AikidoSec · willem-delbare · Feb 11, 2025 · Feb 11, 2025
diff --git a/library/agent/ServiceConfig.test.ts b/library/agent/ServiceConfig.test.ts
@@ -5,7 +5,7 @@ t.test("it returns false if empty rules", async () => {
   const config = new ServiceConfig([], 0, [], [], false, []);
   t.same(config.getLastUpdatedAt(), 0);
   t.same(config.isUserBlocked("id"), false);
-  t.same(config.isAllowedIP("1.2.3.4"), false);
+  t.same(config.isBypassedIP("1.2.3.4"), false);
   t.same(
     config.getEndpoints({
       url: undefined,
@@ -80,10 +80,10 @@ t.test("it works", async () => {
   );
 });
 
-t.test("it checks if IP is allowed", async () => {
+t.test("it checks if IP is bypassed", async () => {
   const config = new ServiceConfig([], 0, [], ["1.2.3.4"], false, []);
-  t.same(config.isAllowedIP("1.2.3.4"), true);
-  t.same(config.isAllowedIP("1.2.3.5"), false);
+  t.same(config.isBypassedIP("1.2.3.4"), true);
+  t.same(config.isBypassedIP("1.2.3.5"), false);
 });
 
 t.test("ip blocking works", async () => {

diff --git a/library/agent/ServiceConfig.ts b/library/agent/ServiceConfig.ts
@@ -5,7 +5,7 @@ import { Blocklist as BlocklistType } from "./api/fetchBlockedLists";
 
 export class ServiceConfig {
   private blockedUserIds: Map<string, string> = new Map();
-  private allowedIPAddresses: Map<string, string> = new Map();
+  private bypassedIPAddresses: Set<string> = new Set();
   private nonGraphQLEndpoints: Endpoint[] = [];
   private graphqlFields: Endpoint[] = [];
   private blockedIPAddresses: { blocklist: IPMatcher; description: string }[] =
@@ -16,12 +16,12 @@ export class ServiceConfig {
     endpoints: Endpoint[],
     private lastUpdatedAt: number,
     blockedUserIds: string[],
-    allowedIPAddresses: string[],
+    bypassedIPAddresses: string[],
     private receivedAnyStats: boolean,
     blockedIPAddresses: BlocklistType[]
   ) {
     this.setBlockedUserIds(blockedUserIds);
-    this.setAllowedIPAddresses(allowedIPAddresses);
+    this.setBypassedIPAddresses(bypassedIPAddresses);
     this.setEndpoints(endpoints);
     this.setBlockedIPAddresses(blockedIPAddresses);
   }
@@ -60,15 +60,15 @@ export class ServiceConfig {
     return endpoints.length > 0 ? endpoints[0] : undefined;
   }
 
-  private setAllowedIPAddresses(allowedIPAddresses: string[]) {
-    this.allowedIPAddresses = new Map();
-    allowedIPAddresses.forEach((ip) => {
-      this.allowedIPAddresses.set(ip, ip);
+  private setBypassedIPAddresses(ipAddresses: string[]) {
+    this.bypassedIPAddresses = new Set();
+    ipAddresses.forEach((ip) => {
+      this.bypassedIPAddresses.add(ip);
     });
   }
 
-  isAllowedIP(ip: string) {
-    return this.allowedIPAddresses.has(ip);
+  isBypassedIP(ip: string) {
+    return this.bypassedIPAddresses.has(ip);
   }
 
   private setBlockedUserIds(blockedUserIds: string[]) {
@@ -130,12 +130,12 @@ export class ServiceConfig {
     endpoints: Endpoint[],
     lastUpdatedAt: number,
     blockedUserIds: string[],
-    allowedIPAddresses: string[],
+    bypassedIPAddresses: string[],
     hasReceivedAnyStats: boolean
   ) {
     this.setEndpoints(endpoints);
     this.setBlockedUserIds(blockedUserIds);
-    this.setAllowedIPAddresses(allowedIPAddresses);
+    this.setBypassedIPAddresses(bypassedIPAddresses);
     this.lastUpdatedAt = lastUpdatedAt;
     this.receivedAnyStats = hasReceivedAnyStats;
   }

diff --git a/library/agent/hooks/onInspectionInterceptorResult.ts b/library/agent/hooks/onInspectionInterceptorResult.ts
@@ -27,12 +27,12 @@ export function onInspectionInterceptorResult(
     withoutContext: !context,
   });
 
-  const isAllowedIP =
+  const isBypassedIP =
     context &&
     context.remoteAddress &&
-    agent.getConfig().isAllowedIP(context.remoteAddress);
+    agent.getConfig().isBypassedIP(context.remoteAddress);
 
-  if (result && context && !isAllowedIP) {
+  if (result && context && !isBypassedIP) {
     // Flag request as having an attack detected
     updateContext(context, "attackDetected", true);
 

diff --git a/library/ratelimiting/shouldRateLimitRequest.ts b/library/ratelimiting/shouldRateLimitRequest.ts
@@ -47,11 +47,11 @@ export function shouldRateLimitRequest(
     isProduction;
 
   // Allow requests from allowed IPs, e.g. never rate limit office IPs
-  const isAllowedIP =
+  const isBypassedIP =
     context.remoteAddress &&
-    agent.getConfig().isAllowedIP(context.remoteAddress);
+    agent.getConfig().isBypassedIP(context.remoteAddress);
 
-  if (isFromLocalhostInProduction || isAllowedIP) {
+  if (isFromLocalhostInProduction || isBypassedIP) {
     return { block: false };
   }
 

diff --git a/library/sinks/undici/wrapDispatch.ts b/library/sinks/undici/wrapDispatch.ts
@@ -82,12 +82,12 @@ export function wrapDispatch(orig: Dispatch, agent: Agent): Dispatch {
  * Checks if it's a redirect to a private IP that originates from a user input and blocks it if it is.
  */
 function blockRedirectToPrivateIP(url: URL, context: Context, agent: Agent) {
-  const isAllowedIP =
+  const isBypassedIP =
     context &&
     context.remoteAddress &&
-    agent.getConfig().isAllowedIP(context.remoteAddress);
+    agent.getConfig().isBypassedIP(context.remoteAddress);
 
-  if (isAllowedIP) {
+  if (isBypassedIP) {
     // If the IP address is allowed, we don't need to block the request
     return;
   }

diff --git a/library/sources/graphql/shouldRateLimitOperation.ts b/library/sources/graphql/shouldRateLimitOperation.ts
@@ -45,8 +45,8 @@ export function shouldRateLimitOperation(
     : false;
 
   // Allow requests from allowed IPs, e.g. never rate limit office IPs
-  const isAllowedIP = context.remoteAddress
-    ? agent.getConfig().isAllowedIP(context.remoteAddress)
+  const isBypassedIP = context.remoteAddress
+    ? agent.getConfig().isBypassedIP(context.remoteAddress)
     : false;
 
   for (const field of topLevelFields.fields) {
@@ -56,7 +56,7 @@ export function shouldRateLimitOperation(
       field,
       topLevelFields.type,
       isFromLocalhostInProduction,
-      isAllowedIP
+      isBypassedIP
     );
 
     if (result.block) {
@@ -74,7 +74,7 @@ function shouldRateLimitField(
   field: FieldNode,
   operationType: "query" | "mutation",
   isFromLocalhostInProduction: boolean,
-  isAllowedIP: boolean
+  isBypassedIP: boolean
 ): Result {
   const match = agent
     .getConfig()
@@ -94,7 +94,7 @@ function shouldRateLimitField(
     return { block: false };
   }
 
-  if (context.remoteAddress && !isFromLocalhostInProduction && !isAllowedIP) {
+  if (context.remoteAddress && !isFromLocalhostInProduction && !isBypassedIP) {
     const allowed = agent
       .getRateLimiter()
       .isAllowed(

diff --git a/library/sources/http-server/checkIfRequestIsBlocked.ts b/library/sources/http-server/checkIfRequestIsBlocked.ts
@@ -40,11 +40,11 @@ export function checkIfRequestIsBlocked(
     return true;
   }
 
-  const isAllowedIP =
+  const isBypassedIP =
     context.remoteAddress &&
-    agent.getConfig().isAllowedIP(context.remoteAddress);
+    agent.getConfig().isBypassedIP(context.remoteAddress);
 
-  if (isAllowedIP) {
+  if (isBypassedIP) {
     return false;
   }
 

diff --git a/library/vulnerabilities/ssrf/inspectDNSLookupCalls.ts b/library/vulnerabilities/ssrf/inspectDNSLookupCalls.ts
@@ -179,12 +179,12 @@ function wrapDNSLookupCallback(
       return callback(err, addresses, family);
     }
 
-    const isAllowedIP =
+    const isBypassedIP =
       context &&
       context.remoteAddress &&
-      agent.getConfig().isAllowedIP(context.remoteAddress);
+      agent.getConfig().isBypassedIP(context.remoteAddress);
 
-    if (isAllowedIP) {
+    if (isBypassedIP) {
       // If the IP address is allowed, we don't need to block the request
       // Just call the original callback to allow the DNS lookup
       return callback(err, addresses, family);