@aikidosec/firewall

Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks

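"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.checkIfRequestIsBlocked = checkIfRequestIsBlocked;
const Context_1 = require("../../agent/Context");
const escapeHTML_1 = require("../../helpers/escapeHTML");
const ipAllowedToAccessRoute_1 = require("./ipAllowedToAccessRoute");

// Response bodies. Kept as constants so the three IP-based rejections cannot
// drift apart and so the wording is greppable from tests.
const FORBIDDEN_IP_MESSAGE = "Your IP address is not allowed to access this resource.";
const FORBIDDEN_BOT_MESSAGE = "You are not allowed to access this resource because you have been identified as a bot.";

/**
 * Ends `res` with a plain-text 403 Forbidden carrying `message`.
 *
 * Every blocking branch goes through this helper so that status code and
 * content type are set identically for all rejections.
 *
 * NOTE(review): the body can echo request-derived data (the remote address).
 * It is sent as text/plain and escaped, which is adequate; if a proxy in front
 * is known to rewrite content types, consider also setting
 * `X-Content-Type-Options: nosniff` here — left out to keep the observable
 * response unchanged.
 *
 * @param {object} res - Node http.ServerResponse or compatible
 *   (must expose statusCode, setHeader and end)
 * @param {string} message - body to send; any untrusted part must already be escaped
 */
function sendForbidden(res, message) {
    res.statusCode = 403;
    res.setHeader("Content-Type", "text/plain");
    res.end(message);
}

/**
 * Appends " (Your IP: <address>)" to `message` when the context carries a
 * remote address; returns `message` unchanged otherwise.
 *
 * The address is run through escapeHTML even though the response is
 * text/plain — presumably because it may be derived from forwarded headers
 * rather than the socket peer, so it is treated as untrusted output
 * (confirm against getContext()).
 *
 * @param {string} message - base message
 * @param {object} context - request context from getContext()
 * @returns {string} message with the optional IP suffix
 */
function withRemoteAddress(message, context) {
    if (!context.remoteAddress) {
        return message;
    }
    const shownAddress = escapeHTML_1.escapeHTML(context.remoteAddress);
    return `${message} (Your IP: ${shownAddress})`;
}

/**
 * Decides whether the current request must be rejected before it reaches the
 * application and, if so, writes the 403 response itself.
 *
 * Checks run in this order; the first match decides:
 *  1. Route-level IP allowlist (ipAllowedToAccessRoute, e.g. an admin panel).
 *     This runs BEFORE the bypass list, so a bypassed IP is still confined to
 *     the routes it is explicitly allowed on.
 *  2. Bypass list (config.isBypassedIP): a match skips all remaining checks.
 *  3. Global IP allowlist (config.isAllowedIPAddress).
 *  4. IP blocklist (config.isIPAddressBlocked, e.g. geo restrictions); the
 *     returned reason is echoed, escaped, in the response body.
 *  5. User-Agent blocklist (config.isUserAgentBlocked), evaluated only when
 *     the User-Agent header is present as a string.
 *
 * Checks 2–4 are skipped when the context has no remoteAddress; check 1 is
 * always delegated to ipAllowedToAccessRoute, whatever the address is.
 *
 * @param {object} res - Node http.ServerResponse or compatible
 *   (headersSent, statusCode, setHeader, end)
 * @param {object} agent - agent whose getConfig() exposes the IP / UA lists
 * @returns {boolean} true when the request was blocked and the response has
 *   already been ended; false when the caller should keep handling it
 */
function checkIfRequestIsBlocked(res, agent) {
    // Headers already flushed (e.g. another listener answered first): nothing
    // we write would reach the client, so we cannot block at this point.
    if (res.headersSent) {
        return false;
    }
    const context = Context_1.getContext();
    if (!context) {
        return false;
    }

    // 1. Route-specific allowlist, deliberately ahead of the bypass list.
    if (!ipAllowedToAccessRoute_1.ipAllowedToAccessRoute(context, agent)) {
        sendForbidden(res, withRemoteAddress(FORBIDDEN_IP_MESSAGE, context));
        return true;
    }

    const config = agent.getConfig();
    const remoteAddress = context.remoteAddress;
    if (remoteAddress) {
        // 2. Bypassed IPs are exempt from every remaining check, including the
        //    User-Agent blocklist below.
        if (config.isBypassedIP(remoteAddress)) {
            return false;
        }
        // 3. Global allowlist.
        if (!config.isAllowedIPAddress(remoteAddress).allowed) {
            sendForbidden(res, withRemoteAddress(FORBIDDEN_IP_MESSAGE, context));
            return true;
        }
        // 4. Blocklist; the reason comes from config but is escaped anyway.
        const blockResult = config.isIPAddressBlocked(remoteAddress);
        if (blockResult.blocked) {
            const reason = escapeHTML_1.escapeHTML(blockResult.reason);
            const message = `Your IP address is blocked due to ${reason}.`;
            sendForbidden(res, withRemoteAddress(message, context));
            return true;
        }
    }

    // 5. User-Agent blocklist. Only a string header is consulted; a missing or
    //    non-string value (e.g. repeated header parsed as an array) is not blocked.
    const userAgent = context.headers ? context.headers["user-agent"] : undefined;
    if (typeof userAgent === "string" && config.isUserAgentBlocked(userAgent).blocked) {
        sendForbidden(res, FORBIDDEN_BOT_MESSAGE);
        return true;
    }
    return false;
}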