Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks
;
// Mark the module as an ES-module transpilation target (non-enumerable flag).
Object.defineProperty(exports, "__esModule", { value: true });
// Public entry points. The function declarations further down are hoisted,
// so they can be exported here before their definitions appear.
Object.assign(exports, {
preventPrototypePollution,
freezeBuiltinsIfPossible,
});
const AgentSingleton_1 = require("../../agent/AgentSingleton");
const getPackageVersion_1 = require("../../helpers/getPackageVersion");
const satisfiesVersion_1 = require("../../helpers/satisfiesVersion");
// Packages whose listed versions cannot coexist with frozen builtins.
// Keys are package names, values are semver ranges as understood by
// satisfiesVersion; when an installed package matches its range,
// freezeBuiltinsIfPossible reports it instead of freezing.
// NOTE(review): the reason mongoose 1.x-4.x conflicts is not recorded
// here — confirm against the package before widening or narrowing the range.
const INCOMPATIBLE_PACKAGE = {
mongoose: "^1.0.0 || ^2.0.0 || ^3.0.0 || ^4.0.0",
};
/**
 * Freezes the builtin constructors and prototypes unless an incompatible
 * package is installed, then reports the outcome to the agent singleton.
 *
 * Side effects: may freeze global builtins (via freezeBuiltinsIfPossible)
 * and invokes either agent.unableToPreventPrototypePollution(pkgs) or
 * agent.onPrototypePollutionPrevented(). When no agent instance exists the
 * freezing still happens, only the report is skipped. Returns nothing.
 */
function preventPrototypePollution() {
const outcome = freezeBuiltinsIfPossible(INCOMPATIBLE_PACKAGE);
// getInstance may yield null/undefined; every use of agent is guarded.
const agent = (0, AgentSingleton_1.getInstance)();
/* c8 ignore next 6 */
if (!outcome.success) {
if (agent != null) {
agent.unableToPreventPrototypePollution(outcome.incompatiblePackages);
}
return;
}
if (agent != null) {
agent.onPrototypePollutionPrevented();
}
}
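/**
 * Freezes the builtins unless one of the given packages is installed at an
 * incompatible version.
 *
 * @param {Record<string, string>} incompatiblePackageVersions - map of
 *   package name to a semver range (as understood by satisfiesVersion) for
 *   which freezing must be skipped. null/undefined is treated as empty.
 * @returns {{ success: true } | { success: false, incompatiblePackages: Record<string, string> }}
 *   On `success: false`, `incompatiblePackages` maps each matching package
 *   to its installed version and nothing has been frozen. On `success: true`
 *   freezeBuiltins() has already run.
 */
function freezeBuiltinsIfPossible(incompatiblePackageVersions) {
const incompatiblePackages = {};
// Own keys only (not for...in): this runs before the builtins are frozen,
// so enumerable properties already planted on Object.prototype must not be
// picked up as package names and handed to getPackageVersion.
for (const pkg of Object.keys(incompatiblePackageVersions || {})) {
const installedVersion = (0, getPackageVersion_1.getPackageVersion)(pkg);
// Not installed (or version unresolvable): nothing to compare.
if (!installedVersion) {
continue;
}
const ranges = incompatiblePackageVersions[pkg];
if ((0, satisfiesVersion_1.satisfiesVersion)(ranges, installedVersion)) {
incompatiblePackages[pkg] = installedVersion;
}
}
if (Object.keys(incompatiblePackages).length > 0) {
return { success: false, incompatiblePackages };
}
freezeBuiltins();
return { success: true };
}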
/**
 * Freezes the core builtin constructors and their prototypes so that later
 * code cannot add, change or delete properties on them. Object.freeze is
 * shallow, which is why each constructor and its prototype are listed
 * separately. After this runs, a write to one of these objects throws a
 * TypeError in strict-mode code and is silently ignored in sloppy mode.
 */
function freezeBuiltins() {
// Taken from https://github.com/snyk-labs/nopp/blob/main/index.js
const targets = [
Object,
Object.prototype,
Function,
// Function.prototype is intentionally not frozen, as it's used by mysql2.
// To be investigated later, including how that gap could be abused.
Array,
Array.prototype,
String,
String.prototype,
Number,
Number.prototype,
Boolean,
Boolean.prototype,
];
for (const target of targets) {
Object.freeze(target);
}
}