Merge branch 'esbuild' of github.com:AikidoSec/node-RASP into esbuild
* 'esbuild' of github.com:AikidoSec/node-RASP:
  Update docs/esbuild.md
  Update docs/esbuild.md
hansott committed Nov 28, 2024
2 parents f05b5f0 + 04d411a commit 7f719c9
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions docs/esbuild.md
Expand Up @@ -28,8 +28,8 @@ This tells esbuild to exclude @aikidosec/firewall and any packages that Zen hook

Zen works by intercepting `require()` calls that a Node.js application makes when loading modules. This includes modules that are built-in to Node.js, like the `fs` module for accessing the filesystem, as well as modules installed from the NPM registry, like the `pg` database module.

Bundlers crawl all of the `require()` calls that an application makes to files on disk. It replaces the `require()` calls with custom code and combines all the resulting JavaScript into one "bundled" file. When a built-in module is loaded, such as `require('fs')`, that call can then remain the same in the resulting bundle.
Bundlers like esbuild crawl all of the `require()` calls that an application makes to files on disk. It replaces the `require()` calls with custom code and combines all the resulting JavaScript into one "bundled" file. When a built-in module is loaded, such as `require('fs')`, that call can then remain the same in the resulting bundle.

Zen stops working at this point. Zen can continue to intercept the calls for built-in modules but don't intercept calls to third party libraries. This means that when you bundle a Zen app with a bundler Zen is likely to capture information about disk access (through `fs`) and outbound HTTP requests (through `http`), but omit calls to third party libraries.
Zen can continue to intercept the calls for built-in modules but cannot intercept calls to third party libraries under those conditions. This means that when you bundle a Zen app with a bundler Zen is likely to capture information about disk access (through `fs`) and outbound HTTP requests (through `http`), but omit calls to third party libraries.

The solution is to treat all third party modules that Zen needs to instrument as being "external" to the bundler. With this setting the instrumented modules remain on disk and continue to be loaded with `require()` while the non-instrumented modules are bundled.
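
Review bot: The rewritten "Bundlers like esbuild crawl ..." line keeps a plural subject but the next sentence still reads "It replaces the `require()` calls", so the pronoun does not agree; suggest "They replace the `require()` calls with custom code and combine ...". In the rewritten "Zen can continue to intercept ..." line, "under those conditions" has no clear referent now that "Zen stops working at this point." is gone; naming the condition directly (for example "once the application is bundled") would read better. The same line needs a comma in "with a bundler Zen is likely", and "third party libraries" should be hyphenated as "third-party libraries" in both places it appears.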
