@aikidosec/firewall
Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.
import type { ParsedQs } from "qs";
import { extractStringsFromUserInput } from "../helpers/extractStringsFromUserInput";
import { Source } from "./Source";
import type { Endpoint } from "./Config";
/**
 * Identity attached to a request context (see {@link Context.user}).
 *
 * `id` is the only required field; `name` is optional display data.
 * NOTE(review): the declaration does not say where these values come from —
 * if they are set from request data, treat them as untrusted.
 */
export type User = {
id: string;
name?: string;
};
/**
 * Per-request state carried through the request's async execution (see {@link runWithContext}).
 *
 * Judging by the field names, the first group (`url` … `cookies`, plus `graphql`, `xml`,
 * `subdomains`) mirrors data supplied by the incoming request and should be treated as
 * untrusted; the remaining fields look like bookkeeping written by the firewall itself.
 * Confirm against the code that populates the context before relying on that split.
 */
export type Context = {
// Request URL and HTTP method; `undefined` when the integration could not determine them.
url: string | undefined;
method: string | undefined;
// Parsed query string (qs `ParsedQs`, so values may be nested objects or arrays, not just strings).
query: ParsedQs;
// Header values may be a string, a string[] (repeated headers) or undefined.
headers: Record<string, string | string[] | undefined>;
// Route parameters, if the framework exposes them.
routeParams: Record<string, string> | undefined;
// NOTE(review): the declaration does not say whether this is the socket peer or a
// proxy-derived client address — confirm before using it for rate limiting or allow-lists.
remoteAddress: string | undefined;
// Raw request body; `unknown` because the shape depends on the body parser in use.
body: unknown;
cookies: Record<string, string>;
// Set once an attack has been detected for this request (presumably by a sink check).
attackDetected?: boolean;
// Set once this request has been counted against a rate limit.
consumedRateLimit?: boolean;
// Authenticated user associated with the request, if any.
user?: User;
// Name of the integration that created the context.
source: string;
// Matched route pattern, if known.
route: string | undefined;
// Additional user-input channels extracted by specific integrations.
graphql?: string[];
xml?: unknown[];
subdomains?: string[];
// Values explicitly flagged as unsafe (presumably via a public API; confirm against its callers).
markUnsafe?: unknown[];
// Memoised output of extractStringsFromUserInput per Source, presumably so user input is
// flattened once per request rather than on every check.
cache?: Map<Source, ReturnType<typeof extractStringsFromUserInput>>;
/**
* Used to store redirects in outgoing http(s) requests that are started by a user-supplied input (hostname and port / url) to prevent SSRF redirect attacks.
*/
outgoingRequestRedirects?: {
source: URL;
destination: URL;
}[];
// Set once the firewall middleware has run for this request.
executedMiddleware?: boolean;
// Rate-limit group and the endpoint whose limit applied, if any.
rateLimitGroup?: string;
rateLimitedEndpoint?: Endpoint;
};
/**
 * Get the current request context that is being handled
 *
 * We don't want to allow the user to modify the context directly, so we use `Readonly<Context>`
 *
 * Note that `Readonly<Context>` is shallow and compile-time only: nested objects such as
 * `headers`, `body` or `cache` are not frozen, and nothing stops a JavaScript caller from
 * assigning to the returned object at runtime.
 *
 * @returns the active context, or `undefined` when called outside {@link runWithContext}
 */
export declare function getContext(): Readonly<Context> | undefined;
/**
 * Set a single field on a context, with `value` typed against the chosen `key`.
 *
 * Takes the mutable `Context` rather than the `Readonly<Context>` view returned by
 * {@link getContext}; presumably this is the intended way to mutate a context — confirm
 * whether it also does anything beyond the assignment (e.g. cache invalidation).
 *
 * @param context - the context to modify
 * @param key - the field to set
 * @param value - the new value, of the field's declared type
 */
export declare function updateContext<K extends keyof Context>(context: Context, key: K, value: Context[K]): void;
/**
 * Executes a function with a given request context
 *
 * The code executed inside the function will have access to the context using {@link getContext}
 *
 * This is needed because Node.js is single-threaded, so we can't use a global variable to store the context.
 *
 * @param context - the context made visible to `fn` and to the async work it starts
 * @param fn - the function to run; its return value is passed through unchanged
 * @returns whatever `fn` returns
 */
export declare function runWithContext<T>(context: Context, fn: () => T): T;
/**
 * Binds the given function to the current execution context.
 * This fixes the issue that context is not available in event handlers that are called outside of runWithContext
 * Static method AsyncLocalStorage.bind(fn) was added in Node.js v19.8.0 and v18.16.0, so we can't use it yet, but it does the same thing.
 * Also done by OpenTelemetry: https://github.com/open-telemetry/opentelemetry-js/blob/a6020fb113a60ae6abc1aa925fa6744880e7fa15/api/src/api/context.ts#L86
 *
 * @param fn - the function to wrap
 * @returns a wrapper that, when invoked, runs `fn` with the context that was active at bind time
 *   (presumably `undefined` stays `undefined` if there was none — confirm in the implementation)
 */
export declare function bindContext<T>(fn: () => T): () => T;