), { block: false });
   });
 });
+
+t.test("multiple calls", async (t) => {
+  createTestAgent();
+  runWithContext(sampleContext, () => {
+    shouldBlockRequest();
+    shouldBlockRequest();
+  });
+  t.same(logs, [
+    "Zen.shouldBlockRequest() was called multiple times. The middleware should be executed once per request.",
+  ]);
+});

library/middleware/shouldBlockRequest.ts

@@ -21,6 +21,10 @@ export function shouldBlockRequest(): Result {
     return { block: false };
   }
 
+  if (context.executedMiddleware) {
+    logWarningAlreadyExecutedMiddleware();
+  }
+
   updateContext(context, "executedMiddleware", true);
   agent.onMiddlewareExecuted();
 
@@ -50,8 +54,23 @@ function logWarningShouldBlockRequestCalledWithoutContext() {
 
   // eslint-disable-next-line no-console
   console.warn(
-    "shouldBlockRequest() was called without a context. The request will not be blocked. Make sure to call shouldBlockRequest() within an HTTP request. If you're using serverless functions, make sure to use the handler wrapper provided by Zen. Also ensure you import Zen at the top of your main app file (before any other imports)."
+    "Zen.shouldBlockRequest() was called without a context. The request will not be blocked. Make sure to call shouldBlockRequest() within an HTTP request. If you're using serverless functions, make sure to use the handler wrapper provided by Zen. Also ensure you import Zen at the top of your main app file (before any other imports)."
   );
 
   loggedWarningShouldBlockRequestCalledWithoutContext = true;
 }
+
+let loggedWarningAlreadyExecutedMiddleware = false;
+
+function logWarningAlreadyExecutedMiddleware() {
+  if (loggedWarningAlreadyExecutedMiddleware) {
+    return;
+  }
+
+  // eslint-disable-next-line no-console
+  console.warn(
+    "Zen.shouldBlockRequest() was called multiple times. The middleware should be executed once per request."
+  );
+
+  loggedWarningAlreadyExecutedMiddleware = true;
+}