
@aikidosec/firewall


Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks

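"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.FastXmlParser = void 0;
const Context_1 = require("../agent/Context");
const wrapExport_1 = require("../agent/hooks/wrapExport");
const wrapNewInstance_1 = require("../agent/hooks/wrapNewInstance");
const isPlainObject_1 = require("../helpers/isPlainObject");
const addXmlToContext_1 = require("./xml/addXmlToContext");
const isXmlInContext_1 = require("./xml/isXmlInContext");
/**
 * Wrapper for the fast-xml-parser package.
 *
 * When an XML document taken from the request is parsed with fast-xml-parser,
 * the parsed result is stored in the request context. Values that arrive
 * wrapped in XML are then visible to the rest of the firewall instead of
 * staying hidden inside an opaque body string. The parse result produced for
 * the application is reused, so the XML is parsed only once.
 */
class FastXmlParser {
    /**
     * Inspects one call to `XMLParser#parse` after it has returned.
     *
     * @param {unknown[]} args - Arguments the application passed to `parse`;
     *   only the first one (the XML document) is inspected.
     * @param {unknown} result - Value returned by `parse`.
     * @returns {void} Nothing; the only effect is a possible update of the
     *   request context.
     */
    inspectParse(args, result) {
        if (!args.length) {
            return;
        }
        const input = args[0];
        let xmlString;
        if (typeof input === "string") {
            xmlString = input;
        }
        else if (Buffer.isBuffer(input)) {
            // fast-xml-parser also accepts a Buffer and stringifies it itself.
            // Without this branch a body parsed from a Buffer would skip the
            // inspection entirely. Whether such a body is then matched against
            // the request depends on isXmlInContext, which is defined elsewhere.
            xmlString = input.toString();
        }
        else {
            return;
        }
        const context = (0, Context_1.getContext)();
        if (!context) {
            // We expect the context to be set by the wrapped http server
            return;
        }
        // Only XML that came from the current request is of interest; XML the
        // application built or loaded on its own is left alone.
        if (!(0, isXmlInContext_1.isXmlInContext)(xmlString, context)) {
            // The original returned `args` here; the only caller in this file
            // ignores the return value, so every path now returns undefined.
            return;
        }
        // Add the parsed XML to the context
        if (result && (0, isPlainObject_1.isPlainObject)(result)) {
            (0, addXmlToContext_1.addXmlToContext)(result, context);
        }
    }
    /**
     * Registers the fast-xml-parser hook.
     *
     * Only the version range given to `withVersion` below is registered here.
     *
     * @param hooks - Hook registry exposing `addPackage`.
     */
    wrap(hooks) {
        hooks
            .addPackage("fast-xml-parser")
            .withVersion("^4.0.0 || ^5.0.0")
            .onRequire((exports, pkgInfo) => {
            const parser = exports.XMLParser;
            // It's a getter in v5, so we can't directly pass it to wrapNewInstance
            const wrappedParser = (0, wrapNewInstance_1.wrapNewInstance)(parser, undefined, pkgInfo, (instance) => {
                (0, wrapExport_1.wrapExport)(instance, "parse", pkgInfo, {
                    kind: "deserialize_op",
                    modifyReturnValue: (args, returnValue) => {
                        this.inspectParse(args, returnValue);
                        // The application always receives the parser's own
                        // result unchanged; inspection is observe-only.
                        return returnValue;
                    },
                });
            });
            // Return a copy of the exports with XMLParser swapped for the
            // wrapped constructor instead of assigning onto the getter.
            return {
                ...exports,
                XMLParser: wrappedParser,
            };
        });
    }
}
exports.FastXmlParser = FastXmlParser;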