


Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks

"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.Shelljs = void 0; const Context_1 = require("../agent/Context"); const wrapExport_1 = require("../agent/hooks/wrapExport"); const isPlainObject_1 = require("../helpers/isPlainObject"); const checkContextForShellInjection_1 = require("../vulnerabilities/shell-injection/checkContextForShellInjection"); class Shelljs { inspectExec(operation, args) { const context = (0, Context_1.getContext)(); if (!context) { return undefined; } if (typeof args[0] !== "string") { return undefined; } // We do not have to check if it's run as async, because then shelljs directly calls child_process.exec which is already protected if (args.length > 1) { // async option is set to true if ((0, isPlainObject_1.isPlainObject)(args[1]) && args[1].async === true) { return undefined; } // callback function is passed as second argument if (typeof args[1] === "function") { return undefined; } // callback function is passed as third argument if (args.length > 2 && typeof args[2] === "function") { return undefined; } } return (0, checkContextForShellInjection_1.checkContextForShellInjection)({ command: args[0], operation: `shelljs.${operation}`, context: context, }); } wrap(hooks) { hooks .addPackage("shelljs") .withVersion("^0.9.0 || ^0.8.0 || ^0.7.0") // We need to wrap exec, because shelljs is not using child_process.exec directly, it spawns a subprocess and shares the command via a json file. That subprocess then executes the command. .onFileRequire("src/common.js", (exports, pkgInfo) => { (0, wrapExport_1.wrapExport)(exports, "register", pkgInfo, { kind: undefined, modifyArgs: (args) => { if (args.length > 0 && args[0] === "exec" && typeof args[1] === "function") { args[1] = (0, wrapExport_1.wrapExport)(args[1], undefined, pkgInfo, { kind: "exec_op", inspectArgs: (args) => this.inspectExec("exec", args), }); } return args; }, }); }); } } exports.Shelljs = Shelljs;