Prepare ServiceConfig and stats

Author: timokoessler

library/agent/Agent.test.ts

@@ -58,6 +58,10 @@ wrap(fetch, "fetch", function mock() {
             pattern: "Bytespider",
           },
         ],
+        domains: [
+          { hostname: "example.com", mode: "block" },
+          { hostname: "aikido.dev", mode: "allow" },
+        ],
       } satisfies Response),
     };
   };
@@ -1110,6 +1114,9 @@ t.test("it fetches blocked lists", async () => {
   t.same(agent.getConfig().isUserAgentBlocked("Mozilla/5.0 (compatible)"), {
     blocked: false,
   });
+
+  t.same(agent.getConfig().shouldBlockOutgoingRequest("example.com"), true);
+  t.same(agent.getConfig().shouldBlockOutgoingRequest("aikido.dev"), false);
 });
 
 t.test("it does not fetch blocked IPs if serverless", async () => {

library/agent/Agent.ts

@@ -294,6 +294,12 @@ export class Agent {
       ) {
         this.sendHeartbeatEveryMS = response.heartbeatIntervalInMS;
       }
+
+      if (typeof response.blockNewOutgoingRequests === "boolean") {
+        this.serviceConfig.setBlockNewOutgoingRequests(
+          response.blockNewOutgoingRequests
+        );
+      }
     }
   }
 
@@ -402,13 +408,15 @@ export class Agent {
         monitoredIPAddresses,
         monitoredUserAgents,
         userAgentDetails,
+        domains,
       } = await fetchBlockedLists(this.token);
       this.serviceConfig.updateBlockedIPAddresses(blockedIPAddresses);
       this.serviceConfig.updateBlockedUserAgents(blockedUserAgents);
       this.serviceConfig.updateAllowedIPAddresses(allowedIPAddresses);
       this.serviceConfig.updateMonitoredIPAddresses(monitoredIPAddresses);
       this.serviceConfig.updateMonitoredUserAgents(monitoredUserAgents);
       this.serviceConfig.updateUserAgentDetails(userAgentDetails);
+      this.serviceConfig.updateDomains(domains);
     } catch (error: any) {
       console.error(`Aikido: Failed to update blocked lists: ${error.message}`);
     }

library/agent/Hostnames.test.ts

@@ -6,41 +6,43 @@ t.test("it works", async () => {
   t.same(hostnames.asArray(), []);
 
   hostnames.add("aikido.dev", 443);
-  t.same(hostnames.asArray(), [{ hostname: "aikido.dev", port: 443, hits: 1 }]);
+  t.same(hostnames.asArray(), [
+    { hostname: "aikido.dev", port: 443, hits: 1, blockedHits: 0 },
+  ]);
 
   hostnames.add("aikido.dev", 80);
   t.same(hostnames.asArray(), [
-    { hostname: "aikido.dev", port: 443, hits: 1 },
-    { hostname: "aikido.dev", port: 80, hits: 1 },
+    { hostname: "aikido.dev", port: 443, hits: 1, blockedHits: 0 },
+    { hostname: "aikido.dev", port: 80, hits: 1, blockedHits: 0 },
   ]);
 
   hostnames.add("google.com", 80);
   t.same(hostnames.asArray(), [
-    { hostname: "aikido.dev", port: 443, hits: 1 },
-    { hostname: "aikido.dev", port: 80, hits: 1 },
-    { hostname: "google.com", port: 80, hits: 1 },
+    { hostname: "aikido.dev", port: 443, hits: 1, blockedHits: 0 },
+    { hostname: "aikido.dev", port: 80, hits: 1, blockedHits: 0 },
+    { hostname: "google.com", port: 80, hits: 1, blockedHits: 0 },
   ]);
 
   hostnames.add("google.com", 0);
   hostnames.add("google.com", -1);
   t.same(hostnames.asArray(), [
-    { hostname: "aikido.dev", port: 443, hits: 1 },
-    { hostname: "aikido.dev", port: 80, hits: 1 },
-    { hostname: "google.com", port: 80, hits: 1 },
+    { hostname: "aikido.dev", port: 443, hits: 1, blockedHits: 0 },
+    { hostname: "aikido.dev", port: 80, hits: 1, blockedHits: 0 },
+    { hostname: "google.com", port: 80, hits: 1, blockedHits: 0 },
   ]);
 
   hostnames.add("github.com", 80);
   t.same(hostnames.asArray(), [
-    { hostname: "aikido.dev", port: 80, hits: 1 },
-    { hostname: "google.com", port: 80, hits: 1 },
-    { hostname: "github.com", port: 80, hits: 1 },
+    { hostname: "aikido.dev", port: 80, hits: 1, blockedHits: 0 },
+    { hostname: "google.com", port: 80, hits: 1, blockedHits: 0 },
+    { hostname: "github.com", port: 80, hits: 1, blockedHits: 0 },
   ]);
 
   hostnames.add("jetbrains.com", 80);
   t.same(hostnames.asArray(), [
-    { hostname: "google.com", port: 80, hits: 1 },
-    { hostname: "github.com", port: 80, hits: 1 },
-    { hostname: "jetbrains.com", port: 80, hits: 1 },
+    { hostname: "google.com", port: 80, hits: 1, blockedHits: 0 },
+    { hostname: "github.com", port: 80, hits: 1, blockedHits: 0 },
+    { hostname: "jetbrains.com", port: 80, hits: 1, blockedHits: 0 },
   ]);
 
   hostnames.clear();
@@ -53,30 +55,30 @@ t.test("it respects max size", async () => {
   hostnames.add("aikido.dev", 2);
 
   t.same(hostnames.asArray(), [
-    { hostname: "aikido.dev", port: 1, hits: 1 },
-    { hostname: "aikido.dev", port: 2, hits: 1 },
+    { hostname: "aikido.dev", port: 1, hits: 1, blockedHits: 0 },
+    { hostname: "aikido.dev", port: 2, hits: 1, blockedHits: 0 },
   ]);
 
   hostnames.add("aikido.dev", 3);
   hostnames.add("aikido.dev", 4);
 
   t.same(hostnames.asArray(), [
-    { hostname: "aikido.dev", port: 3, hits: 1 },
-    { hostname: "aikido.dev", port: 4, hits: 1 },
+    { hostname: "aikido.dev", port: 3, hits: 1, blockedHits: 0 },
+    { hostname: "aikido.dev", port: 4, hits: 1, blockedHits: 0 },
   ]);
 
   hostnames.add("google.com", 1);
 
   t.same(hostnames.asArray(), [
-    { hostname: "aikido.dev", port: 4, hits: 1 },
-    { hostname: "google.com", port: 1, hits: 1 },
+    { hostname: "aikido.dev", port: 4, hits: 1, blockedHits: 0 },
+    { hostname: "google.com", port: 1, hits: 1, blockedHits: 0 },
   ]);
 
   hostnames.add("google.com", 2);
 
   t.same(hostnames.asArray(), [
-    { hostname: "google.com", port: 1, hits: 1 },
-    { hostname: "google.com", port: 2, hits: 1 },
+    { hostname: "google.com", port: 1, hits: 1, blockedHits: 0 },
+    { hostname: "google.com", port: 2, hits: 1, blockedHits: 0 },
   ]);
 });
 
@@ -85,25 +87,64 @@ t.test("it tracks hits", async () => {
 
   hostnames.add("aikido.dev", 443);
   hostnames.add("aikido.dev", 443);
-  t.same(hostnames.asArray(), [{ hostname: "aikido.dev", port: 443, hits: 2 }]);
+  t.same(hostnames.asArray(), [
+    { hostname: "aikido.dev", port: 443, hits: 2, blockedHits: 0 },
+  ]);
 
   hostnames.add("aikido.dev", 80);
   t.same(hostnames.asArray(), [
-    { hostname: "aikido.dev", port: 443, hits: 2 },
-    { hostname: "aikido.dev", port: 80, hits: 1 },
+    { hostname: "aikido.dev", port: 443, hits: 2, blockedHits: 0 },
+    { hostname: "aikido.dev", port: 80, hits: 1, blockedHits: 0 },
   ]);
 
   hostnames.add("google.com", 80);
   t.same(hostnames.asArray(), [
-    { hostname: "aikido.dev", port: 443, hits: 2 },
-    { hostname: "aikido.dev", port: 80, hits: 1 },
-    { hostname: "google.com", port: 80, hits: 1 },
+    { hostname: "aikido.dev", port: 443, hits: 2, blockedHits: 0 },
+    { hostname: "aikido.dev", port: 80, hits: 1, blockedHits: 0 },
+    { hostname: "google.com", port: 80, hits: 1, blockedHits: 0 },
   ]);
 
   hostnames.add("aikido.dev", 443);
   t.same(hostnames.asArray(), [
-    { hostname: "aikido.dev", port: 443, hits: 3 },
-    { hostname: "aikido.dev", port: 80, hits: 1 },
-    { hostname: "google.com", port: 80, hits: 1 },
+    { hostname: "aikido.dev", port: 443, hits: 3, blockedHits: 0 },
+    { hostname: "aikido.dev", port: 80, hits: 1, blockedHits: 0 },
+    { hostname: "google.com", port: 80, hits: 1, blockedHits: 0 },
+  ]);
+});
+
+t.test("it tracks blocked hits", async () => {
+  const hostnames = new Hostnames(3);
+
+  hostnames.add("aikido.dev", 443, true);
+  hostnames.add("aikido.dev", 443, true);
+  t.same(hostnames.asArray(), [
+    { hostname: "aikido.dev", port: 443, hits: 2, blockedHits: 2 },
+  ]);
+
+  hostnames.add("aikido.dev", 80, true);
+  t.same(hostnames.asArray(), [
+    { hostname: "aikido.dev", port: 443, hits: 2, blockedHits: 2 },
+    { hostname: "aikido.dev", port: 80, hits: 1, blockedHits: 1 },
+  ]);
+
+  hostnames.add("google.com", 80, true);
+  t.same(hostnames.asArray(), [
+    { hostname: "aikido.dev", port: 443, hits: 2, blockedHits: 2 },
+    { hostname: "aikido.dev", port: 80, hits: 1, blockedHits: 1 },
+    { hostname: "google.com", port: 80, hits: 1, blockedHits: 1 },
+  ]);
+
+  hostnames.add("aikido.dev", 443, false);
+  t.same(hostnames.asArray(), [
+    { hostname: "aikido.dev", port: 443, hits: 3, blockedHits: 2 },
+    { hostname: "aikido.dev", port: 80, hits: 1, blockedHits: 1 },
+    { hostname: "google.com", port: 80, hits: 1, blockedHits: 1 },
+  ]);
+
+  hostnames.add("aikido.dev", 443, false);
+  t.same(hostnames.asArray(), [
+    { hostname: "aikido.dev", port: 443, hits: 4, blockedHits: 2 },
+    { hostname: "aikido.dev", port: 80, hits: 1, blockedHits: 1 },
+    { hostname: "google.com", port: 80, hits: 1, blockedHits: 1 },
   ]);
 });

library/agent/Hostnames.ts

@@ -1,23 +1,48 @@
-type Ports = Map<number, number>;
+type Ports = Map<
+  number,
+  {
+    hits: number;
+    blockedHits: number;
+  }
+>;
 
 export class Hostnames {
   private map: Map<string, Ports> = new Map();
 
   constructor(private readonly maxEntries: number = 200) {}
 
-  add(hostname: string, port: number) {
+  add(hostname: string, port: number, blocked = false) {
     if (port <= 0) {
       return;
     }
 
     if (!this.map.has(hostname)) {
-      this.map.set(hostname, new Map([[port, 1]]));
+      this.map.set(
+        hostname,
+        new Map([
+          [
+            port,
+            {
+              hits: 1,
+              blockedHits: blocked ? 1 : 0,
+            },
+          ],
+        ])
+      );
     } else {
       const ports = this.map.get(hostname) as Ports;
       if (!ports.has(port)) {
-        ports.set(port, 1);
+        ports.set(port, {
+          hits: 1,
+          blockedHits: blocked ? 1 : 0,
+        });
       } else {
-        ports.set(port, ports.get(port)! + 1);
+        ports.set(port, {
+          hits: ports.get(port)!.hits + 1,
+          blockedHits: blocked
+            ? ports.get(port)!.blockedHits + 1
+            : ports.get(port)!.blockedHits,
+        });
       }
     }
 
@@ -47,11 +72,12 @@ export class Hostnames {
 
   asArray() {
     return Array.from(this.map.entries()).flatMap(([hostname, ports]) =>
-      Array.from(ports.entries()).map(([port, hits]) => {
+      Array.from(ports.entries()).map(([port, stats]) => {
         return {
           hostname,
           port,
-          hits,
+          hits: stats.hits,
+          blockedHits: stats.blockedHits,
         };
       })
     );

library/agent/ServiceConfig.test.ts

@@ -406,3 +406,34 @@ t.test(
     t.same(config.getMatchingUserAgentKeys("googlebot"), []);
   }
 );
+
+t.test("outbound request blocking", async (t) => {
+  const config = new ServiceConfig([], 0, [], [], false, [], []);
+
+  t.same(config.shouldBlockOutgoingRequest("example.com"), false);
+
+  config.setBlockNewOutgoingRequests(true);
+  t.same(config.shouldBlockOutgoingRequest("example.com"), true);
+
+  config.updateDomains([
+    { hostname: "example.com", mode: "allow" },
+    { hostname: "aikido.dev", mode: "block" },
+  ]);
+  t.same(config.shouldBlockOutgoingRequest("example.com"), false);
+  t.same(config.shouldBlockOutgoingRequest("aikido.dev"), true);
+  t.same(config.shouldBlockOutgoingRequest("unknown.com"), true);
+
+  config.updateDomains([
+    { hostname: "example.com", mode: "block" },
+    { hostname: "aikido.dev", mode: "allow" },
+  ]);
+  t.same(config.shouldBlockOutgoingRequest("example.com"), true);
+  t.same(config.shouldBlockOutgoingRequest("aikido.dev"), false);
+  t.same(config.shouldBlockOutgoingRequest("unknown.com"), true);
+
+  config.setBlockNewOutgoingRequests(false);
+
+  t.same(config.shouldBlockOutgoingRequest("example.com"), true);
+  t.same(config.shouldBlockOutgoingRequest("aikido.dev"), false);
+  t.same(config.shouldBlockOutgoingRequest("unknown.com"), false);
+});

library/agent/ServiceConfig.ts

@@ -2,7 +2,7 @@ import { IPMatcher } from "../helpers/ip-matcher/IPMatcher";
 import { LimitedContext, matchEndpoints } from "../helpers/matchEndpoints";
 import { isPrivateIP } from "../vulnerabilities/ssrf/isPrivateIP";
 import type { Endpoint, EndpointConfig } from "./Config";
-import { IPList, UserAgentDetails } from "./api/fetchBlockedLists";
+import type { Domain, IPList, UserAgentDetails } from "./api/fetchBlockedLists";
 import { safeCreateRegExp } from "./safeCreateRegExp";
 
 export class ServiceConfig {
@@ -27,6 +27,9 @@ export class ServiceConfig {
   private monitoredUserAgentRegex: RegExp | undefined;
   private userAgentDetails: { pattern: RegExp; key: string }[] = [];
 
+  private blockNewOutgoingRequests = false;
+  private domains = new Map<string, Domain["mode"]>();
+
   constructor(
     endpoints: EndpointConfig[],
     private lastUpdatedAt: number,
@@ -278,4 +281,24 @@ export class ServiceConfig {
   hasReceivedAnyStats() {
     return this.receivedAnyStats;
   }
+
+  setBlockNewOutgoingRequests(block: boolean) {
+    this.blockNewOutgoingRequests = block;
+  }
+
+  updateDomains(domains: Domain[]) {
+    this.domains = new Map(domains.map((i) => [i.hostname, i.mode]));
+  }
+
+  shouldBlockOutgoingRequest(hostname: string): boolean {
+    const mode = this.domains.get(hostname);
+
+    if (this.blockNewOutgoingRequests) {
+      // Only allow outgoing requests if the mode is "allow"
+      return mode !== "allow";
+    }
+
+    // Only block outgoing requests if the mode is "block"
+    return mode === "block";
+  }
 }

library/sinks/Fetch.test.ts

@@ -90,14 +90,14 @@ t.test(
     await fetch("http://app.aikido.dev");
 
     t.same(agent.getHostnames().asArray(), [
-      { hostname: "app.aikido.dev", port: 80, hits: 1 },
+      { hostname: "app.aikido.dev", port: 80, hits: 1, blockedHits: 0 },
     ]);
     agent.getHostnames().clear();
 
     await fetch(new URL("https://app.aikido.dev"));
 
     t.same(agent.getHostnames().asArray(), [
-      { hostname: "app.aikido.dev", port: 443, hits: 1 },
+      { hostname: "app.aikido.dev", port: 443, hits: 1, blockedHits: 0 },
     ]);
     agent.getHostnames().clear();
 
@@ -110,7 +110,7 @@ t.test(
     await fetch(new Request("https://app.aikido.dev"));
 
     t.same(agent.getHostnames().asArray(), [
-      { hostname: "app.aikido.dev", port: 443, hits: 1 },
+      { hostname: "app.aikido.dev", port: 443, hits: 1, blockedHits: 0 },
     ]);
 
     agent.getHostnames().clear();