@aikidosec/firewall
Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.
// Compiled CommonJS module: the `__esModule` flag lets ESM-style importers
// interoperate with this file.
Object.defineProperty(exports, "__esModule", { value: true });
// `isRequestToItself` is a hoisted function declaration further down, so
// exporting it before its definition is safe.
exports.isRequestToItself = isRequestToItself;
// Project helpers (imported as namespaces; call sites use `(0, ns.fn)()`):
//  - getPortFromURL: derives the port of a parsed URL (presumably filling in
//    the protocol default when none is explicit — TODO confirm)
//  - trustProxy: whether the server sits behind a trusted reverse proxy
//  - tryParseURL: URL parsing that yields a falsy value instead of throwing
const getPortFromURL_1 = require("../../helpers/getPortFromURL");
const trustProxy_1 = require("../../helpers/trustProxy");
const tryParseURL_1 = require("../../helpers/tryParseURL");
/**
 * Decide whether an outbound request made by the app targets the app's own
 * server. Callers use this to avoid flagging matches on header-derived values
 * (`Host`, `Origin`, `Referer`, ...) as an attack on the outgoing request.
 *
 * Both hostname AND port are compared: the same hostname on another port is a
 * different service.
 *
 * Security note: when Node.js is not behind a trusted reverse proxy, the
 * hostname inside `serverUrl` is built from request headers that a client
 * talking directly to the process can set freely. In that case nothing is
 * ever treated as "itself" and the function returns `false`, the conservative
 * outcome.
 *
 * @param {object} args
 * @param {string} args.serverUrl - URL the server believes it is served at
 *   (type inferred from usage); parsed with `tryParseURL`, and an unparsable
 *   value yields `false`.
 * @param {string} args.outboundHostname - hostname of the outgoing request;
 *   compared with strict equality, no normalisation is applied here.
 * @param {number} args.outboundPort - port of the outgoing request (type
 *   inferred from the `=== 80` / `=== 443` comparisons).
 * @returns {boolean} `true` only when the proxy is trusted, the hostnames
 *   match, and the ports are equal or form the 80/443 pair.
 */
function isRequestToItself({ serverUrl, outboundHostname, outboundPort, }) {
  const { trustProxy } = trustProxy_1;
  const { tryParseURL } = tryParseURL_1;
  const { getPortFromURL } = getPortFromURL_1;

  // Header-derived `serverUrl` is only trustworthy behind a reverse proxy.
  if (!trustProxy()) {
    return false;
  }

  const parsedServerUrl = tryParseURL(serverUrl);
  if (!parsedServerUrl || parsedServerUrl.hostname !== outboundHostname) {
    return false;
  }

  const serverPort = getPortFromURL(parsedServerUrl);
  if (serverPort === outboundPort) {
    return true;
  }

  // Production deployments commonly serve the same app on both 80 and 443,
  // so a request from one to the other still counts as a request to itself.
  const isHttpHttpsPair =
    (serverPort === 80 && outboundPort === 443) ||
    (serverPort === 443 && outboundPort === 80);

  return isHttpHttpsPair;
}
;