@aikidosec/firewall
Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks
;
// Compiler-emitted CommonJS interop: flag this module's exports object as
// originating from an ES module.
Object.defineProperty(exports, "__esModule", { value: true });
// Declare the named export up front; the class is assigned to it at the end
// of the file.
exports.Function = void 0;
const Context_1 = require("../agent/Context");
const checkContextForJsInjection_1 = require("../vulnerabilities/js-injection/checkContextForJsInjection");
/**
 * Sink wrapper that registers an argument inspector for the global
 * `Function` under the "eval_op" kind.
 *
 * Within this module the identifier `Function` refers to this class, not to
 * the built-in constructor.
 */
class Function {
  /**
   * Inspects the arguments of an intercepted `Function` call and runs the
   * JS-injection check on the code string found in them.
   *
   * The last argument whose type is "string" is treated as the code to check
   * and is reported under the operation name "new Function".
   *
   * NOTE(review): only values that are already strings are candidates, and
   * only the last of them is checked. The Function constructor converts all
   * of its arguments to strings and also compiles the parameter arguments, so
   * non-string values and earlier string arguments are not inspected by this
   * method. Confirm that this coverage is intended.
   *
   * @param {unknown[]} args - Arguments handed over by the hook system
   *   (presumably those of the intercepted call; the dispatch is not shown in
   *   this file).
   * @returns {*} Whatever `checkContextForJsInjection` returns, or
   *   `undefined` when there is no active context, `args` is not a non-empty
   *   array, or no non-empty string argument is present.
   */
  inspectFunction(args) {
    const { getContext } = Context_1;
    const context = getContext();

    // Without a request context there is nothing to compare the code against.
    if (!context) {
      return undefined;
    }
    if (!Array.isArray(args) || args.length === 0) {
      return undefined;
    }

    // Scan from the end: the function body is the final argument of
    // Function(p1, ..., pN, body).
    let candidate;
    let position = args.length;
    while (position-- > 0) {
      const value = args[position];
      if (typeof value === "string") {
        candidate = value;
        break;
      }
    }

    // No string argument at all, or the last string argument is empty.
    if (!candidate) {
      return undefined;
    }

    const { checkContextForJsInjection } = checkContextForJsInjection_1;
    return checkContextForJsInjection({
      js: candidate,
      operation: "new Function",
      context,
    });
  }

  /**
   * Registers `inspectFunction` as the argument inspector for the global
   * `Function`.
   *
   * @param {{ addGlobal: function(string, object): * }} hooks - Hook registry
   *   that receives the interceptor definition.
   */
  wrap(hooks) {
    // inspectFunction does not read `this`, so passing it unbound is safe;
    // bind it if that ever changes.
    const interceptor = {
      kind: "eval_op",
      inspectArgs: this.inspectFunction,
    };
    hooks.addGlobal("Function", interceptor);
  }
}
// Export the wrapper class. `Function` here is the class declared in this
// module, which shadows the built-in Function constructor in module scope.
exports.Function = Function;