;
// CommonJS interop marker emitted by the TypeScript compiler; it lets
// `import` consumers treat this file as a proper module namespace.
Object.defineProperty(exports, "__esModule", { value: true });
// Function declarations are hoisted, so publishing them before their
// definitions further down the file is safe.
Object.assign(exports, { isIMDSIPAddress, isTrustedHostname });
// Project helpers (paths are relative to this compiled file). The `_1`
// suffixed module bindings are TypeScript's CommonJS emit and are
// referenced by the code below, so their names must stay as they are.
const addIPv4MappedAddresses_1 = require("../../helpers/addIPv4MappedAddresses");
const IPMatcher_1 = require("../../helpers/ip-matcher/IPMatcher");
const normalizeHostname_1 = require("../../helpers/normalizeHostname");
// Addresses of the cloud instance metadata service (IMDS). Outbound requests
// to these must be refused: a (stored) SSRF that reaches IMDS can read
// instance credentials and configuration.
//   169.254.169.254 - link-local IMDS address shared by AWS, GCP, Azure and others
//   fd00:ec2::254   - AWS IMDS over IPv6
//   100.100.100.200 - Alibaba Cloud metadata endpoint
// The list is tiny and consulted on every outbound request, so the
// IPv4-mapped IPv6 variants (presumably `::ffff:a.b.c.d` - see the helper)
// are added once at construction time instead of on each lookup.
const { addIPv4MappedAddresses } = addIPv4MappedAddresses_1;
const { IPMatcher } = IPMatcher_1;
const IMDS_ADDRESS_LIST = [
  "169.254.169.254",
  "fd00:ec2::254",
  "100.100.100.200",
];
const IMDSAddresses = new IPMatcher(addIPv4MappedAddresses(IMDS_ADDRESS_LIST));
/**
 * Returns true when `ip` is one of the instance metadata service (IMDS)
 * addresses held in `IMDSAddresses` (the listed addresses plus their
 * IPv4-mapped forms). Intended for refusing outbound requests that would
 * otherwise reach the metadata service.
 *
 * @param {string} ip - address to check; presumably a plain IPv4/IPv6
 *   string, whatever `IPMatcher.has` accepts - confirm against the helper
 * @returns {boolean} true if the address is an IMDS address
 */
function isIMDSIPAddress(ip) {
  const targetsMetadataService = IMDSAddresses.has(ip);
  return targetsMetadataService;
}
// Google Cloud serves its metadata on the same IMDS addresses, but only
// answers requests that carry the provider-specific header
// (`Metadata-Flavor: Google`); a plain SSRF without that header gets nothing.
// So that legitimate GCP metadata lookups keep working, requests addressed
// to these hostnames are allowed through the IMDS block.
const trustedHosts = [
  "metadata.google.internal",
  "metadata.goog",
];
/**
 * Returns true when `hostname` is one of the `trustedHosts` that may
 * contact the metadata service (currently the Google Cloud metadata names).
 * The name is lower-cased and then passed through `normalizeHostname`
 * before the exact-match lookup.
 *
 * NOTE(review): whether variants such as a trailing dot
 * ("metadata.goog.") are folded into the canonical form depends on
 * `normalizeHostname` - confirm against that helper.
 *
 * @param {string} hostname - hostname of the outbound request; must be a
 *   string, since `toLowerCase` is called on it unconditionally
 * @returns {boolean} true if the hostname is on the trusted list
 */
function isTrustedHostname(hostname) {
  const lowercased = hostname.toLowerCase();
  const normalized = (0, normalizeHostname_1.normalizeHostname)(lowercased);
  return trustedHosts.includes(normalized);
}