UNPKG

@aikidosec/firewall

Version:

Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks

aikido.dev/zen

AikidoSec/firewall-node

165 lines (164 loc) 8.64 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.inspectDNSLookupCalls = inspectDNSLookupCalls; const net_1 = require("net"); const Attack_1 = require("../../agent/Attack"); const Context_1 = require("../../agent/Context"); const cleanupStackTrace_1 = require("../../helpers/cleanupStackTrace"); const escapeHTML_1 = require("../../helpers/escapeHTML"); const isPlainObject_1 = require("../../helpers/isPlainObject"); const getMetadataForSSRFAttack_1 = require("./getMetadataForSSRFAttack"); const isPrivateIP_1 = require("./isPrivateIP"); const imds_1 = require("./imds"); const RequestContextStorage_1 = require("../../sinks/undici/RequestContextStorage"); const findHostnameInContext_1 = require("./findHostnameInContext"); const getRedirectOrigin_1 = require("./getRedirectOrigin"); const getPortFromURL_1 = require("../../helpers/getPortFromURL"); const getLibraryRoot_1 = require("../../helpers/getLibraryRoot"); const cleanError_1 = require("../../helpers/cleanError"); function inspectDNSLookupCalls(lookup, agent, module, operation, url, stackTraceCallingLocation) { return function inspectDNSLookup(...args) { const hostname = args.length > 0 && typeof args[0] === "string" ? args[0] : undefined; const callback = args.find((arg) => typeof arg === "function"); // If the hostname is an IP address, or if the callback is missing, we don't need to inspect the resolved IPs if (!hostname || (0, net_1.isIP)(hostname) || !callback) { return lookup(...args); } const options = args.find((arg) => (0, isPlainObject_1.isPlainObject)(arg)); const argsToApply = options ? [ hostname, options, wrapDNSLookupCallback(callback, hostname, module, agent, operation, url, stackTraceCallingLocation), ] : [ hostname, wrapDNSLookupCallback(callback, hostname, module, agent, operation, url, stackTraceCallingLocation), ]; lookup(...argsToApply); }; } // eslint-disable-next-line max-lines-per-function function wrapDNSLookupCallback(callback, hostname, module, agent, operation, urlArg, callingLocationStackTrace) { // eslint-disable-next-line max-lines-per-function return function wrappedDNSLookupCallback(err, addresses, family) { if (err) { return callback(err); } const context = (0, Context_1.getContext)(); if (context) { const matches = agent.getConfig().getEndpoints(context); if (matches.find((endpoint) => endpoint.forceProtectionOff)) { // User disabled protection for this endpoint, we don't need to inspect the resolved IPs // Just call the original callback to allow the DNS lookup return callback(err, addresses, family); } } const resolvedIPAddresses = getResolvedIPAddresses(addresses); if (resolvesToIMDSIP(resolvedIPAddresses, hostname)) { // Block stored SSRF attack that target IMDS IP addresses // An attacker could have stored a hostname in a database that points to an IMDS IP address // We don't check if the user input contains the hostname because there's no context if (agent.shouldBlock()) { return callback(new Error(`Zen has blocked ${(0, Attack_1.attackKindHumanName)("ssrf")}: ${operation}(...) originating from unknown source`)); } } if (!context) { // If there's no context, we can't check if the hostname is in the context // Just call the original callback to allow the DNS lookup return callback(err, addresses, family); } // This is set if this resolve is part of an outgoing request that we are inspecting const requestContext = RequestContextStorage_1.RequestContextStorage.getStore(); let port; if (urlArg) { port = (0, getPortFromURL_1.getPortFromURL)(urlArg); } else if (requestContext) { port = requestContext.port; } const privateIP = resolvedIPAddresses.find(isPrivateIP_1.isPrivateIP); if (!privateIP) { // If the hostname doesn't resolve to a private IP address, it's not an SSRF attack // Just call the original callback to allow the DNS lookup return callback(err, addresses, family); } let found = (0, findHostnameInContext_1.findHostnameInContext)(hostname, context, port); // The hostname is not found in the context, check if it's a redirect if (!found && context.outgoingRequestRedirects) { let url; // Url arg is passed when wrapping node:http(s), but not for undici / fetch because of the way they are wrapped // For undici / fetch we need to get the url from the request context, which is an additional async context for outgoing requests, // not to be confused with the "normal" context used in wide parts of this library if (urlArg) { url = urlArg; } else if (requestContext) { url = new URL(requestContext.url); } if (url) { // Get the origin of the redirect chain (the first URL in the chain), if the URL is the result of a redirect const redirectOrigin = (0, getRedirectOrigin_1.getRedirectOrigin)(context.outgoingRequestRedirects, url); // If the URL is the result of a redirect, get the origin of the redirect chain for reporting the attack source if (redirectOrigin) { found = (0, findHostnameInContext_1.findHostnameInContext)(redirectOrigin.hostname, context, (0, getPortFromURL_1.getPortFromURL)(redirectOrigin)); } } } if (!found) { // If we can't find the hostname in the context, it's not an SSRF attack // Just call the original callback to allow the DNS lookup return callback(err, addresses, family); } const isBypassedIP = context && context.remoteAddress && agent.getConfig().isBypassedIP(context.remoteAddress); if (isBypassedIP) { // If the IP address is allowed, we don't need to block the request // Just call the original callback to allow the DNS lookup return callback(err, addresses, family); } // Used to get the stack trace of the calling location // We don't throw the error, we just use it to get the stack trace const stackTraceError = callingLocationStackTrace || new Error(); agent.onDetectedAttack({ module: module, operation: operation, kind: "ssrf", source: found.source, blocked: agent.shouldBlock(), stack: (0, cleanupStackTrace_1.cleanupStackTrace)(stackTraceError.stack, (0, getLibraryRoot_1.getLibraryRoot)()), paths: found.pathsToPayload, metadata: (0, getMetadataForSSRFAttack_1.getMetadataForSSRFAttack)({ hostname, port }), request: context, payload: found.payload, }); if (agent.shouldBlock()) { return callback((0, cleanError_1.cleanError)(new Error(`Zen has blocked ${(0, Attack_1.attackKindHumanName)("ssrf")}: ${operation}(...) originating from ${found.source}${(0, escapeHTML_1.escapeHTML)((found.pathsToPayload || []).join())}`))); } // If the attack should not be blocked // Just call the original callback to allow the DNS lookup return callback(err, addresses, family); }; } function getResolvedIPAddresses(addresses) { const resolvedIPAddresses = []; for (const address of Array.isArray(addresses) ? addresses : [addresses]) { if (typeof address === "string") { resolvedIPAddresses.push(address); continue; } if ((0, isPlainObject_1.isPlainObject)(address) && address.address) { resolvedIPAddresses.push(address.address); } } return resolvedIPAddresses; } function resolvesToIMDSIP(resolvedIPAddresses, hostname) { // Allow access to Google Cloud metadata service as you need to set specific headers to access it // We don't want to block legitimate requests if ((0, imds_1.isTrustedHostname)(hostname)) { return false; } return resolvedIPAddresses.some((ip) => (0, imds_1.isIMDSIPAddress)(ip)); }