;
// CommonJS preamble (typical of transpiled module output): flags the module for
// ES-module interop and pre-declares the named export that is assigned at the
// bottom of the file.
Object.defineProperty(exports, "__esModule", { value: true });
exports.FastXmlParser = void 0;
const Context_1 = require("../agent/Context");
const wrapExport_1 = require("../agent/hooks/wrapExport");
const wrapNewInstance_1 = require("../agent/hooks/wrapNewInstance");
const isPlainObject_1 = require("../helpers/isPlainObject");
const addXmlToContext_1 = require("./xml/addXmlToContext");
const isXmlInContext_1 = require("./xml/isXmlInContext");
/**
 * Wrapper for the fast-xml-parser package.
 * When the XML string handed to XMLParser#parse is the one found in the request body,
 * the parsed result is stored in the request context so that payloads delivered as XML
 * cannot slip past the firewall's inspection. fast-xml-parser does the parsing exactly
 * once, so the extra cost is only the context lookup.
 */
class FastXmlParser {
    /**
     * Records the result of a completed XMLParser#parse call in the request context.
     *
     * @param {unknown[]} args - arguments that were passed to parse(); only a string
     *   first argument is considered
     * @param {unknown} result - value returned by parse()
     * @returns {unknown[] | undefined} `args` when the XML string was not found in the
     *   request context, `undefined` in every other case. The hook installed by wrap()
     *   ignores this value; the distinction is kept for compatibility only.
     */
    inspectParse(args, result) {
        // NOTE(review): fast-xml-parser's parse() also accepts a Buffer; a Buffer argument
        // is not inspected here — confirm whether the request-body path can hand one over.
        if (!args.length || typeof args[0] !== "string") {
            return;
        }
        const context = (0, Context_1.getContext)();
        if (!context) {
            // The wrapped http server is expected to have established the context.
            return;
        }
        const xmlString = args[0];
        // Only XML that actually came from the request is of interest.
        const xmlFromRequest = (0, isXmlInContext_1.isXmlInContext)(xmlString, context);
        if (!xmlFromRequest) {
            return args;
        }
        // Store the parsed tree; non-object results are skipped (see ../helpers/isPlainObject).
        const isStorable = Boolean(result) && (0, isPlainObject_1.isPlainObject)(result);
        if (isStorable) {
            (0, addXmlToContext_1.addXmlToContext)(result, context);
        }
    }

    /**
     * Registers the fast-xml-parser hook: every XMLParser instance created after the
     * package is required gets its parse() method wrapped so the result is inspected.
     *
     * @param {object} hooks - hook registry exposing addPackage/withVersion/onRequire
     */
    wrap(hooks) {
        // Arrow functions keep `this` bound to the FastXmlParser instance.
        const recordParsedXml = (args, returnValue) => {
            this.inspectParse(args, returnValue);
            return returnValue;
        };
        hooks
            .addPackage("fast-xml-parser")
            .withVersion("^4.0.0")
            .onRequire((pkgExports, pkgInfo) => {
                const hookParse = (instance) => {
                    (0, wrapExport_1.wrapExport)(instance, "parse", pkgInfo, {
                        modifyReturnValue: recordParsedXml,
                    });
                };
                (0, wrapNewInstance_1.wrapNewInstance)(pkgExports, "XMLParser", pkgInfo, hookParse);
            });
    }
}
// Publish the class as the module's single named export.
Object.assign(exports, { FastXmlParser });