UNPKG

@aikidosec/firewall

Version:

Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.

aikido.dev/zen

AikidoSec/firewall-node

88 lines (87 loc) 2.8 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
"use strict"; // Based on https://github.com/demskie/netparser // MIT License - Copyright (c) 2019 alex Object.defineProperty(exports, "__esModule", { value: true }); exports.IPMatcher = void 0; const shared = require("./shared"); const sort = require("./sort"); const Network_1 = require("./Network"); class IPMatcher { constructor(networks) { this.sorted = []; const subnets = []; if (networks) { for (const s of networks) { const net = shared.parseBaseNetwork(s, false); if (net && net.isValid()) { subnets.push(net); } } shared.sortNetworks(subnets); this.sorted = shared.summarizeSortedNetworks(subnets); } } // Checks if the given IP address is in the list of networks. has(network) { const net = shared.parseBaseNetwork(network, false); if (!net || !net.isValid()) { return false; } const idx = sort.binarySearchForInsertionIndex(net, this.sorted); if (idx < 0) { return false; } if (idx < this.sorted.length && this.sorted[idx].contains(net)) { return true; } if (idx - 1 >= 0 && this.sorted[idx - 1].contains(net)) { return true; } return false; } add(network) { const net = shared.parseBaseNetwork(network, false); if (!net || !net.isValid()) { return this; } const idx = sort.binarySearchForInsertionIndex(net, this.sorted); if (idx < this.sorted.length && this.sorted[idx].compare(net) === 0) { return this; } this.sorted.splice(idx, 0, net); return this; } // Checks if the given IP address is in the list of networks, // also checking the IPv4 address if it's an IPv4-mapped IPv6 address. hasWithMappedCheck(ip) { if (this.has(ip)) { return true; } const ipv4 = this.extractIPv4FromMapped(ip); if (ipv4) { return this.has(ipv4); } return false; } extractIPv4FromMapped(ip) { const net = new Network_1.Network(ip); if (!net.isValid()) { return null; } const bytes = net.addr.bytes(); if (bytes.length !== 16) { return null; } // Check IPv4-mapped: first 10 bytes = 0, bytes 10-11 = 0xffff for (let i = 0; i < 10; i++) { if (bytes[i] !== 0) { return null; } } if (bytes[10] !== 255 || bytes[11] !== 255) { return null; } return `${bytes[12]}.${bytes[13]}.${bytes[14]}.${bytes[15]}`; } } exports.IPMatcher = IPMatcher;