Merge branch 'main' of github.com:AikidoSec/node-RASP into drop-compressed-timings

* 'main' of github.com:AikidoSec/node-RASP: (85 commits)
  Rename variable to make it more clear
  Remove redundant methods
  Improve comment
  Remove `isMonitoredIPAddress`
  Use userAgent variable
  Iterate through monitored IP lists only once
  Add comment about empty string and regexp
  Refactor safeCreateRegExp to its own file
  Fix end2end test
  Fix missing imports
  Format file
  Add end2end test to ensure monitored IPs and user agents are never blocked
  Fix tests
  Adapt to new firewall/lists API
  Revert "Revert "Merge pull request #505 from AikidoSec/request-stats""
  Revert "Merge pull request #505 from AikidoSec/request-stats"
  Always include items key for arrays in data schema
  Fix test
  Set symbol to true and add comment
  Prevent double counting monitored lists
  ...

Author: hansott

end2end/server/src/handlers/lists.js

@@ -2,6 +2,9 @@ const {
   getBlockedIPAddresses,
   getBlockedUserAgents,
   getAllowedIPAddresses,
+  getMonitoredUserAgents,
+  getMonitoredIPAddresses,
+  getUserAgentDetails,
 } = require("../zen/config");
 
 module.exports = function lists(req, res) {
@@ -12,6 +15,9 @@ module.exports = function lists(req, res) {
   const blockedIps = getBlockedIPAddresses(req.app);
   const blockedUserAgents = getBlockedUserAgents(req.app);
   const allowedIps = getAllowedIPAddresses(req.app);
+  const monitoredUserAgents = getMonitoredUserAgents(req.app);
+  const monitoredIps = getMonitoredIPAddresses(req.app);
+  const userAgentDetails = getUserAgentDetails(req.app);
 
   res.json({
     success: true,
@@ -20,22 +26,37 @@ module.exports = function lists(req, res) {
       blockedIps.length > 0
         ? [
             {
+              key: "geoip/Belgium;BE",
               source: "geoip",
               description: "geo restrictions",
               ips: blockedIps,
             },
           ]
         : [],
     blockedUserAgents: blockedUserAgents,
+    monitoredUserAgents: monitoredUserAgents,
+    userAgentDetails: userAgentDetails,
     allowedIPAddresses:
       allowedIps.length > 0
         ? [
             {
+              key: "geoip/Belgium;BE",
               source: "geoip",
               description: "geo restrictions",
               ips: allowedIps,
             },
           ]
         : [],
+    monitoredIPAddresses:
+      monitoredIps.length > 0
+        ? monitoredIps
+        : [
+            {
+              key: "geoip/Belgium;BE",
+              source: "geoip",
+              description: "geo restrictions",
+              ips: monitoredIps,
+            },
+          ],
   });
 };

end2end/server/src/handlers/updateLists.js

@@ -2,6 +2,9 @@ const {
   updateBlockedIPAddresses,
   updateBlockedUserAgents,
   updateAllowedIPAddresses,
+  updateMonitoredUserAgents,
+  updateMonitoredIPAddresses,
+  updateUserAgentDetails,
 } = require("../zen/config");
 
 module.exports = function updateIPLists(req, res) {
@@ -46,5 +49,26 @@ module.exports = function updateIPLists(req, res) {
     updateAllowedIPAddresses(req.app, req.body.allowedIPAddresses);
   }
 
+  if (
+    req.body.monitoredUserAgents &&
+    typeof req.body.monitoredUserAgents === "string"
+  ) {
+    updateMonitoredUserAgents(req.app, req.body.monitoredUserAgents);
+  }
+
+  if (
+    req.body.monitoredIPAddresses &&
+    Array.isArray(req.body.monitoredIPAddresses)
+  ) {
+    updateMonitoredIPAddresses(req.app, req.body.monitoredIPAddresses);
+  }
+
+  if (
+    req.body.userAgentDetails &&
+    Array.isArray(req.body.userAgentDetails)
+  ) {
+    updateUserAgentDetails(req.app, req.body.userAgentDetails);
+  }
+
   res.json({ success: true });
 };

end2end/server/src/zen/config.js

@@ -40,6 +40,9 @@ function updateAppConfig(app, newConfig) {
 const blockedIPAddresses = [];
 const blockedUserAgents = [];
 const allowedIPAddresses = [];
+const monitoredUserAgents = [];
+const monitoredIPAddresses = [];
+const userAgentDetails = [];
 
 function updateBlockedIPAddresses(app, ips) {
   let entry = blockedIPAddresses.find((ip) => ip.serviceId === app.serviceId);
@@ -90,7 +93,7 @@ function getAllowedIPAddresses(app) {
 }
 
 function updateBlockedUserAgents(app, uas) {
-  let entry = blockedUserAgents.find((e) => e.serviceId === e.serviceId);
+  let entry = blockedUserAgents.find((e) => e.serviceId === app.serviceId);
 
   if (entry) {
     entry.userAgents = uas;
@@ -104,7 +107,7 @@ function updateBlockedUserAgents(app, uas) {
 }
 
 function getBlockedUserAgents(app) {
-  const entry = blockedUserAgents.find((e) => e.serviceId === e.serviceId);
+  const entry = blockedUserAgents.find((e) => e.serviceId === app.serviceId);
 
   if (entry) {
     return entry.userAgents;
@@ -113,6 +116,78 @@ function getBlockedUserAgents(app) {
   return "";
 }
 
+function updateMonitoredUserAgents(app, uas) {
+  let entry = monitoredUserAgents.find((e) => e.serviceId === app.serviceId);
+
+  if (entry) {
+    entry.userAgents = uas;
+  } else {
+    entry = { serviceId: app.serviceId, userAgents: uas };
+    monitoredUserAgents.push(entry);
+  }
+
+  // Bump lastUpdatedAt
+  updateAppConfig(app, {});
+}
+
+function getMonitoredUserAgents(app) {
+  const entry = monitoredUserAgents.find((e) => e.serviceId === app.serviceId);
+
+  if (entry) {
+    return entry.userAgents;
+  }
+
+  return "";
+}
+
+function updateMonitoredIPAddresses(app, ips) {
+  let entry = monitoredIPAddresses.find((e) => e.serviceId === app.serviceId);
+
+  if (entry) {
+    entry.ipAddresses = ips;
+  } else {
+    entry = { serviceId: app.serviceId, ipAddresses: ips };
+    monitoredIPAddresses.push(entry);
+  }
+
+  // Bump lastUpdatedAt
+  updateAppConfig(app, {});
+}
+
+function getMonitoredIPAddresses(app) {
+  const entry = monitoredIPAddresses.find((e) => e.serviceId === app.serviceId);
+
+  if (entry) {
+    return entry.ipAddresses;
+  }
+
+  return [];
+}
+
+function updateUserAgentDetails(app, uas) {
+  let entry = userAgentDetails.find((e) => e.serviceId === app.serviceId);
+
+  if (entry) {
+    entry.userAgents = uas;
+  } else {
+    entry = { serviceId: app.serviceId, userAgents: uas };
+    userAgentDetails.push(entry);
+  }
+
+  // Bump lastUpdatedAt
+  updateAppConfig(app, {});
+}
+
+function getUserAgentDetails(app) {
+  const entry = userAgentDetails.find((e) => e.serviceId === app.serviceId);
+
+  if (entry) {
+    return entry.userAgents;
+  }
+
+  return [];
+}
+
 module.exports = {
   getAppConfig,
   updateAppConfig,
@@ -122,4 +197,10 @@ module.exports = {
   getBlockedUserAgents,
   getAllowedIPAddresses,
   updateAllowedIPAddresses,
+  updateMonitoredUserAgents,
+  getMonitoredUserAgents,
+  updateMonitoredIPAddresses,
+  getMonitoredIPAddresses,
+  updateUserAgentDetails,
+  getUserAgentDetails,
 };

end2end/tests/hono-xml-monitored-lists.test.js

@@ -0,0 +1,151 @@
+const t = require("tap");
+const { spawn } = require("child_process");
+const { resolve } = require("path");
+const timeout = require("../timeout");
+
+const pathToApp = resolve(__dirname, "../../sample-apps/hono-xml", "app.js");
+const testServerUrl = "http://localhost:5874";
+
+let token;
+t.beforeEach(async () => {
+  const response = await fetch(`${testServerUrl}/api/runtime/apps`, {
+    method: "POST",
+  });
+  const body = await response.json();
+  token = body.token;
+
+  const lists = await fetch(`${testServerUrl}/api/runtime/firewall/lists`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: token,
+    },
+    body: JSON.stringify({
+      blockedIPAddresses: [],
+      monitoredIPAddresses: ["1.3.2.0/24", "e98c:a7ba:2329:8c69::/64"],
+      monitoredUserAgents: "monitored-bot",
+      userAgentDetails: [
+        {
+          key: "monitored-bot",
+          pattern: "monitored-bot",
+        },
+      ],
+    }),
+  });
+  t.same(lists.status, 200);
+});
+
+t.test("it does not block monitored IPs", (t) => {
+  const server = spawn(`node`, [pathToApp, "4005"], {
+    env: {
+      ...process.env,
+      AIKIDO_DEBUG: "true",
+      AIKIDO_BLOCKING: "true",
+      AIKIDO_TOKEN: token,
+      AIKIDO_ENDPOINT: testServerUrl,
+    },
+  });
+
+  server.on("close", () => {
+    t.end();
+  });
+
+  server.on("error", (err) => {
+    t.fail(err);
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+
+  // Wait for the server to start
+  timeout(2000)
+    .then(async () => {
+      // Test IPv4 monitoring
+      const resp1 = await fetch("http://127.0.0.1:4005/add", {
+        method: "POST",
+        body: "<cat><name>Njuska</name></cat>",
+        headers: {
+          "Content-Type": "application/xml",
+          "X-Forwarded-For": "1.3.2.4",
+        },
+        signal: AbortSignal.timeout(5000),
+      });
+      t.same(resp1.status, 200);
+      t.same(await resp1.text(), JSON.stringify({ success: true }));
+
+      // Test IPv6 monitoring
+      const resp2 = await fetch("http://127.0.0.1:4005/add", {
+        method: "POST",
+        body: "<cat><name>Harry</name></cat>",
+        headers: {
+          "Content-Type": "application/xml",
+          "X-Forwarded-For": "e98c:a7ba:2329:8c69:a13a:8aff:a932:13f2",
+        },
+        signal: AbortSignal.timeout(5000),
+      });
+      t.same(resp2.status, 200);
+      t.same(await resp2.text(), JSON.stringify({ success: true }));
+    })
+    .catch((error) => {
+      t.fail(error);
+    })
+    .finally(() => {
+      server.kill();
+    });
+});
+
+t.test("it does not block monitored user agents", (t) => {
+  const server = spawn(`node`, [pathToApp, "4006"], {
+    env: {
+      ...process.env,
+      AIKIDO_DEBUG: "true",
+      AIKIDO_BLOCKING: "true",
+      AIKIDO_TOKEN: token,
+      AIKIDO_ENDPOINT: testServerUrl,
+    },
+  });
+
+  server.on("close", () => {
+    t.end();
+  });
+
+  server.on("error", (err) => {
+    t.fail(err);
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+
+  // Wait for the server to start
+  timeout(2000)
+    .then(async () => {
+      // Test monitored user agent
+      const resp1 = await fetch("http://127.0.0.1:4006/", {
+        headers: {
+          "User-Agent": "monitored-bot",
+        },
+        signal: AbortSignal.timeout(5000),
+      });
+      t.same(resp1.status, 200);
+    })
+    .catch((error) => {
+      t.fail(error);
+    })
+    .finally(() => {
+      server.kill();
+    });
+});