
@aikidosec/firewall


Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks

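"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.shouldDiscoverRoute = shouldDiscoverRoute;
const getFileExtension_1 = require("../../helpers/getFileExtension");
const isWellKnownURI_1 = require("../../helpers/isWellKnownURI");

// Requests made with these HTTP methods are never recorded as discovered routes.
// The comparison is case-sensitive, matching how HTTP method tokens are defined.
const EXCLUDED_METHODS = ["OPTIONS", "HEAD"];
// File extensions that fall outside the 2–5 character range handled below
// but should still be treated as static files rather than API routes.
const IGNORE_EXTENSIONS = ["properties", "config", "webmanifest"];
// Substrings that, when present in any path segment, exclude the route from discovery.
const IGNORE_STRINGS = ["cgi-bin"];

/**
 * Decide whether a finished request should be recorded as a discovered API route.
 *
 * Only 2xx/3xx responses to requests that are not OPTIONS or HEAD are
 * considered. Routes whose segments look like dot files (except well-known
 * URIs such as `/.well-known/...`), contain an ignored substring, or carry a
 * file extension that marks them as static files are not discovered, so that
 * asset-like paths do not end up in the set of discovered routes.
 *
 * @param {{ statusCode: number, route: string, method: string }} request
 *   `statusCode` is the response status, `route` the request path and
 *   `method` the HTTP method token.
 * @returns {boolean} true when the route should be discovered
 */
function shouldDiscoverRoute({ statusCode, route, method }) {
  const validStatusCode = statusCode >= 200 && statusCode <= 399;
  if (!validStatusCode) {
    return false;
  }

  if (EXCLUDED_METHODS.includes(method)) {
    return false;
  }

  const segments = route.split("/");

  // Do not discover routes with dot files like `/path/to/.file` or `/.directory/file`.
  // Well-known URIs like `/.well-known/acme-challenge` are still allowed.
  if (!isWellKnownURI_1.isWellKnownURI(route) && segments.some(isDotFile)) {
    return false;
  }

  if (segments.some(containsIgnoredString)) {
    return false;
  }

  // Every segment must pass the file-extension check for the route to be discovered.
  return segments.every(shouldDiscoverExtension);
}

/**
 * Return true when a single path segment does not look like a static file.
 *
 * A segment without an extension is always discoverable. Extensions of 2 to 5
 * characters (e.g. `css`, `js`, `woff2`) and the explicitly listed
 * IGNORE_EXTENSIONS are treated as static files and rejected; any other
 * extension length is allowed through.
 *
 * @param {string} segment - one `/`-delimited part of the route
 * @returns {boolean}
 */
function shouldDiscoverExtension(segment) {
  const extension = getFileExtension_1.getFileExtension(segment);

  // No file extension, allow discovery
  if (!extension) {
    return true;
  }

  // Do not discover files with extensions of 2 to 5 characters, e.g. file.css, file.js, file.woff2
  if (extension.length > 1 && extension.length < 6) {
    return false;
  }

  // Ignore some file extensions that are longer than 5 characters or shorter than 2 chars
  if (IGNORE_EXTENSIONS.includes(extension)) {
    return false;
  }

  return true;
}

/**
 * Return true when the segment is a dot file or dot directory name
 * (starts with `.` and has at least one more character, so `.` alone is not one).
 *
 * @param {string} segment
 * @returns {boolean}
 */
function isDotFile(segment) {
  return segment.startsWith(".") && segment.length > 1;
}

/**
 * Return true when the segment contains any entry of IGNORE_STRINGS.
 *
 * @param {string} segment
 * @returns {boolean}
 */
function containsIgnoredString(segment) {
  return IGNORE_STRINGS.some((str) => segment.includes(str));
}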