Prevent double counting monitored lists

hansott · hansott · commit cf35e65bd74f · 2025-04-18T16:32:07.000+02:00
diff --git a/library/sources/HTTPServer.stats.test.ts b/library/sources/HTTPServer.stats.test.ts
@@ -154,3 +154,59 @@ t.test("it tracks monitored IP addresses", async () => {
     });
   });
 });
+
+t.test("it only counts once if multiple listeners", async () => {
+  const server = http.createServer((req, res) => {
+    res.setHeader("Content-Type", "text/plain");
+    res.end("OK");
+  });
+
+  server.on("request", (req, res) => {
+    if (res.headersSent) {
+      return;
+    }
+
+    res.setHeader("Content-Type", "text/plain");
+    res.end("OK");
+  });
+
+  await new Promise<void>((resolve) => {
+    server.listen(3329, () => {
+      Promise.all([
+        fetch({
+          url: new URL("http://localhost:3329/test"),
+          method: "GET",
+          headers: {
+            "user-agent": "GPTBot",
+          },
+          timeoutInMS: 500,
+        }),
+        fetch({
+          url: new URL("http://localhost:3329/test"),
+          method: "GET",
+          headers: {
+            "x-forwarded-for": "1.2.3.4",
+          },
+          timeoutInMS: 500,
+        }),
+      ]).then(() => {
+        const { userAgents, ipAddresses } = agent
+          .getInspectionStatistics()
+          .getStats();
+        t.same(userAgents, {
+          breakdown: {
+            // eslint-disable-next-line camelcase
+            ai_data_scrapers: { total: 1, blocked: 0 },
+          },
+        });
+        t.same(ipAddresses, {
+          breakdown: {
+            "known_threat_actors/public_scanners": { total: 1, blocked: 0 },
+          },
+        });
+        server.close();
+        resolve();
+      });
+    });
+  });
+});
diff --git a/library/sources/http-server/checkIfRequestIsBlocked.ts b/library/sources/http-server/checkIfRequestIsBlocked.ts
@@ -5,13 +5,15 @@ import { getContext } from "../../agent/Context";
 import { escapeHTML } from "../../helpers/escapeHTML";
 import { ipAllowedToAccessRoute } from "./ipAllowedToAccessRoute";
 
+const checkedBlocks = Symbol("__zen_checked_blocks__");
+
 /**
  * Inspects the IP address of the request:
  * - Whether the IP address is blocked by an IP blocklist (e.g. Geo restrictions)
  * - Whether the IP address is allowed to access the current route (e.g. Admin panel)
  */
 export function checkIfRequestIsBlocked(
-  res: ServerResponse,
+  res: ServerResponse & { [checkedBlocks]?: boolean },
   agent: Agent
 ): boolean {
   if (res.headersSent) {
@@ -26,6 +28,14 @@ export function checkIfRequestIsBlocked(
     return false;
   }
 
+  if (res[checkedBlocks]) {
+    return false;
+  }
+
+  // We don't need to check again if the request has already been checked
+  // Also ensures that the statistics are only counted once
+  // res[checkedBlocklist] = true;
+
   if (!ipAllowedToAccessRoute(context, agent)) {
     res.statusCode = 403;
     res.setHeader("Content-Type", "text/plain");
@@ -69,43 +79,37 @@ export function checkIfRequestIsBlocked(
     ? agent.getConfig().getBlockedIPAddresses(context.remoteAddress)
     : [];
 
-  if (blockedIPs.length > 0) {
-    // The same IP address can be blocked by multiple lists
-    agent.getInspectionStatistics().onIPAddressMatches(blockedIPs);
+  agent.getInspectionStatistics().onIPAddressMatches(blockedIPs);
+  const blockingMatch = blockedIPs.find((match) => !match.monitor);
 
-    const blockingMatch = blockedIPs.find((match) => !match.monitor);
-    if (blockingMatch) {
-      res.statusCode = 403;
-      res.setHeader("Content-Type", "text/plain");
-
-      let message = `Your IP address is blocked due to ${escapeHTML(blockingMatch.reason)}.`;
-      if (context.remoteAddress) {
-        message += ` (Your IP: ${escapeHTML(context.remoteAddress)})`;
-      }
+  if (blockingMatch) {
+    res.statusCode = 403;
+    res.setHeader("Content-Type", "text/plain");
 
-      res.end(message);
-      return true;
+    let message = `Your IP address is blocked due to ${escapeHTML(blockingMatch.reason)}.`;
+    if (context.remoteAddress) {
+      message += ` (Your IP: ${escapeHTML(context.remoteAddress)})`;
     }
+
+    res.end(message);
+    return true;
   }
 
   const blockedUserAgents =
     context.headers && typeof context.headers["user-agent"] === "string"
       ? agent.getConfig().getBlockedUserAgents(context.headers["user-agent"])
       : [];
 
-  if (blockedUserAgents.length > 0) {
-    // The same user agent can be blocked by multiple lists
-    agent.getInspectionStatistics().onUserAgentMatches(blockedUserAgents);
+  agent.getInspectionStatistics().onUserAgentMatches(blockedUserAgents);
 
-    if (blockedUserAgents.find((match) => !match.monitor)) {
-      res.statusCode = 403;
-      res.setHeader("Content-Type", "text/plain");
+  if (blockedUserAgents.find((match) => !match.monitor)) {
+    res.statusCode = 403;
+    res.setHeader("Content-Type", "text/plain");
 
-      res.end(
-        "You are not allowed to access this resource because you have been identified as a bot."
-      );
-      return true;
-    }
+    res.end(
+      "You are not allowed to access this resource because you have been identified as a bot."
+    );
+    return true;
   }
 
   return false;
