@prizemates/http-firewall
Version:
HTTP Firewall based on Spring Security HttpFirewall
216 lines (215 loc) • 8.55 kB
TypeScript
type PredicateType<T> = (x: T) => boolean;
export declare class Predicate<T> {
private condition;
constructor(condition: PredicateType<T>);
static of: <T_1>(condition: PredicateType<T_1>) => Predicate<T_1>;
private static isInstance;
and: (input: Predicate<T> | PredicateType<T>) => Predicate<T>;
or: (input: Predicate<T> | PredicateType<T>) => Predicate<T>;
not: () => Predicate<T>;
test: (x: T) => boolean;
}
export declare type HttpMethod = 'GET' | 'HEAD' | 'POST' | 'PUT' | 'PATCH' | 'DELETE' | 'OPTIONS' | 'TRACE';
/** Firewall initialization options */
export interface HttpFirewallOptions {
/**
* Sets if any HTTP method is allowed. If this set to true, then no validation on the
* HTTP method will be performed. This can open the application up to
* <a href="https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)"> HTTP
* Verb tampering and XST attacks</a>
*/
unsafeAllowAnyHttpMethod?: boolean;
/**
* <p>
* Determines which HTTP methods should be allowed. The default is to allow "DELETE",
* "GET", "HEAD", "OPTIONS", "PATCH", "POST", and "PUT".
* </p>
*/
allowedHttpMethods?: HttpMethod[];
/**
* <p>
* Determines if semicolon is allowed in the URL (i.e. matrix variables). The default
* is to disable this behavior because it is a common way of attempting to perform
* <a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File
* Download Attacks</a>. It is also the source of many exploits which bypass URL based
* security.
* </p>
* <p>
* For example, the following CVEs are a subset of the issues related to ambiguities
* in the Servlet Specification on how to treat semicolons that led to CVEs:
* </p>
* <ul>
* <li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>
* <li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>
* <li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>
* </ul>
*
* <p>
* If you are wanting to allow semicolons, please reconsider as it is a very common
* source of security bypasses. A few common reasons users want semicolons and
* alternatives are listed below:
* </p>
* <ul>
* <li>Including the JSESSIONID in the path - You should not include session id (or
* any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
* </li>
* <li>Matrix Variables - Users wanting to leverage Matrix Variables should consider
* using HTTP parameters instead.</li>
* </ul>
*
* Default is false
*/
allowSemicolon?: boolean;
/**
* <p>
* Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path
* or not. The default is to not allow this behavior because it is a common way to
* bypass URL based security.
* </p>
* <p>
* For example, due to ambiguities in the servlet specification, the value is not
* parsed consistently which results in different values in {@code HttpServletRequest}
* path related values which allow bypassing certain security constraints.
* </p>
*
* Default is false.
*/
allowUrlEncodedSlash?: boolean;
/**
* <p>
* Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in
* the path or not. The default is to not allow.
* </p>
* Default is false.
*/
allowUrlEncodedDoubleSlash?: boolean;
/**
* <p>
* Determines if a period "." that is URL encoded "%2E" should be allowed in the path
* or not. The default is to not allow this behavior because it is a frequent source
* of security exploits.
* </p>
* <p>
* For example, due to ambiguities in the servlet specification a URL encoded period
* might lead to bypassing security constraints through a directory traversal attack.
* This is because the path is not parsed consistently which results in different
* values in {@code HttpServletRequest} path related values which allow bypassing
* certain security constraints.
* </p>
* Default is false.
*/
allowUrlEncodedPeriod?: boolean;
/**
* <p>
* Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in
* the path or not. The default is not to allow this behavior because it is a frequent
* source of security exploits.
* </p>
* <p>
* For example, due to ambiguities in the servlet specification a URL encoded period
* might lead to bypassing security constraints through a directory traversal attack.
* This is because the path is not parsed consistently which results in different
* values in {@code HttpServletRequest} path related values which allow bypassing
* certain security constraints.
* </p>
* Default is false
*/
allowBackSlash?: boolean;
/**
* <p>
* Determines if a null "\0" or a URL encoded nul "%00" should be allowed in the path
* or not. The default is not to allow this behavior because it is a frequent source
* of security exploits.
* </p>
* Default is false
*/
allowNull?: boolean;
/**
* <p>
* Determines if a percent "%" that is URL encoded "%25" should be allowed in the path
* or not. The default is not to allow this behavior because it is a frequent source
* of security exploits.
* </p>
* <p>
* For example, this can lead to exploits that involve double URL encoding that lead
* to bypassing security constraints.
* </p>
* Default is false
*/
allowUrlEncodedPercent?: boolean;
/**
* Determines if a URL encoded Carriage Return is allowed in the path or not. The
* default is not to allow this behavior because it is a frequent source of security
* exploits.
* Default is false.
*/
allowUrlEncodedCarriageReturn?: boolean;
/**
* Determines if a URL encoded Line Feed is allowed in the path or not. The default is
* not to allow this behavior because it is a frequent source of security exploits.
* Default is false.
*/
allowUrlEncodedLineFeed?: boolean;
/**
* Determines if a URL encoded paragraph separator is allowed in the path or not. The
* default is not to allow this behavior because it is a frequent source of security
* exploits.
* Default is false.
*/
allowUrlEncodedParagraphSeparator?: boolean;
/**
* Determines if a URL encoded line separator is allowed in the path or not. The
* default is not to allow this behavior because it is a frequent source of security
* exploits.
* Default is false.
*/
allowUrlEncodedLineSeparator?: boolean;
/**
* <p>
* Determines which header names should be allowed. The default is to reject header
* names that contain ISO control characters and characters that are not defined.
* </p>
*/
allowedHeaderNames?: Predicate<string>;
/**
* <p>
* Determines which header values should be allowed. The default is to reject header
* values that contain ISO control characters and characters that are not defined.
* </p>
*/
allowedHeaderValues?: Predicate<string>;
/**
* Determines which parameter names should be allowed. The default is to reject header
* names that contain ISO control characters and characters that are not defined.
*/
allowedParameterNames?: Predicate<string>;
/**
* <p>
* Determines which parameter values should be allowed. The default is to allow any
* parameter value.
* </p>
*/
allowedParameterValues?: Predicate<string>;
/**
* <p>
* Determines which hostnames should be allowed. The default is to allow any hostname.
* </p>
*/
allowedHostnames?: Predicate<string>;
/**
* Whether to log rejections to console.
* Default is false
*/
logToConsole?: boolean;
/**
* A list of strings that are considered malicious in URLs. If these strings are found in the request URL, the
* request will be rejected.
*/
decodedUrlBlockList?: string[];
/**
* A list of strings that are considered malicious in encoded URLs. If these strings are found in the request URL, the
* request will be rejected.
*/
encodedUrlBlockList?: string[];
}
export {};