AikidoSec · hansott · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024
diff --git a/library/package-lock.json b/library/package-lock.json
diff --git a/library/package.json b/library/package.json
@@ -44,6 +44,8 @@
   "devDependencies": {
     "@clickhouse/client": "^1.7.0",
     "@fastify/cookie": "^10.0.0",
+    "@aws-sdk/client-s3": "^3.637.0",
+    "@aws-sdk/credential-providers": "^3.637.0",
     "@google-cloud/functions-framework": "^3.3.0",
     "@google-cloud/pubsub": "^4.3.3",
     "@graphql-tools/executor": "^1.3.2",

diff --git a/library/sinks/AwsSDKVersion3.test.ts b/library/sinks/AwsSDKVersion3.test.ts
@@ -0,0 +1,40 @@
+import { CreateBucketCommand, ListBucketsCommand } from "@aws-sdk/client-s3";
+import { fromEnv } from "@aws-sdk/credential-providers";
+import * as t from "tap";
+import { createTestAgent } from "../helpers/createTestAgent";
+import { HTTPRequest } from "./HTTPRequest";
+
+t.test("it works", async (t) => {
+  const agent = createTestAgent();
+
+  agent.start([new HTTPRequest()]);
+
+  const { S3Client } =
+    require("@aws-sdk/client-s3") as typeof import("@aws-sdk/client-s3");
+
+  process.env.AWS_ACCESS_KEY_ID = "test";
+  process.env.AWS_SECRET_ACCESS_KEY = "test";
+
+  const s3 = new S3Client({
+    region: "us-east-1",
+    endpoint: "http://localhost:9090",
+    credentials: fromEnv(),
+    forcePathStyle: true,
+  });
+
+  const name = "bucket";
+
+  try {
+    await s3.send(new CreateBucketCommand({ Bucket: name }));
+  } catch (err: any) {
+    if (err.Code !== "BucketAlreadyOwnedByYou") {
+      throw err;
+    }
+  }
+
+  const buckets = await s3.send(new ListBucketsCommand({}));
+  t.same(
+    buckets.Buckets?.map((bucket) => bucket.Name),
+    [name]
+  );
+});
diff --git a/library/sinks/HTTPRequest.axios.test.ts b/library/sinks/HTTPRequest.axios.test.ts
@@ -21,11 +21,10 @@ const context: Context = {
 
 const redirectTestUrl = "http://ssrf-redirects.testssandbox.com";
 
-t.test("it works", { skip: "SSRF redirect check disabled atm" }, async (t) => {
+t.test("it works", async (t) => {
   const agent = createTestAgent({
     token: new Token("123"),
   });
-
   agent.start([new HTTPRequest()]);
 
   t.same(agent.getHostnames().asArray(), []);

diff --git a/library/sinks/HTTPRequest.context.test.ts b/library/sinks/HTTPRequest.context.test.ts
@@ -0,0 +1,66 @@
+/* eslint-disable prefer-rest-params */
+import * as t from "tap";
+import { Agent } from "../agent/Agent";
+import { ReportingAPIForTesting } from "../agent/api/ReportingAPIForTesting";
+import { Token } from "../agent/api/Token";
+import { Context, getContext, runWithContext } from "../agent/Context";
+import { LoggerNoop } from "../agent/logger/LoggerNoop";
+import { createTestAgent } from "../helpers/createTestAgent";
+import { HTTPRequest } from "./HTTPRequest";
+
+const source =
+  "http://firewallssrfredirects-env-2.eba-7ifve22q.eu-north-1.elasticbeanstalk.com/ssrf-test";
+const destination = "http://127.0.0.1/test";
+
+const context: Context = {
+  remoteAddress: "::1",
+  method: "POST",
+  url: "http://localhost:4000",
+  query: {},
+  headers: {},
+  body: {
+    image: source,
+  },
+  cookies: {},
+  routeParams: {},
+  source: "express",
+  route: "/posts/:id",
+};
+
+t.test("it wraps ", (t) => {
+  const agent = createTestAgent({
+    token: new Token("123"),
+  });
+  agent.start([new HTTPRequest()]);
+
+  const http = require("http") as typeof import("http");
+
+  runWithContext(context, () => {
+    const request = http.request(source, (res) => {
+      res.on("data", () => {});
+    });
+
+    request.on("response", (res) => {
+      t.same(
+        getContext()!.outgoingRequestRedirects!.map((r) => ({
+          source: r.source.toString(),
+          destination: r.destination.toString(),
+        })),
+        [
+          {
+            source: source,
+            destination: destination,
+          },
+        ]
+      );
+      t.end();
+    });
+
+    request.on("error", (e) => {
+      t.fail(e);
+      t.end();
+    });
+
+    request.end();
+  });
+});
diff --git a/library/sinks/HTTPRequest.followRedirects.test.ts b/library/sinks/HTTPRequest.followRedirects.test.ts
@@ -1,3 +1,4 @@
+import type { IncomingMessage } from "http";
 import * as t from "tap";
 import { Token } from "../agent/api/Token";
 import { Context, runWithContext } from "../agent/Context";
@@ -22,6 +23,14 @@ const context: Context = {
 let server: import("http").Server;
 const port = 3000;
 
+function consumeBody(res: IncomingMessage) {
+  // We need to consume the body
+  // From Node.19+ this would otherwise hang the test
+  res.on("readable", () => {
+    while (res.read() !== null) {}
+  });
+}
+
 t.before(async () => {
   const { createServer } = require("http") as typeof import("http");
 
@@ -39,7 +48,7 @@ t.before(async () => {
 
 const redirectTestUrl = "http://ssrf-redirects.testssandbox.com";
 
-t.test("it works", { skip: "SSRF redirect check disabled atm" }, (t) => {
+t.test("it works", (t) => {
   const agent = createTestAgent({
     token: new Token("123"),
   });
@@ -120,8 +129,7 @@ t.test("it works", { skip: "SSRF redirect check disabled atm" }, (t) => {
     },
     () => {
       const response = http.request(`http://[::]:${port}`, (res) => {
-        // consume body
-        while (res.read()) {}
+        consumeBody(res);
 
         t.same(res.statusCode, 200);
       });

diff --git a/library/sinks/HTTPRequest.localhost.test.ts b/library/sinks/HTTPRequest.localhost.test.ts
@@ -1,11 +1,8 @@
 /* eslint-disable prefer-rest-params */
 import * as t from "tap";
-import { Agent } from "../agent/Agent";
 import { createServer, IncomingMessage, Server } from "http";
-import { ReportingAPIForTesting } from "../agent/api/ReportingAPIForTesting";
 import { Token } from "../agent/api/Token";
 import { Context, runWithContext } from "../agent/Context";
-import { LoggerNoop } from "../agent/logger/LoggerNoop";
 import { createTestAgent } from "../helpers/createTestAgent";
 import { HTTPRequest } from "./HTTPRequest";
 
@@ -52,6 +49,14 @@ function createContext({
   };
 }
 
+function consumeBody(res: IncomingMessage) {
+  // We need to consume the body
+  // From Node.19+ this would otherwise hang the test
+  res.on("readable", () => {
+    while (res.read() !== null) {}
+  });
+}
+
 const agent = createTestAgent({
   token: new Token("123"),
 });
@@ -92,8 +97,8 @@ t.test("it does not block request to localhost with same port", (t) => {
         // The server should respond with a 200
         // Because we'll allow requests to localhost if it's the same port
         t.same(response.statusCode, 200);
-        response.on("data", () => {});
-        response.on("end", () => {});
+
+        consumeBody(response);
       });
       request.end();
     }
@@ -129,8 +134,8 @@ t.test("it blocks requests to other ports", (t) => {
         request.on("response", (response: IncomingMessage) => {
           // This should not be called
           t.fail();
-          response.on("data", () => {});
-          response.on("end", () => {});
+
+          consumeBody(response);
         });
         request.end();
       } catch (error) {

diff --git a/library/sinks/HTTPRequest.needle.test.ts b/library/sinks/HTTPRequest.needle.test.ts
@@ -1,27 +1,31 @@
 import * as t from "tap";
 import { Token } from "../agent/api/Token";
 import { Context, runWithContext } from "../agent/Context";
+import { getMajorNodeVersion } from "../helpers/getNodeVersion";
 import { HTTPRequest } from "./HTTPRequest";
 import { createTestAgent } from "../helpers/createTestAgent";
 
-const context: Context = {
-  remoteAddress: "::1",
-  method: "POST",
-  url: "http://localhost:4000",
-  query: {},
-  headers: {},
-  body: {
-    image: "http://localhost:5000/api/internal",
-  },
-  cookies: {},
-  routeParams: {},
-  source: "express",
-  route: "/posts/:id",
-};
-
-const redirectTestUrl = "http://ssrf-redirects.testssandbox.com";
+function createContext(obj = {}): Context {
+  return {
+    ...{
+      remoteAddress: "::1",
+      method: "POST",
+      url: "http://localhost:4000",
+      query: {},
+      headers: {},
+      body: {
+        image: "http://localhost:5000/api/internal",
+      },
+      cookies: {},
+      routeParams: {},
+      source: "express",
+      route: "/posts/:id",
+    },
+    ...obj,
+  };
+}
 
-t.test("it works", { skip: "SSRF redirect check disabled atm" }, async (t) => {
+t.test("it works", async (t) => {
   const agent = createTestAgent({
     token: new Token("123"),
   });
@@ -31,7 +35,7 @@ t.test("it works", { skip: "SSRF redirect check disabled atm" }, async (t) => {
 
   const needle = require("needle") as typeof import("needle");
 
-  await runWithContext(context, async () => {
+  await runWithContext(createContext(), async () => {
     await needle("get", "https://www.aikido.dev");
   });
 
@@ -42,42 +46,63 @@ t.test("it works", { skip: "SSRF redirect check disabled atm" }, async (t) => {
 
   const error = await t.rejects(
     async () =>
-      await runWithContext(context, async () => {
+      await runWithContext(createContext(), async () => {
         await needle("get", "http://localhost:5000/api/internal");
       })
   );
+
+  t.ok(error instanceof Error);
   if (error instanceof Error) {
     t.same(
       error.message,
       "Zen has blocked a server-side request forgery: http.request(...) originating from body.image"
     );
   }
-
-  await runWithContext(
-    {
-      ...context,
-      ...{ body: { image: `${redirectTestUrl}/ssrf-test-domain` } },
-    },
-    async () => {
-      await new Promise<void>((resolve) => {
-        needle.request(
-          "get",
-          `${redirectTestUrl}/ssrf-test-domain`,
-          {},
-          {
-            // eslint-disable-next-line camelcase
-            follow_max: 1,
-          },
-          (error, response) => {
-            t.ok(error instanceof Error);
-            t.match(
-              error?.message,
-              /Zen has blocked a server-side request forgery/
-            );
-            resolve();
-          }
-        );
-      });
-    }
-  );
 });
+
+const redirectTestUrl = "http://ssrf-redirects.testssandbox.com";
+
+t.test(
+  "it detects SSRF attacks with redirects",
+  {
+    skip:
+      getMajorNodeVersion() >= 19 ? "This request hangs on Node.js 19+" : false,
+  },
+  async (t) => {
+    const agent = createTestAgent({
+      token: new Token("123"),
+    });
+    agent.start([new HTTPRequest()]);
+
+    const needle = require("needle") as typeof import("needle");
+
+    await runWithContext(
+      createContext({ body: { image: `${redirectTestUrl}/ssrf-test-domain` } }),
+      async () => {
+        await new Promise<void>((resolve) => {
+          needle.request(
+            "get",
+            `${redirectTestUrl}/ssrf-test-domain`,
+            {},
+            {
+              /* eslint-disable camelcase */
+              follow_max: 1,
+              open_timeout: 5000,
+              response_timeout: 5000,
+              read_timeout: 5000,
+              /* eslint-enable camelcase */
+            },
+            (error, response) => {
+              t.ok(error instanceof Error);
+              t.match(
+                error?.message,
+                /Zen has blocked a server-side request forgery/
+              );
+              resolve();
+            }
+          );
+        });
+      }
+    );
+  }
+);
diff --git a/library/sinks/HTTPRequest.nodeFetch.test.ts b/library/sinks/HTTPRequest.nodeFetch.test.ts
@@ -21,7 +21,7 @@ const context: Context = {
 
 const redirectTestUrl = "http://ssrf-redirects.testssandbox.com";
 
-t.test("it works", { skip: "SSRF redirect check disabled atm" }, async (t) => {
+t.test("it works", async (t) => {
   const agent = createTestAgent({
     token: new Token("123"),
   });