
@aikidosec/firewall


Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.Xml2js = void 0;
const Context_1 = require("../agent/Context");
const wrapExport_1 = require("../agent/hooks/wrapExport");
const isPlainObject_1 = require("../helpers/isPlainObject");
const addXmlToContext_1 = require("./xml/addXmlToContext");
const isXmlInContext_1 = require("./xml/isXmlInContext");
/**
 * Instrumentation for the xml2js package.
 *
 * When an XML string that belongs to the current request is parsed with
 * xml2js, the parsed result is recorded in the request context. This prevents
 * XML from being used to bypass the firewall. The result of the application's
 * own parse is reused, so the XML is parsed only once and the performance
 * impact stays low.
 */
class Xml2js {
  /**
   * Rewrites the arguments of a `parseString(xml, callback)` call so the
   * parsed result can be recorded in the request context.
   *
   * The arguments are returned untouched when the call does not have the
   * `(string, function)` shape, when there is no active context, or when
   * `isXmlInContext` does not find the string in the context.
   *
   * @param {Array} args - Arguments passed to `Parser.prototype.parseString`.
   * @returns {Array} The same `args` array; `args[1]` is replaced in place
   *   when the call is tracked.
   */
  modifyArgs(args) {
    if (args.length < 2) {
      return args;
    }
    if (typeof args[0] !== "string") {
      return args;
    }
    if (typeof args[1] !== "function") {
      return args;
    }
    const requestContext = (0, Context_1.getContext)();
    if (!requestContext) {
      // The context is expected to be set by the wrapped http server; without
      // it there is nothing to compare the XML against, so the call is left
      // unmodified (and untracked).
      return args;
    }
    // Only XML that came from the request is tracked.
    // NOTE(review): the matching rules live in isXmlInContext and are not
    // visible here — confirm they still match when the application has
    // altered the body (trimmed, decoded, sliced) before parsing it.
    if (!(0, isXmlInContext_1.isXmlInContext)(args[0], requestContext)) {
      return args;
    }
    const userCallback = args[1];
    // Substitute a callback that records the parsed document before handing
    // control back to the application's own callback.
    args[1] = function wrapCallback(err, result) {
      // Falsy results (for example on a parse error) and results that are not
      // plain objects are not added to the context.
      const shouldRecord =
        result && (0, isPlainObject_1.isPlainObject)(result);
      if (shouldRecord) {
        (0, addXmlToContext_1.addXmlToContext)(result, requestContext);
      }
      // Invoke the application's callback inside the captured context, so the
      // context is available to whatever the callback goes on to do.
      (0, Context_1.runWithContext)(requestContext, () =>
        userCallback(err, result)
      );
    };
    return args;
  }
  /**
   * Registers the xml2js hook: `Parser.prototype.parseString` is wrapped so
   * that its arguments pass through `modifyArgs`.
   *
   * @param {object} hooks - Hook registry exposing `addPackage`.
   */
  wrap(hooks) {
    const xml2jsPackage = hooks.addPackage("xml2js");
    // NOTE(review): only these version ranges are registered; presumably
    // xml2js releases outside them are not instrumented — confirm.
    const supportedVersions = xml2jsPackage.withVersion(
      "^0.6.0 || ^0.5.0 || ^0.4.18"
    );
    supportedVersions.onRequire((exports, pkgInfo) => {
      const interceptor = {
        kind: "deserialize_op",
        modifyArgs: (args) => this.modifyArgs(args),
      };
      (0, wrapExport_1.wrapExport)(
        exports.Parser.prototype,
        "parseString",
        pkgInfo,
        interceptor
      );
    });
  }
}
exports.Xml2js = Xml2js;