UNPKG

onguard

Version:

RegExp attack-defense & IP-blacklisting for ExpressJS and HarperDB

github.com/geekhunger/onguard

geekhunger/onguard

180 lines (154 loc) 7.52 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
const {HarperDB} = require("node-harperdb") const {check: type, assert} = require("type-approve") const clamp = function(value, min = 0, max = 1) { return Math.min(Math.max(value, min), max) } const trimDecimals = function(number, length) { const expression = new RegExp('^-?\\d+(?:\.\\d{0,' + (length || -1) + '})?') return number.toString().match(expression)[0] } const parseInfinity = function(value) { switch(value.toString().toLowerCase()) { case "infinity": return Infinity case "-infinity": return -Infinity default: return value } } module.exports = settings => config.call(module.exports, settings) module.exports.defend = (...params) => { if(!(module.exports.clients instanceof HarperDB && module.exports.requests instanceof HarperDB)) { return config.apply(module.exports, params) } return middleware.apply(module.exports, params) } module.exports.attacks = require("./collection") module.exports.Pattern = require("./attack") const config = function(settings) { assert( type({object: settings}) && type({ object: settings.harperdb, strings: [ settings.harperdb.instance, settings.harperdb.auth, settings.harperdb.schema ] }) && type( {nil: settings.attempts}, {integer: settings.attempts} ), "Malformed configuration!" ) this.clients = new HarperDB( settings.harperdb.instance, settings.harperdb.auth, settings.harperdb.schema, "clients" ) this.requests = new HarperDB( settings.harperdb.instance, settings.harperdb.auth, settings.harperdb.schema, "requests" ) this.attempts = clamp(settings.attempts ?? 10, 1, Infinity) this.rate = clamp(settings.attempts ?? 12, 1, Infinity) // maximal count of request per hour this.decorator = "violation" // express request decorator name return this.defend } const middleware = async function(request, response, next) { const url = request.protocol + '://' + request.headers.host + request.originalUrl let violation = {intent: "GOOD"} // have faith in humanity... xD try { assert( type({nil: request[this.decorator]}), "Request decorator already occupied!" ) assert( this.db instanceof HarperDB && type({ integer: this.attempts, string: this.decorator }), "Missing configuration!" ) request[this.decorator] = violation // add a new express request decorator for(const [name, attack] of this.attacks.entries()) { const patterns = attack.match(url) if(patterns.length > 0) { violation.name = name violation.patterns = patterns.map(regex => regex.toString()) violation.intent = "EVIL" // ...sometimes humanity will still disappoint you. response.status(403) // well, then cut the ropes! (403 Access Forbidden) break } } } catch(error) { //response.status(500) // 500 Internal Server Error //return next(`Couldn't verify the intent of the request from ${request.ip} to ${request.method.toUpperCase()} ${url} because of: ${error.message}`) console.warn(`Couldn't verify the intent of the request from ${request.ip} to ${request.method.toUpperCase()} ${url} because of: ${error.message}`) return next() } try { // TODO fetch timestamps as well and calculate rate-limit: if too many requests then return 429 Too Many Requests status code! // TODO don't show blacklisted requests in logfile when threshold exeeded by more than 10x! const suspects = await this.clients.select({ip: request.ip}) const attempts = await this.requests.select({ip: request.ip, intent: "EVIL"}, Math.max(this.attempts, this.rate)) const observed = suspects.length > 0 || attempts.length > 0 const blacklisted = observed ? suspects.some(client => client.blacklisted === true) : attempts.length >= this.attempts const whitelisted = observed ? suspects.some(client => client.whitelisted === true) : false const outpaced = attempts.filter(req => Date.now() / 1000 - req.__createdtime__ <= 3600).length >= this.rate //if(suspects.length > 1) {/*NOTICE: db has duplicates!*/} //if(blacklisted && whitelisted) {/*NOTICE: conflict (considered blacklisted)!*/} const query = await db.drain().catch(() => []) // siliently catch errors and convert response into an empty array! const record = Object.assign({}, ...query.flat()) const observed = record.length > 0 // client is being observed (low severity) const attempts = record .map(req => parseInfinity(req.attempts)) .reduce((sum, count) => sum + count, 0) const blacklisted = attempts >= this.attempts // attacker being observed (hight severity) if(violation.intent === "GOOD" && !blacklisted) { violation.attempts = attempts // show all previously/current recorded violations return next() } // NOTE: From here, the client has either a BAD intent or has already been blacklisted! response.status(403) // good becomes evil when blacklisted (403 Access Forbidden) const receipt = await this.db.upsert({ ip: request.ip, intent: violation.intent, method: request.method, url: url, violations: violation.patterns, // object with attack name and attack patterns that match the request.originalUrl attempts: 1, // NOTE: Every request happens only ones! But in case you want to blacklist an IP manually, you can set this to larger than this.attempts in your database and the client will be blocked every time. headers: request.headers, payload: request.body }) let notification = [ `Detected suspicious request from ${request.ip} with ${violation.intent} intent.`, `Request to ${request.method.toUpperCase()} ${url} has been rejected!` ] if(blacklisted) { notification.push( `Client IP ${request.ip} is a well-known blacklist candidate and has already exceeded the blacklisting quota limits (max attempts: ${this.attempts}) by a factor of ${trimDecimals(attempts / this.attempts, 1)}x.` ) } else if(attempts > 1) { notification.push( `Client IP ${request.ip} is a known suspect and has been blocked ${attempts}x so far.` ) if(observed) { notification.push( `(${this.attempts - attempts} attempts left until client becomes blacklisted!)` ) } } if(observed) notification.push(`Database record ${receipt.upserted_hashes.join(", ")} has been updated.`) else notification.push(`Database record ${receipt.upserted_hashes.join(", ")} has been created.`) return next(notification.join("\n")) } catch(error) { response.status(500) // 500 Internal Server Error return next(`Failed processing suspicious request from ${request.ip} to ${request.method.toUpperCase()} ${url} because of: ${error.message}`) } }