Merge pull request #630 from AikidoSec/fix-protect-wrappers

Add missing AwsSDKVersion2 import

Author: hansott

library/agent/protect.test.ts

@@ -0,0 +1,75 @@
+import { readdir, readFile } from "fs/promises";
+import { join } from "path";
+import * as t from "tap";
+
+t.test("check that all sources and sinks are imported", async (t) => {
+  // -----
+
+  const skipCheckList = [
+    "Function", // Function sink is disabled for now because functionName.constructor === Function is false after patching global
+  ];
+
+  const noWrapperAllowList = ["Lambda"];
+
+  // -----
+
+  const sourceText = await readFile(join(__dirname, "protect.ts"), "utf-8");
+  const importDeclarations =
+    sourceText.match(/import\s+(?:[^'"]|\n)+?\s+from\s+['"][^'"]+['"]/g) || [];
+
+  const getWrappersFunctionContent =
+    sourceText
+      .match(/export function getWrappers\(\)\s*\{([\s\S]*?)^\}/m)?.[1]
+      ?.trim() ?? "";
+
+  const allSourceFiles = await readdir(join(__dirname, "../sources"), {
+    withFileTypes: true,
+  });
+
+  const allSinkFiles = await readdir(join(__dirname, "../sinks"), {
+    withFileTypes: true,
+  });
+
+  const allFiles = [...allSourceFiles, ...allSinkFiles]
+    .filter(
+      (file) =>
+        file.isFile() &&
+        file.name.endsWith(".ts") &&
+        !file.name.endsWith(".test.ts") &&
+        !file.name.endsWith(".tests.ts")
+    )
+    .map((file) => file.name.replace(/\.ts$/, ""));
+
+  for (const file of allFiles) {
+    if (skipCheckList.includes(file)) {
+      t.comment(`Skipping ${file} as it is in the allowlist.`);
+      continue;
+    }
+
+    const importDeclaration = importDeclarations.find(
+      (declaration) =>
+        declaration.includes(`"../sources/${file}"`) ||
+        declaration.includes(`"../sinks/${file}"`)
+    );
+
+    t.ok(
+      importDeclaration,
+      `Import for ${file} is missing in protect.ts: ${importDeclaration}`
+    );
+
+    if (noWrapperAllowList.includes(file)) {
+      t.comment(
+        `Skipping getWrappers check for ${file} as it is in the noWrapperAllowList.`
+      );
+      continue;
+    }
+
+    const includesInGetWrappers = getWrappersFunctionContent.includes(
+      `new ${file}()`
+    );
+    t.ok(
+      includesInGetWrappers,
+      `getWrappers function does not include ${file} in its return value`
+    );
+  }
+});

library/agent/protect.ts

@@ -39,7 +39,7 @@ import { SQLite3 } from "../sinks/SQLite3";
 import { XmlMinusJs } from "../sources/XmlMinusJs";
 import { Hapi } from "../sources/Hapi";
 import { Shelljs } from "../sinks/Shelljs";
-import { NodeSQLite } from "../sinks/NodeSqlite";
+import { NodeSQLite } from "../sinks/NodeSQLite";
 import { BetterSQLite3 } from "../sinks/BetterSQLite3";
 import { isDebugging } from "../helpers/isDebugging";
 import { shouldBlock } from "../helpers/shouldBlock";
@@ -48,6 +48,7 @@ import { Fastify } from "../sources/Fastify";
 import { Koa } from "../sources/Koa";
 import { ClickHouse } from "../sinks/ClickHouse";
 import { Prisma } from "../sinks/Prisma";
+import { AwsSDKVersion2 } from "../sinks/AwsSDKVersion2";
 
 function getLogger(): Logger {
   if (isDebugging()) {
@@ -141,6 +142,7 @@ export function getWrappers() {
     new ClickHouse(),
     new Prisma(),
     // new Function(), Disabled because functionName.constructor === Function is false after patching global
+    new AwsSDKVersion2(),
   ];
 }
 

library/sinks/NodeSQLite.test.ts

@@ -1,6 +1,6 @@
 import * as t from "tap";
 import { runWithContext, type Context } from "../agent/Context";
-import { NodeSQLite } from "./NodeSqlite";
+import { NodeSQLite } from "./NodeSQLite";
 import { isPackageInstalled } from "../helpers/isPackageInstalled";
 import { createTestAgent } from "../helpers/createTestAgent";
 

library/sinks/NodeSqlite.ts library/sinks/NodeSQLite.tslibrary/sinks/NodeSqlite.ts renamed to library/sinks/NodeSQLite.ts

@@ -108,99 +108,103 @@ export function createUndiciTests(undiciPkgName: string, port: number) {
         Agent: UndiciAgent,
       } = require(undiciPkgName) as typeof import("undici-v6");
 
-      await request("https://app.aikido.dev");
+      await request("https://ssrf-redirects.testssandbox.com");
       t.same(agent.getHostnames().asArray(), [
-        { hostname: "app.aikido.dev", port: 443, hits: 1 },
+        { hostname: "ssrf-redirects.testssandbox.com", port: 443, hits: 1 },
       ]);
       agent.getHostnames().clear();
 
-      await fetch("https://app.aikido.dev");
+      await fetch("https://ssrf-redirects.testssandbox.com");
       t.same(agent.getHostnames().asArray(), [
-        { hostname: "app.aikido.dev", port: 443, hits: 1 },
+        { hostname: "ssrf-redirects.testssandbox.com", port: 443, hits: 1 },
       ]);
       agent.getHostnames().clear();
 
       await request({
         protocol: "https:",
-        hostname: "app.aikido.dev",
+        hostname: "ssrf-redirects.testssandbox.com",
         port: 443,
       });
       t.same(agent.getHostnames().asArray(), [
-        { hostname: "app.aikido.dev", port: 443, hits: 1 },
+        { hostname: "ssrf-redirects.testssandbox.com", port: 443, hits: 1 },
       ]);
       agent.getHostnames().clear();
 
       await request({
         protocol: "https:",
-        hostname: "app.aikido.dev",
+        hostname: "ssrf-redirects.testssandbox.com",
         port: "443",
       });
       t.same(agent.getHostnames().asArray(), [
-        { hostname: "app.aikido.dev", port: "443", hits: 1 },
+        { hostname: "ssrf-redirects.testssandbox.com", port: "443", hits: 1 },
       ]);
       agent.getHostnames().clear();
 
       await request({
         protocol: "https:",
-        hostname: "app.aikido.dev",
+        hostname: "ssrf-redirects.testssandbox.com",
         port: undefined,
       });
       t.same(agent.getHostnames().asArray(), [
-        { hostname: "app.aikido.dev", port: 443, hits: 1 },
+        { hostname: "ssrf-redirects.testssandbox.com", port: 443, hits: 1 },
       ]);
       agent.getHostnames().clear();
 
       await request({
         protocol: "http:",
-        hostname: "app.aikido.dev",
+        hostname: "ssrf-redirects.testssandbox.com",
         port: undefined,
       });
       t.same(agent.getHostnames().asArray(), [
-        { hostname: "app.aikido.dev", port: 80, hits: 1 },
+        { hostname: "ssrf-redirects.testssandbox.com", port: 80, hits: 1 },
       ]);
       agent.getHostnames().clear();
 
       await request({
         protocol: "https:",
-        hostname: "app.aikido.dev",
+        hostname: "ssrf-redirects.testssandbox.com",
         port: "443",
       });
       t.same(agent.getHostnames().asArray(), [
-        { hostname: "app.aikido.dev", port: "443", hits: 1 },
+        { hostname: "ssrf-redirects.testssandbox.com", port: "443", hits: 1 },
       ]);
       agent.getHostnames().clear();
 
-      await request(new URL("https://app.aikido.dev"));
+      await request(new URL("https://ssrf-redirects.testssandbox.com"));
       t.same(agent.getHostnames().asArray(), [
-        { hostname: "app.aikido.dev", port: 443, hits: 1 },
+        { hostname: "ssrf-redirects.testssandbox.com", port: 443, hits: 1 },
       ]);
       agent.getHostnames().clear();
 
-      await request(require("url").parse("https://app.aikido.dev"));
+      await request(
+        require("url").parse("https://ssrf-redirects.testssandbox.com")
+      );
       t.same(agent.getHostnames().asArray(), [
-        { hostname: "app.aikido.dev", port: "443", hits: 1 },
+        { hostname: "ssrf-redirects.testssandbox.com", port: "443", hits: 1 },
       ]);
       agent.getHostnames().clear();
 
       await request({
-        origin: "https://app.aikido.dev",
+        origin: "https://ssrf-redirects.testssandbox.com",
       } as URL);
       t.same(agent.getHostnames().asArray(), [
-        { hostname: "app.aikido.dev", port: "443", hits: 1 },
+        { hostname: "ssrf-redirects.testssandbox.com", port: "443", hits: 1 },
       ]);
       agent.getHostnames().clear();
 
-      await request(require("url").parse("https://app.aikido.dev"));
+      await request(
+        require("url").parse("https://ssrf-redirects.testssandbox.com")
+      );
       t.same(agent.getHostnames().asArray(), [
-        { hostname: "app.aikido.dev", port: "443", hits: 1 },
+        { hostname: "ssrf-redirects.testssandbox.com", port: "443", hits: 1 },
       ]);
       agent.getHostnames().clear();
 
       await request({
-        origin: "https://app.aikido.dev",
+        origin: "https://ssrf-redirects.testssandbox.com",
       } as URL);
       t.same(agent.getHostnames().asArray(), [
-        { hostname: "app.aikido.dev", port: "443", hits: 1 },
+        { hostname: "ssrf-redirects.testssandbox.com", port: "443", hits: 1 },
       ]);
       agent.getHostnames().clear();