express-waf
A simple Web Application Firewall (WAF)
(function() {
// Module-scoped collaborators, assigned once by the CSRF constructor below and
// read by the helper functions. _blocker and _logger are stored but never used
// anywhere in this file.
var _config;
var _blocker;
var _logger;
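/**
 * CSRF heuristic for express-waf.
 * @param {Object} config  expects `attack.handle(req, res)` plus the optional
 *                         `allowedOrigins`, `refererIndependentUrls`,
 *                         `allowedMethods` / `blockedMethods` lists
 * @param {*} blocker      stored but not used by this module
 * @param {*} logger       stored but not used by this module
 */
function CSRF(config, blocker, logger) {
    // Kept in module scope so the plain helper functions can reach them.
    _config = config;
    _blocker = blocker;
    _logger = logger;
}
/**
 * Returns the lower-cased authority (`host` or `host:port`) of an absolute
 * URL such as a Referer value, or null when the value is not an absolute URL.
 * The pattern is a fixed literal on purpose: the header is attacker
 * controlled and must never be compiled into a RegExp (that allowed `.`-style
 * wildcards, ReDoS and syntax errors thrown from the middleware).
 * @param {*} value  raw header value
 * @returns {?string}
 */
function authorityOf(value) {
    var match = /^[a-zA-Z][a-zA-Z0-9+.\-]*:\/\/([^\/?#]*)/.exec(String(value));
    return match ? match[1].toLowerCase() : null;
}
/**
 * True only when the Referer's authority is exactly the request's Host
 * header, compared case-insensitively with the port included. A Referer that
 * is not an absolute URL, or that carries userinfo (`user@host`), never
 * matches; browsers do not emit such values, so they are treated as foreign.
 * NOTE(review): Host is whatever the edge delivered; if a reverse proxy
 * rewrites it, the allowed referer changes with it — confirm for deployment.
 * @param {*} referer  raw Referer / X-Referer header value
 * @param {*} host     raw Host header value
 * @returns {boolean}
 */
function refererMatchesHost(referer, host) {
    if (!host) {
        // Nothing to compare against: fail closed rather than guess.
        return false;
    }
    var refererAuthority = authorityOf(referer);
    return refererAuthority !== null && refererAuthority === String(host).toLowerCase();
}
/**
 * Middleware entry point called by express-waf for every request. Decisions
 * are taken in this order, the first one that fires wins:
 *   1. an Origin header that is not in `allowedOrigins` is blocked;
 *   2. a path matching `refererIndependentUrls` (or `/` when that list is
 *      absent) is passed through with no further checks;
 *   3. a method rejected by `allowedMethods` / `blockedMethods` is blocked;
 *   4. requests without a User-Agent, and requests without a Referer, are
 *      passed through;
 *   5. otherwise the Referer's host must equal the Host header.
 * Step 4 makes this a heuristic only: a cross-site page can suppress the
 * Referer (e.g. with a no-referrer referrer policy) and skip step 5, so pair
 * this with a token-based CSRF defence for state-changing routes.
 * @param req   Express request
 * @param res   Express response, handed to `config.attack.handle` on a block
 * @param next  continuation for accepted requests
 */
CSRF.prototype.check = function (req, res, next) {
    // X-Referer is a non-standard fallback; presumably for clients or proxies
    // that strip Referer — TODO confirm against the express-waf docs.
    var referer = req.headers['referer'] || req.headers['x-referer'];
    // 1. CORS allow-list on the Origin header.
    if (!filterByOrigin(req)) {
        _config.attack.handle(req, res);
        return;
    }
    // 2. Paths that are explicitly exempt from the referer check.
    if (filterByUrls(req.url)) {
        next();
        return;
    }
    // 3. Method allow/deny list.
    if (!filterByMethods(req)) {
        _config.attack.handle(req, res);
        return;
    }
    // 4. Policy exemptions: no User-Agent (assumed non-browser) and no Referer.
    if (!req.headers['user-agent']) {
        next();
        return;
    }
    if (!referer) {
        next();
        return;
    }
    // 5. The Referer must point at this host; anything else is a CSRF attempt.
    if (!refererMatchesHost(referer, req.headers.host)) {
        _config.attack.handle(req, res);
        return;
    }
    next();
};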
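/**
 * Origin allow-list for cross-origin requests. Only consulted when both
 * `config.allowedOrigins` is set and the request carries an Origin header;
 * in every other case the request passes this stage.
 * Matching is exact and case-sensitive (`Origin` values are serialised
 * lower-case by browsers). NOTE(review): browsers also send Origin on
 * same-origin non-GET requests, so the application's own origin must be in
 * the list or its own forms are blocked — confirm for deployment.
 * @param req  Express request
 * @returns {boolean} true when the request may continue
 */
function filterByOrigin(req) {
    var allowed = _config.allowedOrigins;
    var origin = req.headers['origin'];
    if (!allowed || !origin) {
        return true;
    }
    // [].concat turns a single string into a one-element list, so the check
    // below is always an exact comparison; String#indexOf on a bare string
    // config would accept any origin that is a prefix/substring of it.
    return [].concat(allowed).indexOf(origin) > -1;
}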
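/**
 * Decides whether `url` is exempt from the referer check.
 * With `config.refererIndependentUrls` set, the path part of the URL (query
 * string stripped) is tested against each configured pattern with
 * `new RegExp(pattern)`; the patterns are not anchored automatically, so a
 * pattern like `/api` also exempts `/admin/api` — anchor them in config.
 * Without that setting only `/` is exempt.
 * Iterates own keys only (`Object.keys`) rather than `for...in`, so an
 * enumerable property added to Array.prototype by another library is not
 * compiled into a pattern.
 * @param {string} url  request URL as seen by Express
 * @returns {boolean} true when the URL needs no referer
 */
function filterByUrls(url) {
    var patterns = _config.refererIndependentUrls;
    if (!patterns) {
        return url === '/';
    }
    var path = url.split('?')[0];
    return Object.keys(patterns).some(function (key) {
        return new RegExp(patterns[key]).test(path);
    });
}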
/**
 * Method allow/deny list. `config.allowedMethods` wins when present (only
 * the listed methods pass); otherwise `config.blockedMethods` is consulted
 * (listed methods are rejected); with neither configured every method passes.
 * Comparison is exact, using the method string Node provides.
 * @param req  Express request
 * @returns {boolean} true when the method is permitted
 */
function filterByMethods(req) {
    var method = req.method;
    var allowList = _config.allowedMethods;
    if (allowList) {
        return allowList.indexOf(method) > -1;
    }
    var denyList = _config.blockedMethods;
    if (denyList) {
        return denyList.indexOf(method) === -1;
    }
    return true;
}
// CommonJS export of the constructor; the caller is expected to instantiate
// it as new CSRF(config, blocker, logger) and invoke .check as middleware.
module.exports = CSRF;
})();