AikidoSec · hansott · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
@@ -36,6 +36,7 @@ jobs:
         ports:
           - "27015:3306"
     strategy:
+      fail-fast: false
       matrix:
         node-version: [16.x, 18.x, 20.x, 22.x]
     steps:

diff --git a/library/package-lock.json b/library/package-lock.json
diff --git a/library/package.json b/library/package.json
@@ -89,5 +89,9 @@
     "lint": "npm run lint-eslint && npm run lint-tsc",
     "lint-eslint": "eslint '**/*.ts'",
     "lint-tsc": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@aws-sdk/client-s3": "^3.637.0",
+    "@aws-sdk/credential-providers": "^3.637.0"
   }
 }
diff --git a/library/sinks/AwsSDKVersion3.test.ts b/library/sinks/AwsSDKVersion3.test.ts
@@ -0,0 +1,48 @@
+import { CreateBucketCommand, ListBucketsCommand } from "@aws-sdk/client-s3";
+import { fromEnv } from "@aws-sdk/credential-providers";
+import * as t from "tap";
+import { Agent } from "../agent/Agent";
+import { ReportingAPIForTesting } from "../agent/api/ReportingAPIForTesting";
+import { LoggerForTesting } from "../agent/logger/LoggerForTesting";
+import { HTTPRequest } from "./HTTPRequest";
+
+t.test("it works", async (t) => {
+  const logger = new LoggerForTesting();
+  const agent = new Agent(
+    true,
+    logger,
+    new ReportingAPIForTesting(),
+    undefined,
+    undefined
+  );
+
+  agent.start([new HTTPRequest()]);
+
+  const { S3Client } = require("@aws-sdk/client-s3");
+
+  process.env.AWS_ACCESS_KEY_ID = "test";
+  process.env.AWS_SECRET_ACCESS_KEY = "test";
+
+  const s3 = new S3Client({
+    region: "us-east-1",
+    endpoint: "http://localhost:9090",
+    credentials: fromEnv(),
+    forcePathStyle: true,
+  });
+
+  const name = "bucket";
+
+  try {
+    await s3.send(new CreateBucketCommand({ Bucket: name }));
+  } catch (err) {
+    if (err.Code !== "BucketAlreadyOwnedByYou") {
+      throw err;
+    }
+  }
+
+  const buckets = await s3.send(new ListBucketsCommand({}));
+  t.same(
+    buckets.Buckets?.map((bucket) => bucket.Name),
+    [name]
+  );
+});
diff --git a/library/sinks/HTTPRequest.axios.test.ts b/library/sinks/HTTPRequest.axios.test.ts
@@ -24,7 +24,7 @@ const context: Context = {
 const redirectTestUrl =
   "http://firewallssrfredirects-env-2.eba-7ifve22q.eu-north-1.elasticbeanstalk.com";
 
-t.test("it works", { skip: "SSRF redirect check disabled atm" }, async (t) => {
+t.test("it works", async (t) => {
   const agent = new Agent(
     true,
     new LoggerNoop(),

diff --git a/library/sinks/HTTPRequest.context.test.ts b/library/sinks/HTTPRequest.context.test.ts
@@ -0,0 +1,69 @@
+/* eslint-disable prefer-rest-params */
+import * as t from "tap";
+import { Agent } from "../agent/Agent";
+import { ReportingAPIForTesting } from "../agent/api/ReportingAPIForTesting";
+import { Token } from "../agent/api/Token";
+import { Context, getContext, runWithContext } from "../agent/Context";
+import { LoggerNoop } from "../agent/logger/LoggerNoop";
+import { HTTPRequest } from "./HTTPRequest";
+
+const source =
+  "http://firewallssrfredirects-env-2.eba-7ifve22q.eu-north-1.elasticbeanstalk.com/ssrf-test";
+const destination = "http://127.0.0.1/test";
+
+const context: Context = {
+  remoteAddress: "::1",
+  method: "POST",
+  url: "http://localhost:4000",
+  query: {},
+  headers: {},
+  body: {
+    image: source,
+  },
+  cookies: {},
+  routeParams: {},
+  source: "express",
+  route: "/posts/:id",
+};
+
+t.test("it wraps ", (t) => {
+  const agent = new Agent(
+    true,
+    new LoggerNoop(),
+    new ReportingAPIForTesting(),
+    new Token("123"),
+    undefined
+  );
+  agent.start([new HTTPRequest()]);
+
+  const http = require("http");
+
+  runWithContext(context, () => {
+    const request = http.request(source, (res) => {
+      res.on("data", () => {});
+    });
+
+    request.on("response", (res) => {
+      t.same(
+        getContext().outgoingRequestRedirects.map((r) => ({
+          source: r.source.toString(),
+          destination: r.destination.toString(),
+        })),
+        [
+          {
+            source: source,
+            destination: destination,
+          },
+        ]
+      );
+      t.end();
+    });
+
+    request.on("error", (e) => {
+      t.fail(e);
+      t.end();
+    });
+
+    request.end();
+  });
+});
diff --git a/library/sinks/HTTPRequest.followRedirects.test.ts b/library/sinks/HTTPRequest.followRedirects.test.ts
@@ -24,7 +24,7 @@ const context: Context = {
 const redirectTestUrl =
   "http://firewallssrfredirects-env-2.eba-7ifve22q.eu-north-1.elasticbeanstalk.com";
 
-t.test("it works", { skip: "SSRF redirect check disabled atm" }, (t) => {
+t.test("it works", (t) => {
   const agent = new Agent(
     true,
     new LoggerNoop(),

diff --git a/library/sinks/HTTPRequest.needle.test.ts b/library/sinks/HTTPRequest.needle.test.ts
@@ -4,27 +4,30 @@ import { ReportingAPIForTesting } from "../agent/api/ReportingAPIForTesting";
 import { Token } from "../agent/api/Token";
 import { Context, runWithContext } from "../agent/Context";
 import { LoggerNoop } from "../agent/logger/LoggerNoop";
+import { getMajorNodeVersion } from "../helpers/getNodeVersion";
 import { HTTPRequest } from "./HTTPRequest";
 
-const context: Context = {
-  remoteAddress: "::1",
-  method: "POST",
-  url: "http://localhost:4000",
-  query: {},
-  headers: {},
-  body: {
-    image: "http://localhost:5000/api/internal",
-  },
-  cookies: {},
-  routeParams: {},
-  source: "express",
-  route: "/posts/:id",
-};
-
-const redirectTestUrl =
-  "http://firewallssrfredirects-env-2.eba-7ifve22q.eu-north-1.elasticbeanstalk.com";
+function createContext(obj = {}): Context {
+  return {
+    ...{
+      remoteAddress: "::1",
+      method: "POST",
+      url: "http://localhost:4000",
+      query: {},
+      headers: {},
+      body: {
+        image: "http://localhost:5000/api/internal",
+      },
+      cookies: {},
+      routeParams: {},
+      source: "express",
+      route: "/posts/:id",
+    },
+    ...obj,
+  };
+}
 
-t.test("it works", { skip: "SSRF redirect check disabled atm" }, async (t) => {
+t.test("it works", async (t) => {
   const agent = new Agent(
     true,
     new LoggerNoop(),
@@ -38,7 +41,7 @@ t.test("it works", { skip: "SSRF redirect check disabled atm" }, async (t) => {
 
   const needle = require("needle");
 
-  await runWithContext(context, async () => {
+  await runWithContext(createContext(), async () => {
     await needle("get", "https://www.aikido.dev");
   });
 
@@ -49,42 +52,68 @@ t.test("it works", { skip: "SSRF redirect check disabled atm" }, async (t) => {
 
   const error = await t.rejects(
     async () =>
-      await runWithContext(context, async () => {
+      await runWithContext(createContext(), async () => {
         await needle("get", "http://localhost:5000/api/internal");
       })
   );
+
+  t.ok(error instanceof Error);
   if (error instanceof Error) {
     t.same(
       error.message,
       "Aikido firewall has blocked a server-side request forgery: http.request(...) originating from body.image"
     );
   }
-
-  await runWithContext(
-    {
-      ...context,
-      ...{ body: { image: `${redirectTestUrl}/ssrf-test-domain` } },
-    },
-    async () => {
-      await new Promise<void>((resolve) => {
-        needle.request(
-          "get",
-          `${redirectTestUrl}/ssrf-test-domain`,
-          {},
-          {
-            // eslint-disable-next-line camelcase
-            follow_max: 1,
-          },
-          (error, response) => {
-            t.ok(error instanceof Error);
-            t.match(
-              error?.message,
-              /Aikido firewall has blocked a server-side request forgery/
-            );
-            resolve();
-          }
-        );
-      });
-    }
-  );
 });
+
+const redirectTestUrl =
+  "http://firewallssrfredirects-env-2.eba-7ifve22q.eu-north-1.elasticbeanstalk.com";
+
+t.test(
+  "it detects SSRF attacks with redirects",
+  {
+    skip:
+      getMajorNodeVersion() >= 19 ? "This request hangs on Node.js 19+" : false,
+  },
+  async (t) => {
+    const agent = new Agent(
+      true,
+      new LoggerNoop(),
+      new ReportingAPIForTesting(),
+      new Token("123"),
+      undefined
+    );
+    agent.start([new HTTPRequest()]);
+
+    const needle = require("needle");
+
+    await runWithContext(
+      createContext({ body: { image: `${redirectTestUrl}/ssrf-test-domain` } }),
+      async () => {
+        await new Promise<void>((resolve) => {
+          needle.request(
+            "get",
+            `${redirectTestUrl}/ssrf-test-domain`,
+            {},
+            {
+              /* eslint-disable camelcase */
+              follow_max: 1,
+              open_timeout: 5000,
+              response_timeout: 5000,
+              read_timeout: 5000,
+              /* eslint-enable camelcase */
+            },
+            (error, response) => {
+              t.ok(error instanceof Error);
+              t.match(
+                error?.message,
+                /Aikido firewall has blocked a server-side request forgery/
+              );
+              resolve();
+            }
+          );
+        });
+      }
+    );
+  }
+);
diff --git a/library/sinks/HTTPRequest.nodeFetch.test.ts b/library/sinks/HTTPRequest.nodeFetch.test.ts
@@ -24,7 +24,7 @@ const context: Context = {
 const redirectTestUrl =
   "http://firewallssrfredirects-env-2.eba-7ifve22q.eu-north-1.elasticbeanstalk.com";
 
-t.test("it works", { skip: "SSRF redirect check disabled atm" }, async (t) => {
+t.test("it works", async (t) => {
   const agent = new Agent(
     true,
     new LoggerNoop(),