Merge branch 'main' of github.com:AikidoSec/node-RASP into dont-shado…

…w-ports-in-hostnames * 'main' of github.com:AikidoSec/node-RASP: (484 commits) Fix linting Add unit tests for hono/context-storage Fix addHonoMiddleware types Upgrade mongodb in sample app Add comment about mongodb v6.10.0 Keep same order Use process.nextTick before wrapping Collection Fix lock files Add links to docs Update end2end/tests/node-red.test.js Update end2end/tests/node-red.test.js Add node-red e2e test Fix property definition fix: Do not use wrap helper for req handler Improve package.json Fix test Fix lint Fix lint Fix type import Test express v4 and v5 ...
AikidoSec · Dec 6, 2024 · 29736ee · 29736ee
2 parents f5ec025 + 72b4f80
commit 29736ee
Show file tree

Hide file tree

Showing 464 changed files with 87,083 additions and 17,775 deletions.
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -1,4 +1,4 @@
-# Contributing to Aikido Security's firewall for Node.js
+# Contributing to Zen by Aikido for Node.js
 
 First off, thanks for taking the time to contribute! ❤️
 

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -1,6 +1,6 @@
 # Reporting Security Issues
 
-The Aikido team and community take security bugs in firewall seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+The Aikido team and community take security bugs in Zen seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
 
 To report a security issue, register on Intigriti and navigate to https://app.intigriti.com/researcher/programs/aikido/aikidoruntime.
 

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -21,7 +21,7 @@ jobs:
           "POSTGRES_DB": "main_db"
         ports:
           - "27016:5432"
-    timeout-minutes: 5
+    timeout-minutes: 10
     strategy:
       matrix:
         node-version: [18.x]
@@ -33,13 +33,21 @@ jobs:
           node-version: ${{ matrix.node-version }}
       - name: Install K6
         uses: grafana/setup-k6-action@v1
+      - name: Install wrk
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y wrk
       - run: make install
       - run: make build
       - name: Run NoSQL Injection Benchmark
-        run: cd benchmarks/nosql-injection && AIKIDO_CI=true node benchmark.js
+        run: cd benchmarks/nosql-injection && AIKIDO_CI=true node --preserve-symlinks benchmark.js
       - name: Run SQL Injection Benchmark
-        run: cd benchmarks/sql-injection && node benchmark.js
+        run: cd benchmarks/sql-injection && node --preserve-symlinks benchmark.js
       - name: Run shell injection Benchmark
-        run: cd benchmarks/shell-injection && node benchmark.js
+        run: cd benchmarks/shell-injection && node --preserve-symlinks benchmark.js
       - name: Run Hono with Postgres Benchmark
-        run: cd benchmarks/hono-pg && node benchmark.js
+        run: cd benchmarks/hono-pg && node --preserve-symlinks benchmark.js
+      - name: Run API Discovery Benchmark
+        run: cd benchmarks/api-discovery && node --preserve-symlinks benchmark.js
+      - name: Run Express Benchmark
+        run: cd benchmarks/express && node --preserve-symlinks benchmark.js
diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
@@ -26,13 +26,25 @@ jobs:
           node-version: "18.x"
           registry-url: "https://registry.npmjs.org"
           scope: "@aikidosec"
-      - run: make install
+      - name: Install dependencies
+        run: make install
       - name: Get the version
         id: get_version
-        run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//}
-      - run: cd library && npm --no-git-tag-version version ${{ steps.get_version.outputs.tag }}
-      - run: make build
-      - run: make lint
-      - run: cd build && npm publish --provenance --access public
+        run: echo "tag=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
+      - name: Set the version
+        run: cd library && npm --no-git-tag-version version ${{ steps.get_version.outputs.tag }}
+      - name: Build the library
+        run: make build
+      - name: Linting
+        run: make lint
+      - name: Publish to NPM
+        run: |
+          if [ "${{ github.event.release.prerelease }}" = "true" ]; then
+            echo "Publishing beta version ${{ steps.get_version.outputs.tag }} to NPM"
+            cd build && npm publish --provenance --access public --tag beta
+          else
+            echo "Publishing version ${{ steps.get_version.outputs.tag }} to NPM"
+            cd build && npm publish --provenance --access public
+          fi
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
diff --git a/.github/workflows/end-to-end-tests.yml b/.github/workflows/end-to-end-tests.yml
@@ -29,7 +29,23 @@ jobs:
         options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=5 -e MYSQL_ROOT_PASSWORD=mypassword -e MYSQL_DATABASE=catsdb --entrypoint sh mysql:8.0 -c "exec docker-entrypoint.sh mysqld --default-authentication-plugin=mysql_native_password"
         ports:
           - "27015:3306"
-    timeout-minutes: 5
+      mariadb:
+        image: mariadb:11
+        env:
+          MARIADB_ROOT_PASSWORD: mypassword
+          MARIADB_DATABASE: catsdb
+        ports:
+          - "27018:3306"
+      clickhouse:
+        image: clickhouse/clickhouse-server:24
+        env:
+          "CLICKHOUSE_USER": "clickhouse"
+          "CLICKHOUSE_PASSWORD": "clickhouse"
+          "CLICKHOUSE_DB": "main_db"
+          "CLICKHOUSE_DEFAULT_ACCESS": "MANAGEMENT=1"
+        ports:
+          - "27019:8123"
+    timeout-minutes: 10
     strategy:
       matrix:
         node-version: [18.x]
@@ -39,6 +55,12 @@ jobs:
         uses: actions/setup-node@v2
         with:
           node-version: ${{ matrix.node-version }}
+      - name: Add local.aikido.io to /etc/hosts
+        run: |
+          sudo echo "127.0.0.1 local.aikido.io" | sudo tee -a /etc/hosts
+      - name: Build and run server
+        run: |
+          cd end2end/server && docker build -t server . && docker run -d -p 5874:3000 server
       - run: make install
       - run: make build
       - run: make end2end
diff --git a/.github/workflows/lint-code.yml b/.github/workflows/lint-code.yml
@@ -13,4 +13,5 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
       - run: make install
+      - run: make build
       - run: make lint
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
@@ -35,9 +35,26 @@ jobs:
         options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=5 -e MYSQL_ROOT_PASSWORD=mypassword -e MYSQL_DATABASE=catsdb --entrypoint sh mysql:8.0 -c "exec docker-entrypoint.sh mysqld --default-authentication-plugin=mysql_native_password"
         ports:
           - "27015:3306"
+      mariadb:
+        image: mariadb:11
+        env:
+          MARIADB_ROOT_PASSWORD: mypassword
+          MARIADB_DATABASE: catsdb
+        ports:
+          - "27018:3306"
+      clickhouse:
+        image: clickhouse/clickhouse-server:24
+        env:
+          "CLICKHOUSE_USER": "clickhouse"
+          "CLICKHOUSE_PASSWORD": "clickhouse"
+          "CLICKHOUSE_DB": "main_db"
+          "CLICKHOUSE_DEFAULT_ACCESS": "MANAGEMENT=1"
+        ports:
+          - "27019:8123"
     strategy:
+      fail-fast: false
       matrix:
-        node-version: [16.x, 18.x, 20.x, 22.x]
+        node-version: [16.x, 18.x, 20.x, 22.x, 23.x]
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
@@ -48,6 +65,7 @@ jobs:
         run: |
           sudo echo "127.0.0.1 local.aikido.io" | sudo tee -a /etc/hosts
       - run: make install
+      - run: make build
       - run: make test-ci
       - name: "Upload coverage"
         uses: codecov/[email protected]

diff --git a/LICENSE b/LICENSE
@@ -1,7 +1,7 @@
 This program is offered under a commercial and under the AGPL license.
 You can be released from the requirements of the AGPL license by purchasing
 a commercial license. Buying such a license is mandatory as soon as you
-develop commercial activities involving the Aikido Firewall software without
+develop commercial activities involving Zen by Aikido software without
 disclosing the source code of your own applications. These activities include
 but are not limited to: offering paid services to customers in a web application
 or shipping Aikido with a closed source product.

diff --git a/Makefile b/Makefile
@@ -1,3 +1,9 @@
+INTERNALS_VERSION = v0.1.31
+INTERNALS_URL = https://github.com/AikidoSec/zen-internals/releases/download/$(INTERNALS_VERSION)
+TARBALL = zen_internals.tgz
+CHECKSUM_FILE = zen_internals.tgz.sha256sum
+INTERNALS_DIR = library/internals
+
 .PHONY: containers
 containers:
 	cd sample-apps && docker-compose up -d --remove-orphans
@@ -62,6 +68,22 @@ lambda-mongodb-safe:
 nestjs-sentry:
 	cd sample-apps/nestjs-sentry && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true NODE_OPTIONS=--preserve-symlinks npm run start
 
+.PHONY: nestjs-fastify
+nestjs-fastify:
+	cd sample-apps/nestjs-fastify && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true NODE_OPTIONS=--preserve-symlinks npm run start
+
+.PHONY: fastify-mysql2
+fastify-mysql2:
+	cd sample-apps/fastify-mysql2 && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+
+.PHONY: koa-sqlite3
+koa-sqlite3:
+	cd sample-apps/koa-sqlite3 && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+
+.PHONY: fastify-clickhouse
+fastify-clickhouse:
+	cd sample-apps/fastify-clickhouse && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
+
 .PHONY: install
 install:
 	mkdir -p build
@@ -74,13 +96,25 @@ install:
 	node scripts/install.js
 
 .PHONY: build
-build:
+build: $(INTERNALS_DIR)/zen_internals.js
 	mkdir -p build
 	rm -r build
 	cd library && npm run build
 	cp README.md build/README.md
 	cp LICENSE build/LICENSE
 	cp library/package.json build/package.json
+	mkdir -p build/internals
+	cp $(INTERNALS_DIR)/zen_internals_bg.wasm build/internals/zen_internals_bg.wasm
+
+$(INTERNALS_DIR)/zen_internals.js: Makefile
+	curl -L $(INTERNALS_URL)/$(TARBALL) -o $(INTERNALS_DIR)/$(TARBALL)
+	curl -L $(INTERNALS_URL)/$(CHECKSUM_FILE) -o $(INTERNALS_DIR)/$(CHECKSUM_FILE)
+	cd $(INTERNALS_DIR) && sha256sum -c $(CHECKSUM_FILE)
+	tar -xzf $(INTERNALS_DIR)/$(TARBALL) -C $(INTERNALS_DIR)
+	touch $@
+	rm $(INTERNALS_DIR)/zen_internals.d.ts
+	rm $(INTERNALS_DIR)/$(TARBALL)
+	rm $(INTERNALS_DIR)/$(CHECKSUM_FILE)
 
 .PHONY: watch
 watch: build
@@ -107,3 +141,5 @@ benchmark: build
 	cd benchmarks/shell-injection && node --preserve-symlinks benchmark.js
 	cd benchmarks/sql-injection && node --preserve-symlinks benchmark.js
 	cd benchmarks/hono-pg && node --preserve-symlinks benchmark.js
+	cd benchmarks/api-discovery && node --preserve-symlinks benchmark.js
+	cd benchmarks/express && node --preserve-symlinks benchmark.js
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
-![Aikido Firewall for Node.js](./docs/banner.svg)
+![Zen by Aikido for Node.js](./docs/banner.svg)
 
-# Aikido Firewall for Node.js
+# Zen, in-app firewall for Node.js | by Aikido
 
 [![NPM Version](https://img.shields.io/npm/v/%40aikidosec%2Ffirewall?style=flat-square)](https://www.npmjs.com/package/@aikidosec/firewall) 
 [![Codecov](https://img.shields.io/codecov/c/github/AikidoSec/firewall-node?style=flat-square&token=AJK9LU35GY)](https://app.codecov.io/gh/aikidosec/firewall-node) 
@@ -9,39 +9,43 @@
 [![Unit tests](https://github.com/AikidoSec/firewall-node/actions/workflows/unit-test.yml/badge.svg)](https://github.com/AikidoSec/firewall-node/actions/workflows/unit-test.yml) 
 [![End to end tests](https://github.com/AikidoSec/firewall-node/actions/workflows/end-to-end-tests.yml/badge.svg)](https://github.com/AikidoSec/firewall-node/actions/workflows/end-to-end-tests.yml) 
 
-Aikido Firewall is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks.
+Zen, your in-app firewall for peace of mind– at runtime.
+
+Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks.
 
 It protects your Node.js apps by preventing user input containing dangerous strings, which allow injection, pollution, and path traversal attacks. It runs on the same server as your Node.js app for simple [installation](#installation) and zero maintenance.
 
 ## Features
 
-Firewall autonomously protects your Node.js applications against:
+Zen will autonomously protect your Node.js applications against:
 
 * 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities)
-* 🛡️ [SQL injection attacks]([https://www.aikido.dev/blog/web-application-security-vulnerabilities](https://owasp.org/www-community/attacks/SQL_Injection))
+* 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
 * 🛡️ [Command injection attacks](https://owasp.org/www-community/attacks/Command_Injection)
 * 🛡️ [Prototype pollution](./docs/prototype-pollution.md)
 * 🛡️ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)
 * 🛡️ [Server-side request forgery (SSRF)](./docs/ssrf.md)
 
-Firewall operates autonomously on the same server as your Node.js app to:
+Zen operates autonomously on the same server as your Node.js app to:
 
 * ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost.
 * ✅ Rate limit specific API endpoints by IP or by user
 * ✅ Allow you to block specific users manually
 
 ## Supported libraries and frameworks
 
-Aikido Firewall for Node.js 16+ is compatible with:
+Zen for Node.js 16+ is compatible with:
 
 ### Web frameworks
 
-* ✅ [Express](docs/express.md) 4.x
+* ✅ [Express](docs/express.md) 4.x, 5.x
 * ✅ [Hono](docs/hono.md) 4.x
 * ✅ [hapi](docs/hapi.md) 21.x
 * ✅ [micro](docs/micro.md) 10.x
 * ✅ [Next.js](docs/next.md) 12.x, 13.x and 14.x
-* ✅ Fastify (upcoming)
+* ✅ [Fastify](docs/fastify.md) 4.x and 5.x
+* ✅ [Koa](docs/koa.md) 2.x
+* ✅ [NestJS](docs/nestjs.md) 10.x
 
 ### Database drivers
 
@@ -50,9 +54,12 @@ Aikido Firewall for Node.js 16+ is compatible with:
 * ✅ [`pg`](https://www.npmjs.com/package/pg) 8.x and 7.x
 * ✅ [`mysql`](https://www.npmjs.com/package/mysql) 2.x
 * ✅ [`mysql2`](https://www.npmjs.com/package/mysql2) 3.x
+* ✅ [`mariadb`](https://www.npmjs.com/package/mariadb) 3.x
 * ✅ [`sqlite3`](https://www.npmjs.com/package/sqlite3) 5.x
 * ✅ [`node:sqlite`](https://nodejs.org/api/sqlite.html)
 * ✅ [`better-sqlite3`](https://www.npmjs.com/package/better-sqlite3) 11.x, 10.x, 9.x and 8.x
+* ✅ [`postgres`](https://www.npmjs.com/package/postgres) 3.x
+* ✅ [`@clickhouse/client`](https://www.npmjs.com/package/@clickhouse/client) 1.x
 
 ### Cloud providers
 
@@ -85,9 +92,14 @@ See list above for supported database drivers.
 
 * ✅ [`ShellJS`](https://www.npmjs.com/package/shelljs) 0.8.x, 0.7.x
 
+### Routers
+
+* ✅ [`@koa/router`](https://www.npmjs.com/package/@koa/router) 13.x, 12.x, 11.x and 10.x
+
+
 ## Installation
 
-We recommend you test Aikido's Firewall on local or staging first before moving to production.
+We recommend testing Zen locally or on staging before deploying to production.
 
 ```shell
 # The --save-exact makes sure that you don't automatically install a newer version
@@ -99,22 +111,33 @@ $ yarn add --exact @aikidosec/firewall
 
 For framework- and provider- specific instructions, check out our docs:
 
-- [Express.js-based apps](docs/express.md)
+- [Express](docs/express.md)
+- [Fastify](docs/fastify.md)
+- [Hapi](docs/hapi.md)
+- [Koa](docs/koa.md)
+- [Hono](docs/hono.md)
+- [NestJS](docs/nestjs.md)
+- [micro](docs/micro.md)
+- [Next.js](docs/next.md)
 - [AWS Lambda](docs/lambda.md)
 - [Google Cloud Functions](docs/cloud-functions.md)
 - [Google Cloud Pub/Sub](docs/pubsub.md)
 
 ## Reporting to your Aikido Security dashboard
 
-> Aikido Security is a developer-first software security platform. We scan your source code & cloud to show you which vulnerabilities are actually important.
+> Aikido is your no nonsense application security platform. One central system that scans your source code & cloud, shows you what vulnerabilities matter, and how to fix them - fast. So you can get back to building.
+
+Zen is a new product by Aikido. Built for developers to level up their security. While Aikido scans, get Zen for always-on protection.
+
+You can use some of Zen’s features without Aikido, of course. Peace of mind is just a few lines of code away.
 
-You can use some of Firewalls's features without Aikido, but you will get the most value by reporting your data to Aikido.
+But you will get the most value by reporting your data to Aikido.
 
 You will need an Aikido account and a token to report events to Aikido. If you don't have an account, you can [sign up for free](https://app.aikido.dev/login).
 
 Here's how:
 * [Log in to your Aikido account](https://app.aikido.dev/login).
-* Go to [Firewall](https://app.aikido.dev/runtime/services).
+* Go to [Zen](https://app.aikido.dev/runtime/services).
 * Go to apps.
 * Click on **Add app**.
 * Choose a name for your app.
@@ -124,9 +147,9 @@ Here's how:
 
 ## Running in production (blocking) mode
 
-By default, Firewall will only detect and report attacks to Aikido.
+By default, Zen will only detect and report attacks to Aikido.
 
-To block requests, set the `AIKIDO_BLOCKING` environment variable to `true`.
+To block requests, set the `AIKIDO_BLOCK` environment variable to `true`.
 
 See [Reporting to Aikido](#reporting-to-your-aikido-security-dashboard) to learn how to send events to Aikido.
 
@@ -135,19 +158,19 @@ See [Reporting to Aikido](#reporting-to-your-aikido-security-dashboard) to learn
 This program is offered under a commercial and under the AGPL license.
 You can be released from the requirements of the AGPL license by purchasing
 a commercial license. Buying such a license is mandatory as soon as you
-develop commercial activities involving the Aikido Firewall software without
+develop commercial activities involving the Zen software without
 disclosing the source code of your own applications. 
 
 For more information, please contact Aikido Security at this
 address: [email protected] or create an account at https://app.aikido.dev.
 
 ## Performance
 
-We run a benchmark on every commit to ensure Firewall has a minimal impact on your application's performance.
+We run a benchmark on every commit to ensure Zen has a minimal impact on your application's performance.
 
-The benchmark runs [a simple MongoDB query](benchmarks/nosql-injection/getUser.js) to measure the difference between two runs with and without Firewall:
+The benchmark runs [a simple MongoDB query](benchmarks/nosql-injection/getUser.js) to measure the difference between two runs with and without Zen:
 
-| Without Firewall | With Firewall | Difference in ms |
+| Without Zen      | With Zen      | Difference in ms |
 |------------------|---------------|------------------|
 | 0.214ms          | 0.222ms       | +0.008ms         |