Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.
;
// CommonJS module shape (compiled output). The two entry points are assigned
// to `exports` before their definitions; this works because function
// declarations are hoisted.
Object.defineProperty(exports, "__esModule", { value: true });
exports.preventPrototypePollution = preventPrototypePollution;
exports.freezeBuiltinsIfPossible = freezeBuiltinsIfPossible;
const AgentSingleton_1 = require("../../agent/AgentSingleton");
const getPackageVersion_1 = require("../../helpers/getPackageVersion");
const satisfiesVersion_1 = require("../../helpers/satisfiesVersion");
// Package name -> semver range(s) treated as incompatible with frozen builtins.
// When an installed version of a listed package matches its range, the freeze
// is skipped and the package is reported instead (see freezeBuiltinsIfPossible).
const INCOMPATIBLE_PACKAGE = {
mongoose: "^1.0.0 || ^2.0.0 || ^3.0.0 || ^4.0.0",
};
/**
 * Try to freeze the builtins and report the outcome to the agent singleton.
 *
 * When an incompatible package is installed the freeze is skipped and the
 * agent (if one exists) is told which packages blocked it; otherwise the
 * agent is told that prototype pollution has been prevented.
 */
function preventPrototypePollution() {
const outcome = freezeBuiltinsIfPossible(INCOMPATIBLE_PACKAGE);
// The agent may not have been created yet; every notification is optional.
const agent = (0, AgentSingleton_1.getInstance)();
/* c8 ignore next 6 */
if (!outcome.success) {
if (agent != null) {
agent.unableToPreventPrototypePollution(outcome.incompatiblePackages);
}
return;
}
if (agent != null) {
agent.onPrototypePollutionPrevented();
}
}
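/**
 * Freeze the builtins unless an installed package matches one of the given
 * incompatible version ranges.
 *
 * Only own properties of the map are consulted. This function runs before
 * the builtins are frozen, so a `for...in` walk could otherwise also pick up
 * inherited enumerable keys and treat them as package names.
 *
 * @param {Record<string, string>} incompatiblePackageVersions - package name -> semver range(s) that do not work with frozen builtins
 * @returns {{ success: true } | { success: false, incompatiblePackages: Record<string, string> }}
 *   `incompatiblePackages` maps each blocking package to its installed version.
 */
function freezeBuiltinsIfPossible(incompatiblePackageVersions) {
const incompatiblePackages = {};
for (const [pkg, ranges] of Object.entries(incompatiblePackageVersions)) {
const version = (0, getPackageVersion_1.getPackageVersion)(pkg);
// Package not installed (or version unknown): it cannot block the freeze.
if (!version) {
continue;
}
if ((0, satisfiesVersion_1.satisfiesVersion)(ranges, version)) {
incompatiblePackages[pkg] = version;
}
}
if (Object.keys(incompatiblePackages).length > 0) {
return { success: false, incompatiblePackages };
}
freezeBuiltins();
return { success: true };
}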
/**
 * Freeze the core constructors and their prototypes so that no property can
 * be added to or changed on them afterwards.
 *
 * Function.prototype is intentionally not in the list.
 */
function freezeBuiltins() {
// Taken from https://github.com/snyk-labs/nopp/blob/main/index.js
// We don't freeze the prototype of Function, as it's used by mysql2
// We'll investigate later and see how this can be abused
const targets = [
Object, Object.prototype,
Function, // Function.prototype deliberately left out, see above
Array, Array.prototype,
String, String.prototype,
Number, Number.prototype,
Boolean, Boolean.prototype,
];
for (const target of targets) {
Object.freeze(target);
}
}