Simplify setup

Makefile

@@ -4,27 +4,27 @@ containers:
 
 .PHONY: express-mongodb
 express-mongodb:
-	cd sample-apps/express-mongodb && node app.js
+	cd sample-apps/express-mongodb && AIKIDO_DEBUG=true node app.js
 
 .PHONY: express-mongoose
 express-mongoose:
-	cd sample-apps/express-mongoose && node app.js
+	cd sample-apps/express-mongoose && AIKIDO_DEBUG=true node app.js
 
 .PHONY: express-postgres
 express-postgres:
-	cd sample-apps/express-postgres && node app.js
+	cd sample-apps/express-postgres && AIKIDO_DEBUG=true node app.js
 
 .PHONY: express-mysql
 express-mysql:
-	cd sample-apps/express-mysql && node app.js
+	cd sample-apps/express-mysql && AIKIDO_DEBUG=true node app.js
 
 .PHONY: express-mysql2
 express-mysql2:
-	cd sample-apps/express-mysql2 && node app.js
+	cd sample-apps/express-mysql2 && AIKIDO_DEBUG=true node app.js
 
 .PHONY: express-mariadb
 express-mariadb:
-	cd sample-apps/express-mariadb && node app.js
+	cd sample-apps/express-mariadb && AIKIDO_DEBUG=true node app.js
 
 .PHONY: lambda-mongodb-nosql-injection
 lambda-mongodb-nosql-injection:

docs/cloud-functions.md

@@ -3,9 +3,7 @@
 If you're using the `@google-cloud/functions-framework` package to register your handlers, your cloud function will be protected by Aikido runtime automatically:
 
 ```js
-const { protect } = require("@aikidosec/runtime");
-
-protect(); // <-- Call this before any other code or imports
+require("@aikidosec/runtime"); // <-- Call this before any other code or imports
 
 const functions = require("@google-cloud/functions-framework");
 
@@ -14,14 +12,20 @@ functions.http("handler", async (req, res) => {
 });
 ```
 
+or ESM import style:
+
+```js
+import '@aikidosec/runtime';
+
+// ...
+```
+
 If you're using the `exports.handler` style, you'll need to wrap your handler manually.
 
 At the very beginning of the file that contains your handler, add the following line:
 
 ```js
-const { cloudFunction } = require("@aikidosec/runtime");
-
-const protect = cloudFunction(); // <-- Call this before any other code or imports
+const protect = require("@aikidosec/runtime/cloud-function"); // <-- Call this before any other code or imports
 
 const dependency = require("dependency");
 
@@ -33,7 +37,9 @@ exports.handler = protect(async (event, context) => { // <-- Wrap your handler w
 or ESM import style:
 
 ```js
-import { cloudFunction } from '@aikidosec/runtime';
+import protect from '@aikidosec/runtime/cloud-function';
+
+// ...
 ```
 
 That's it! Your cloud function is now protected by Aikido runtime.
@@ -48,10 +54,6 @@ Read [Protect against prototype pollution](./prototype-pollution.md) to learn ho
 
 ## Debug mode
 
-If you need to debug the runtime, you can set the `debug` option to `true`:
-
-```js
-protect({ debug: true });
-```
+If you need to debug the runtime, you can run your cloud function with the environment variable `AIKIDO_DEBUG` set to `true`.
 
 This will output debug information to the console (e.g. if the agent failed to start, no token was found, unsupported packages, ...).

docs/express.md

@@ -3,9 +3,7 @@
 At the very beginning of your app.js file, add the following line:
 
 ```js
-const { protect } = require('@aikidosec/runtime');
-
-protect(); // <-- Call this before any other code or imports
+require('@aikidosec/runtime'); // <-- Call this before any other code or imports
 
 const express = require('express');
 
@@ -17,7 +15,7 @@ const app = express();
 or ESM import style:
 
 ```js
-import { protect } from '@aikidosec/runtime';
+import '@aikidosec/runtime';
 
 // ...
 ```
@@ -34,10 +32,10 @@ Read [Protect against prototype pollution](./prototype-pollution.md) to learn ho
 
 ## Debug mode
 
-If you need to debug the runtime, you can set the `debug` option to `true`:
+If you need to debug the runtime, you can run your express app with the environment variable `AIKIDO_DEBUG` set to `true`:
 
-```js
-protect({ debug: true });
+```sh
+AIKIDO_DEBUG=true node app.js
 ```
 
 This will output debug information to the console (e.g. if the agent failed to start, no token was found, unsupported packages, ...).

docs/lambda.md

@@ -3,9 +3,7 @@
 At the very beginning of the file that contains your handler, add the following line:
 
 ```js
-const { lambda } = require("@aikidosec/runtime");
-
-const protect = lambda(); // <-- Call this before any other code or imports
+const protect = require("@aikidosec/runtime/lambda"); // <-- Call this before any other code or imports
 
 const dependency = require("dependency");
 
@@ -17,13 +15,16 @@ exports.handler = protect(async (event, context) => { // <-- Wrap your handler w
 or ESM import style:
 
 ```js
-import { lambda } from '@aikidosec/runtime';
+import protect from '@aikidosec/runtime/lambda';
+
+// ...
 ```
 
-In order for the runtime to work properly, we need the following event properties to be present:
+Right now, we support the following triggers:
+- Gateway API
+- SQS (Simple Queue Service)
 
-* `event.body`
-* `event.headers`
+- If you're using a different trigger, please let us know.
 
 That's it! Your AWS Lambda function is now protected by Aikido runtime.
 
@@ -37,10 +38,6 @@ Read [Protect against prototype pollution](./prototype-pollution.md) to learn ho
 
 ## Debug mode
 
-If you need to debug the runtime, you can set the `debug` option to `true`:
-
-```js
-protect({ debug: true });
-```
+If you need to debug the runtime, you can run your lambda with the environment variable `AIKIDO_DEBUG` set to `true`.
 
 This will output debug information to the console (e.g. if the agent failed to start, no token was found, unsupported packages, ...).

docs/prototype-pollution.md

@@ -6,14 +6,12 @@ It works by calling [Object.freeze](https://developer.mozilla.org/en-US/docs/Web
 
 > The `Object.freeze()` method freezes an object. A frozen object can no longer be changed; freezing an object prevents new properties from being added to it, existing properties from being removed, prevents changing the enumerability, configurability, or writability of existing properties, and prevents the values of existing properties from being changed.
 
-We believe that there are legitimate cases of prototype changes, but they should happen only during the initialization step. Hence, we recommend calling `preventPrototypePollution` when your application is initialised.
+We believe that there are legitimate cases of prototype changes, but they should happen only during the initialization step. Hence, we recommend requiring `@aikidosec/runtime/nopp` after your main imports.
 
 ```js
-import { preventPrototypePollution } from '@aikidosec/runtime';
+const express = require('express');
 
-import express from 'express';
-
-preventPrototypePollution(); // <-- Call this after your main imports
+require('@aikidosec/runtime/nopp'); // <-- Call this after your main imports
 
 const app = express();
 
@@ -26,34 +24,32 @@ app.listen(3000, () => {
 });
 ```
 
-using CommonJS:
+or ESM import style:
 
 ```js
-const { preventPrototypePollution } = require('@aikidosec/runtime');
+import '@aikidosec/runtime/nopp';
 ```
 
 together with `protect`:
 
 ```js
-import { protect, preventPrototypePollution } from '@aikidosec/runtime';
-
-protect(); // <-- Call this before any other code or imports
+import '@aikidosec/runtime'; // <-- Call this before any other code or imports
 
 import express from 'express';
 
-preventPrototypePollution(); // <-- Call this after your main imports
+import '@aikidosec/runtime/nopp'; // <-- Call this after your main imports
 
 // ...
 ```
 
-## WARNING: Read this before using `preventPrototypePollution`
+## WARNING: Read this before using `@aikidosec/runtime/nopp`
 
-This might break your application or result in strange errors if you are using libraries that rely on changing the prototype of built-in objects after your application has started. We recommend testing your application thoroughly after calling `preventPrototypePollution`.
+This might break your application or result in strange errors if you are using libraries that rely on changing the prototype of built-in objects after your application has started. We recommend testing your application thoroughly after requiring `@aikidosec/runtime/nopp`.
 
 You should enable this on your staging environment for a considerable amount of time before enabling it on your production environment (e.g. one week).
 
 ## Incompatible packages
 
-Some packages may not work properly when `preventPrototypePollution` is called, these are some of the known packages:
+Some packages may not work properly when `@aikidosec/runtime/nopp` is required, these are some of the known packages:
 
 * [mongoose](https://www.npmjs.com/package/mongoose) (versions 1.x to 4.x)

docs/pubsub.md

@@ -3,9 +3,7 @@
 At the very beginning of your app.js file, add the following line:
 
 ```js
-const { protect } = require('@aikidosec/guard');
-
-protect(); // <-- Call this before any other code or imports
+require('@aikidosec/runtime'); // <-- Call this before any other code or imports
 
 const { PubSub } = require('@google-cloud/pubsub');
 
@@ -24,7 +22,7 @@ subscription.on('message', (message) => {
 or ESM import style:
 
 ```js
-import { protect } from '@aikidosec/guard';
+import '@aikidosec/runtime';
 
 // ...
 ```
@@ -41,10 +39,6 @@ Read [Protect against prototype pollution](./prototype-pollution.md) to learn ho
 
 ## Debug mode
 
-If you need to debug the guard, you can set the `debug` option to `true`:
-
-```js
-protect({ debug: true });
-```
+If you need to debug the runtime, you can run your consumer with the environment variable `AIKIDO_DEBUG` set to `true`.
 
 This will output debug information to the console (e.g. if the agent failed to start, no token was found, unsupported packages, ...).

end2end/tests/big-payloads.test.js

@@ -11,7 +11,9 @@ const pathToApp = resolve(
 );
 
 t.test("it does not crash if many attacks with big payloads", (t) => {
-  const server = spawn(`node`, [pathToApp, "4000"]);
+  const server = spawn(`node`, [pathToApp, "4000"], {
+    env: { ...process.env, AIKIDO_DEBUG: "true" },
+  });
 
   server.on("close", () => {
     t.end();

end2end/tests/express-mongodb.shell-injection.test.js

@@ -10,7 +10,9 @@ const pathToApp = resolve(
 );
 
 t.test("it blocks in blocking mode", (t) => {
-  const server = spawn(`node`, [pathToApp, "4000"]);
+  const server = spawn(`node`, [pathToApp, "4000"], {
+    env: { ...process.env, AIKIDO_DEBUG: "true" },
+  });
 
   server.on("close", () => {
     t.end();
@@ -72,7 +74,7 @@ t.test("it blocks in blocking mode", (t) => {
 
 t.test("it does not block in dry mode", (t) => {
   const server = spawn(`node`, [pathToApp, "4001"], {
-    env: { ...process.env, AIKIDO_NO_BLOCKING: "true" },
+    env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_NO_BLOCKING: "true" },
   });
 
   server.on("close", () => {

end2end/tests/express-mongodb.test.js

@@ -10,7 +10,9 @@ const pathToApp = resolve(
 );
 
 t.test("it blocks in blocking mode", (t) => {
-  const server = spawn(`node`, [pathToApp, "4000"]);
+  const server = spawn(`node`, [pathToApp, "4000"], {
+    env: { ...process.env, AIKIDO_DEBUG: "true" },
+  });
 
   server.on("close", () => {
     t.end();
@@ -58,7 +60,7 @@ t.test("it blocks in blocking mode", (t) => {
 
 t.test("it does not block in dry mode", (t) => {
   const server = spawn(`node`, [pathToApp, "4001"], {
-    env: { ...process.env, AIKIDO_NO_BLOCKING: "true" },
+    env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_NO_BLOCKING: "true" },
   });
 
   server.on("close", () => {

end2end/tests/express-mongoose.test.js

@@ -10,7 +10,9 @@ const pathToApp = resolve(
 );
 
 t.test("it blocks in blocking mode", (t) => {
-  const server = spawn(`node`, [pathToApp, "4000"]);
+  const server = spawn(`node`, [pathToApp, "4000"], {
+    env: { ...process.env, AIKIDO_DEBUG: "true" },
+  });
 
   server.on("close", () => {
     t.end();
@@ -58,7 +60,7 @@ t.test("it blocks in blocking mode", (t) => {
 
 t.test("it does not block in dry mode", (t) => {
   const server = spawn(`node`, [pathToApp, "4001"], {
-    env: { ...process.env, AIKIDO_NO_BLOCKING: "true" },
+    env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_NO_BLOCKING: "true" },
   });
 
   server.on("close", () => {

end2end/tests/express-mysql.test.js

@@ -10,7 +10,9 @@ const pathToApp = resolve(
 );
 
 t.test("it blocks in blocking mode", (t) => {
-  const server = spawn(`node`, [pathToApp, "4000"]);
+  const server = spawn(`node`, [pathToApp, "4000"], {
+    env: { ...process.env, AIKIDO_DEBUG: "true" },
+  });
 
   server.on("close", () => {
     t.end();
@@ -61,7 +63,7 @@ t.test("it blocks in blocking mode", (t) => {
 
 t.test("it does not block in dry mode", (t) => {
   const server = spawn(`node`, [pathToApp, "4001"], {
-    env: { ...process.env, AIKIDO_NO_BLOCKING: "true" },
+    env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_NO_BLOCKING: "true" },
   });
 
   server.on("close", () => {

end2end/tests/express-mysql2.test.js

@@ -10,7 +10,9 @@ const pathToApp = resolve(
 );
 
 t.test("it blocks in blocking mode", (t) => {
-  const server = spawn(`node`, [pathToApp, "4000"]);
+  const server = spawn(`node`, [pathToApp, "4000"], {
+    env: { ...process.env, AIKIDO_DEBUG: "true" },
+  });
 
   server.on("close", () => {
     t.end();
@@ -61,7 +63,7 @@ t.test("it blocks in blocking mode", (t) => {
 
 t.test("it does not block in dry mode", (t) => {
   const server = spawn(`node`, [pathToApp, "4001"], {
-    env: { ...process.env, AIKIDO_NO_BLOCKING: "true" },
+    env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_NO_BLOCKING: "true" },
   });
 
   server.on("close", () => {

end2end/tests/express-postgres.test.js

@@ -10,7 +10,9 @@ const pathToApp = resolve(
 );
 
 t.test("it blocks in blocking mode", (t) => {
-  const server = spawn(`node`, [pathToApp, "4000"]);
+  const server = spawn(`node`, [pathToApp, "4000"], {
+    env: { ...process.env, AIKIDO_DEBUG: "true" },
+  });
 
   server.on("close", () => {
     t.end();
@@ -61,7 +63,7 @@ t.test("it blocks in blocking mode", (t) => {
 
 t.test("it does not block in dry mode", (t) => {
   const server = spawn(`node`, [pathToApp, "4001"], {
-    env: { ...process.env, AIKIDO_NO_BLOCKING: "true" },
+    env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_NO_BLOCKING: "true" },
   });
 
   server.on("close", () => {