Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks

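"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.isSafelyEncapsulated = isSafelyEncapsulated;
const getCurrentAndNextSegments_1 = require("../../helpers/getCurrentAndNextSegments");
// Quote characters that can delimit a shell word; user input only counts as
// encapsulated when it is wrapped in a matching pair of one of these.
const escapeChars = ['"', "'"];
// Characters that keep a special meaning inside a double-quoted shell word:
// parameter/command substitution ($, `), escaping (\) and history expansion (!).
// https://www.gnu.org/software/bash/manual/html_node/Double-Quotes.html
const dangerousCharsInsideDoubleQuotes = ["$", "`", "\\", "!"];
/**
 * Reports whether the quote character that ends `segment` is escaped by a backslash.
 *
 * Outside of single quotes, `\'` and `\"` are literal quote characters, so a
 * backslash-escaped quote directly in front of the user input does not open a
 * quoted word and the input is NOT encapsulated by it. An odd run of backslashes
 * escapes the quote; an even run is a sequence of escaped backslashes followed
 * by a real quote. This is deliberately conservative: a command such as
 * `"abc\"` + input + `"` is rejected even though the input is still inside the
 * outer double quotes, because this function does not track quoting state.
 *
 * @param {string} segment - The text preceding the user input, ending with the
 *   quote character under inspection.
 * @returns {boolean} true when the trailing quote is backslash-escaped.
 */
function endsWithEscapedQuote(segment) {
    let backslashes = 0;
    // Walk backwards from the character before the trailing quote while it is a backslash.
    for (let i = segment.length - 2; i >= 0 && segment[i] === "\\"; i -= 1) {
        backslashes += 1;
    }
    return backslashes % 2 === 1;
}
/**
 * Decides whether every occurrence of `userInput` in `command` is wrapped in a
 * matching pair of quotes in a way that keeps the shell from interpreting it.
 *
 * For each occurrence only the characters immediately before and after the
 * input are inspected: both must be the same quote character, the opening
 * quote must not be backslash-escaped, the input must not contain that quote
 * (which would close the word early), and inside double quotes the input must
 * not contain any of `dangerousCharsInsideDoubleQuotes`. Inside single quotes
 * no character is special.
 * https://www.gnu.org/software/bash/manual/html_node/Single-Quotes.html
 *
 * NOTE(review): this is a local heuristic, not a shell tokenizer. It does not
 * track quoting state across the whole command, so a quote that is itself part
 * of an enclosing quoted word (e.g. a `'` sitting inside an open `"..."`) is
 * still treated as a delimiter. A true result means "looks encapsulated", not
 * a proof of safety; a full tokenizer would be needed for that.
 *
 * NOTE(review): an empty `userInput` makes `command.split("")` split on every
 * character; the caller is presumably expected to reject empty input before
 * calling this — confirm.
 *
 * @param {string} command - The full shell command string.
 * @param {string} userInput - The untrusted value that appears in `command`.
 * @returns {boolean} true when every occurrence of `userInput` is quoted as
 *   described above.
 */
function isSafelyEncapsulated(command, userInput) {
    const segments = command.split(userInput);
    const pairs = getCurrentAndNextSegments_1.getCurrentAndNextSegments(segments);
    return pairs.every(({ currentSegment, nextSegment }) => {
        const charBeforeUserInput = currentSegment.slice(-1);
        const charAfterUserInput = nextSegment.slice(0, 1);
        // The character before the input must be one of the quote characters.
        const quote = escapeChars.find((char) => char === charBeforeUserInput);
        if (!quote) {
            return false;
        }
        // The closing quote must match the opening one.
        if (charAfterUserInput !== quote) {
            return false;
        }
        // A backslash-escaped quote is a literal character, not a word delimiter,
        // so the input would actually sit outside (or after) the quoted word.
        if (endsWithEscapedQuote(currentSegment)) {
            return false;
        }
        // The input must not be able to close the quoted word itself.
        if (userInput.includes(quote)) {
            return false;
        }
        // Single quotes neutralise everything; double quotes still expand a few characters.
        if (quote === '"' &&
            dangerousCharsInsideDoubleQuotes.some((char) => userInput.includes(char))) {
            return false;
        }
        return true;
    });
}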