@aikidosec/firewall
Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks
;
// CommonJS prelude (the shape typical of compiled TypeScript output): flag the
// module for ES-module interop and pre-declare the export so it exists even
// before the class below is evaluated.
Object.defineProperty(exports, "__esModule", { value: true });
exports.Xml2js = void 0;
const Context_1 = require("../agent/Context");
const wrapExport_1 = require("../agent/hooks/wrapExport");
const isPlainObject_1 = require("../helpers/isPlainObject");
const addXmlToContext_1 = require("./xml/addXmlToContext");
const isXmlInContext_1 = require("./xml/isXmlInContext");
/**
 * Hook for the xml2js package.
 *
 * When a string that arrived with the request is parsed through
 * `Parser.prototype.parseString`, the parsed object is recorded in the
 * request context, so that inspection of the request also covers payloads
 * that were sent as XML instead of JSON. Only strings already present in the
 * context are considered, and the parsing is left to xml2js, so the document
 * is parsed once and the overhead stays low.
 */
class Xml2js {
  /**
   * Intercepts the arguments of `parseString(xml, callback)`.
   *
   * `args` is returned unchanged unless it has the shape `(string, function)`,
   * a request context is active, and the string is part of that request.
   * Otherwise `args[1]` is replaced in place by a callback that stores a
   * plain-object result in the context and then invokes the original
   * callback inside that same context.
   *
   * @param {unknown[]} args - the call arguments; may be mutated
   * @returns {unknown[]} the (possibly modified) arguments
   */
  modifyArgs(args) {
    const hasExpectedShape =
      args.length >= 2 &&
      typeof args[0] === "string" &&
      typeof args[1] === "function";
    if (!hasExpectedShape) {
      return args;
    }
    const context = (0, Context_1.getContext)();
    // The context is established by the wrapped HTTP server; without one
    // there is nothing to attach the parsed document to.
    if (!context) {
      return args;
    }
    const xmlString = args[0];
    // Only XML that came in with the request is of interest here.
    if (!(0, isXmlInContext_1.isXmlInContext)(xmlString, context)) {
      return args;
    }
    const userCallback = args[1];
    args[1] = function wrapCallback(err, result) {
      // Record the parsed document first, then hand over to the user's
      // callback while the request context is still active.
      if (result && (0, isPlainObject_1.isPlainObject)(result)) {
        (0, addXmlToContext_1.addXmlToContext)(result, context);
      }
      (0, Context_1.runWithContext)(context, () => userCallback(err, result));
    };
    return args;
  }

  /**
   * Registers the xml2js hook with the hook registry.
   *
   * @param {object} hooks - registry on which the supported xml2js versions
   *   are declared; `Parser.prototype.parseString` is wrapped as a
   *   deserialize operation whose arguments go through `modifyArgs`
   */
  wrap(hooks) {
    const pkg = hooks
      .addPackage("xml2js")
      .withVersion("^0.6.0 || ^0.5.0 || ^0.4.18");
    pkg.onRequire((exports, pkgInfo) => {
      const wrapOptions = {
        kind: "deserialize_op",
        modifyArgs: (args) => this.modifyArgs(args),
      };
      (0, wrapExport_1.wrapExport)(
        exports.Parser.prototype,
        "parseString",
        pkgInfo,
        wrapOptions
      );
    });
  }
}
// Publish the hook class on the CommonJS export object.
Object.assign(exports, { Xml2js });