
Commit bf57cf2

committed
Merge branch 'main' into new-instrumentation
2 parents 1c2f034 + ba17528 commit bf57cf2


10 files changed

+119
-24
lines changed


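--- a/end2end/tests/express-mongodb.ssrf.test.js
+++ b/end2end/tests/express-mongodb.ssrf.test.js
@@ -57,7 +57,7 @@ t.test("it blocks in blocking mode", (t) => {
 AIKIDO_DEBUG: "true",
 AIKIDO_BLOCKING: "true",
 AIKIDO_TOKEN: token,
-AIKIDO_URL: testServerUrl,
+AIKIDO_ENDPOINT: testServerUrl,
 },
 });
 
@@ -155,7 +155,7 @@ t.test("it does not block in dry mode", (t) => {
 ...process.env,
 AIKIDO_DEBUG: "true",
 AIKIDO_TOKEN: token,
-AIKIDO_URL: testServerUrl,
+AIKIDO_ENDPOINT: testServerUrl,
 },
 });
 
@@ -213,7 +213,7 @@ t.test("it blocks request to base URL if proxy is not trusted", (t) => {
 AIKIDO_DEBUG: "true",
 AIKIDO_BLOCKING: "true",
 AIKIDO_TOKEN: token,
-AIKIDO_URL: testServerUrl,
+AIKIDO_ENDPOINT: testServerUrl,
 AIKIDO_TRUST_PROXY: "false",
 },
 });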

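--- a/end2end/tests/hono-xml-allowlists.test.ts
+++ b/end2end/tests/hono-xml-allowlists.test.ts
@@ -59,7 +59,7 @@ t.test("it blocks non-allowed IP addresses", (t) => {
 AIKIDO_DEBUG: "true",
 AIKIDO_BLOCK: "true",
 AIKIDO_TOKEN: token,
-AIKIDO_URL: testServerUrl,
+AIKIDO_ENDPOINT: testServerUrl,
 },
 });
 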

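--- a/end2end/tests/hono-xml-blocklists.test.js
+++ b/end2end/tests/hono-xml-blocklists.test.js
@@ -58,7 +58,7 @@ t.test("it blocks geo restricted IPs", (t) => {
 AIKIDO_DEBUG: "true",
 AIKIDO_BLOCKING: "true",
 AIKIDO_TOKEN: token,
-AIKIDO_URL: testServerUrl,
+AIKIDO_ENDPOINT: testServerUrl,
 },
 });
 
@@ -158,7 +158,7 @@ t.test("it blocks bots", (t) => {
 AIKIDO_DEBUG: "true",
 AIKIDO_BLOCKING: "true",
 AIKIDO_TOKEN: token,
-AIKIDO_URL: testServerUrl,
+AIKIDO_ENDPOINT: testServerUrl,
 },
 });
 
@@ -252,7 +252,7 @@ t.test("it does not block bypass IP if in blocklist", (t) => {
 AIKIDO_DEBUG: "true",
 AIKIDO_BLOCKING: "true",
 AIKIDO_TOKEN: token,
-AIKIDO_URL: testServerUrl,
+AIKIDO_ENDPOINT: testServerUrl,
 },
 });
 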

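--- a/end2end/tests/hono-xml-rate-limiting.test.js
+++ b/end2end/tests/hono-xml-rate-limiting.test.js
@@ -49,7 +49,7 @@ t.test("it rate limits requests", (t) => {
 AIKIDO_DEBUG: "true",
 AIKIDO_BLOCKING: "true",
 AIKIDO_TOKEN: token,
-AIKIDO_URL: testServerUrl,
+AIKIDO_ENDPOINT: testServerUrl,
 },
 });
 
@@ -109,7 +109,7 @@ t.test("user rate limiting works", (t) => {
 AIKIDO_DEBUG: "true",
 AIKIDO_BLOCKING: "true",
 AIKIDO_TOKEN: token,
-AIKIDO_URL: testServerUrl,
+AIKIDO_ENDPOINT: testServerUrl,
 },
 });
 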

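--- a/end2end/tests/nestjs-fastify-rate-limiting.test.js
+++ b/end2end/tests/nestjs-fastify-rate-limiting.test.js
@@ -60,7 +60,7 @@ t.test("it rate limits requests", (t) => {
 AIKIDO_DEBUG: "true",
 AIKIDO_BLOCKING: "true",
 AIKIDO_TOKEN: token,
-AIKIDO_URL: testServerUrl,
+AIKIDO_ENDPOINT: testServerUrl,
 PORT: "4002",
 },
 });
@@ -122,7 +122,7 @@ t.test("user rate limiting works", (t) => {
 AIKIDO_DEBUG: "true",
 AIKIDO_BLOCKING: "true",
 AIKIDO_TOKEN: token,
-AIKIDO_URL: testServerUrl,
+AIKIDO_ENDPOINT: testServerUrl,
 PORT: "4003",
 },
 });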

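--- a/library/agent/getAPIURL.ts
+++ b/library/agent/getAPIURL.ts
@@ -1,6 +1,6 @@
 export function getAPIURL() {
-if (process.env.AIKIDO_URL) {
-return new URL(process.env.AIKIDO_URL);
+if (process.env.AIKIDO_ENDPOINT) {
+return new URL(process.env.AIKIDO_ENDPOINT);
 }
 
 return new URL("https://guard.aikido.dev");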
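Review bot: The rename on the new lines 2–3 drops AIKIDO_URL without any fallback, so a deployment that still exports the old name silently falls through to the hard-coded `https://guard.aikido.dev` default and the agent presumably reports to the public endpoint instead of the one the operator configured. If the old name was ever documented, keep reading it during a deprecation window, e.g. `const endpoint = process.env.AIKIDO_ENDPOINT ?? process.env.AIKIDO_URL;` followed by `if (endpoint) { return new URL(endpoint); }`, and log when the deprecated name is the one in effect. The same issue applies to getRealtimeURL.ts, which renames AIKIDO_REALTIME_URL to AIKIDO_REALTIME_ENDPOINT in the same way. A doc comment naming the variable and the default would also help, e.g. `/** Base URL of the Aikido API, overridable via AIKIDO_ENDPOINT; defaults to https://guard.aikido.dev. */`.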

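--- a/library/agent/realtime/getRealtimeURL.ts
+++ b/library/agent/realtime/getRealtimeURL.ts
@@ -1,6 +1,6 @@
 export function getRealtimeURL() {
-if (process.env.AIKIDO_REALTIME_URL) {
-return new URL(process.env.AIKIDO_REALTIME_URL);
+if (process.env.AIKIDO_REALTIME_ENDPOINT) {
+return new URL(process.env.AIKIDO_REALTIME_ENDPOINT);
 }
 
 return new URL("https://runtime.aikido.dev");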

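--- a/library/helpers/isWellKnownURI.ts
+++ b/library/helpers/isWellKnownURI.ts
@@ -0,0 +1,98 @@
+const wellKnown = new Set([
+"/.well-known/acme-challenge",
+"/.well-known/amphtml",
+"/.well-known/api-catalog",
+"/.well-known/appspecific",
+"/.well-known/ashrae",
+"/.well-known/assetlinks.json",
+"/.well-known/broadband-labels",
+"/.well-known/brski",
+"/.well-known/caldav",
+"/.well-known/carddav",
+"/.well-known/change-password",
+"/.well-known/cmp",
+"/.well-known/coap",
+"/.well-known/coap-eap",
+"/.well-known/core",
+"/.well-known/csaf",
+"/.well-known/csaf-aggregator",
+"/.well-known/csvm",
+"/.well-known/did.json",
+"/.well-known/did-configuration.json",
+"/.well-known/dnt",
+"/.well-known/dnt-policy.txt",
+"/.well-known/dots",
+"/.well-known/ecips",
+"/.well-known/edhoc",
+"/.well-known/enterprise-network-security",
+"/.well-known/enterprise-transport-security",
+"/.well-known/est",
+"/.well-known/genid",
+"/.well-known/gnap-as-rs",
+"/.well-known/gpc.json",
+"/.well-known/gs1resolver",
+"/.well-known/hoba",
+"/.well-known/host-meta",
+"/.well-known/host-meta.json",
+"/.well-known/hosting-provider",
+"/.well-known/http-opportunistic",
+"/.well-known/idp-proxy",
+"/.well-known/jmap",
+"/.well-known/keybase.txt",
+"/.well-known/knx",
+"/.well-known/looking-glass",
+"/.well-known/masque",
+"/.well-known/matrix",
+"/.well-known/mercure",
+"/.well-known/mta-sts.txt",
+"/.well-known/mud",
+"/.well-known/nfv-oauth-server-configuration",
+"/.well-known/ni",
+"/.well-known/nodeinfo",
+"/.well-known/nostr.json",
+"/.well-known/oauth-authorization-server",
+"/.well-known/oauth-protected-resource",
+"/.well-known/ohttp-gateway",
+"/.well-known/openid-federation",
+"/.well-known/open-resource-discovery",
+"/.well-known/openid-configuration",
+"/.well-known/openorg",
+"/.well-known/oslc",
+"/.well-known/pki-validation",
+"/.well-known/posh",
+"/.well-known/privacy-sandbox-attestations.json",
+"/.well-known/private-token-issuer-directory",
+"/.well-known/probing.txt",
+"/.well-known/pvd",
+"/.well-known/rd",
+"/.well-known/related-website-set.json",
+"/.well-known/reload-config",
+"/.well-known/repute-template",
+"/.well-known/resourcesync",
+"/.well-known/sbom",
+"/.well-known/security.txt",
+"/.well-known/ssf-configuration",
+"/.well-known/sshfp",
+"/.well-known/stun-key",
+"/.well-known/terraform.json",
+"/.well-known/thread",
+"/.well-known/time",
+"/.well-known/timezone",
+"/.well-known/tdmrep.json",
+"/.well-known/tor-relay",
+"/.well-known/tpcd",
+"/.well-known/traffic-advice",
+"/.well-known/trust.txt",
+"/.well-known/uma2-configuration",
+"/.well-known/void",
+"/.well-known/webfinger",
+"/.well-known/webweaver.json",
+"/.well-known/wot",
+]);
+
+// Check if a path is a well-known URI
+// e.g. /.well-known/acme-challenge
+// https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
+export function isWellKnownURI(path: string) {
+return wellKnown.has(path);
+}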
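Review bot: `wellKnown.has(path)` on line 97 is an exact match, so only the bare registered path is recognised; a nested path such as `/.well-known/acme-challenge/<token>` (the form in which the ACME challenge named in the comment on line 94 is actually served) returns false. Because the companion hunk in shouldDiscoverRoute.ts removes the `.well-known` exception from isDotFile, such nested routes are now rejected by the dot-file check, which looks contrary to the intent written above the new `isWellKnownURI` call there. If prefix matching is intended, compare the first two path segments instead, e.g. `const prefix = path.split("/").slice(0, 3).join("/");` and `return wellKnown.has(prefix);`, which still rejects the bare `/.well-known` as the updated test expects. If exact matching is intended, say so in the comment and give the function an explicit return type, `export function isWellKnownURI(path: string): boolean`. Either way, a test for a nested well-known path would pin the behaviour.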

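--- a/library/sources/http-server/shouldDiscoverRoute.test.ts
+++ b/library/sources/http-server/shouldDiscoverRoute.test.ts
@@ -215,7 +215,7 @@ t.test("it allows .well-known directory", async () => {
 route: "/.well-known",
 method: "GET",
 }),
-true
+false
 );
 t.same(
 shouldDiscoverRoute({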
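Review bot: The expectation on line 218 flips to `false`, but the enclosing test keeps the name `it allows .well-known directory` shown in the hunk header, so the title now states the opposite of what the test asserts; the test body starts before this hunk and continues after it. Rename it to match the new behaviour, e.g. `t.test("it does not discover the bare .well-known directory", async () => {`. Since the commit introduces an allowlist of registered well-known paths, a positive case such as `route: "/.well-known/security.txt"` expecting `true` would exercise the new branch, which no visible test currently does.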

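--- a/library/sources/http-server/shouldDiscoverRoute.ts
+++ b/library/sources/http-server/shouldDiscoverRoute.ts
@@ -1,4 +1,5 @@
 import { getFileExtension } from "../../helpers/getFileExtension";
+import { isWellKnownURI } from "../../helpers/isWellKnownURI";
 
 const EXCLUDED_METHODS = ["OPTIONS", "HEAD"];
 const IGNORE_EXTENSIONS = ["properties", "config", "webmanifest"];
@@ -25,16 +26,17 @@ export function shouldDiscoverRoute({
 
 const segments = route.split("/");
 
-// e.g. /path/to/.file or /.directory/file
-if (segments.some(isDotFile)) {
+// Do not discover routes with dot files like `/path/to/.file` or `/.directory/file`
+// We want to allow discovery of well-known URIs like `/.well-known/acme-challenge`
+if (!isWellKnownURI(route) && segments.some(isDotFile)) {
 return false;
 }
 
 if (segments.some(containsIgnoredString)) {
 return false;
 }
 
-// Check for every file segment if it contains an file extension and if it should be discovered or ignored
+// Check for every file segment if it contains a file extension and if it should be discovered or ignored
 return segments.every(shouldDiscoverExtension);
 }
 
@@ -61,11 +63,6 @@ function shouldDiscoverExtension(segment: string) {
 }
 
 function isDotFile(segment: string) {
-// See https://www.rfc-editor.org/rfc/rfc8615
-if (segment === ".well-known") {
-return false;
-}
-
 return segment.startsWith(".") && segment.length > 1;
 }
 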
