Merge branch 'patch-ssrf-enable' into undici-ssrf-fix-2

.github/CONTRIBUTING.md

@@ -1,4 +1,4 @@
-# Contributing to Aikido Security's firewall for Node.js
+# Contributing to Zen by Aikido for Node.js
 
 First off, thanks for taking the time to contribute! ❤️
 

.github/SECURITY.md

@@ -1,6 +1,6 @@
 # Reporting Security Issues
 
-The Aikido team and community take security bugs in firewall seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+The Aikido team and community take security bugs in Zen seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
 
 To report a security issue, register on Intigriti and navigate to https://app.intigriti.com/researcher/programs/aikido/aikidoruntime.
 

.github/workflows/benchmark.yml

@@ -21,7 +21,7 @@ jobs:
           "POSTGRES_DB": "main_db"
         ports:
           - "27016:5432"
-    timeout-minutes: 5
+    timeout-minutes: 10
     strategy:
       matrix:
         node-version: [18.x]
@@ -33,13 +33,21 @@ jobs:
           node-version: ${{ matrix.node-version }}
       - name: Install K6
         uses: grafana/setup-k6-action@v1
+      - name: Install wrk
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y wrk
       - run: make install
       - run: make build
       - name: Run NoSQL Injection Benchmark
-        run: cd benchmarks/nosql-injection && AIKIDO_CI=true node benchmark.js
+        run: cd benchmarks/nosql-injection && AIKIDO_CI=true node --preserve-symlinks benchmark.js
       - name: Run SQL Injection Benchmark
-        run: cd benchmarks/sql-injection && node benchmark.js
+        run: cd benchmarks/sql-injection && node --preserve-symlinks benchmark.js
       - name: Run shell injection Benchmark
-        run: cd benchmarks/shell-injection && node benchmark.js
+        run: cd benchmarks/shell-injection && node --preserve-symlinks benchmark.js
       - name: Run Hono with Postgres Benchmark
-        run: cd benchmarks/hono-pg && node benchmark.js
+        run: cd benchmarks/hono-pg && node --preserve-symlinks benchmark.js
+      - name: Run API Discovery Benchmark
+        run: cd benchmarks/api-discovery && node --preserve-symlinks benchmark.js
+      - name: Run Express Benchmark
+        run: cd benchmarks/express && node --preserve-symlinks benchmark.js

.github/workflows/build-and-release.yml

@@ -26,13 +26,25 @@ jobs:
           node-version: "18.x"
           registry-url: "https://registry.npmjs.org"
           scope: "@aikidosec"
-      - run: make install
+      - name: Install dependencies
+        run: make install
       - name: Get the version
         id: get_version
-        run: echo ::set-output name=tag::${GITHUB_REF/refs\/tags\//}
-      - run: cd library && npm --no-git-tag-version version ${{ steps.get_version.outputs.tag }}
-      - run: make build
-      - run: make lint
-      - run: cd build && npm publish --provenance --access public
+        run: echo "tag=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
+      - name: Set the version
+        run: cd library && npm --no-git-tag-version version ${{ steps.get_version.outputs.tag }}
+      - name: Build the library
+        run: make build
+      - name: Linting
+        run: make lint
+      - name: Publish to NPM
+        run: |
+          if [ "${{ github.event.release.prerelease }}" = "true" ]; then
+            echo "Publishing beta version ${{ steps.get_version.outputs.tag }} to NPM"
+            cd build && npm publish --provenance --access public --tag beta
+          else
+            echo "Publishing version ${{ steps.get_version.outputs.tag }} to NPM"
+            cd build && npm publish --provenance --access public
+          fi
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

.github/workflows/end-to-end-tests.yml

@@ -29,7 +29,23 @@ jobs:
         options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=5 -e MYSQL_ROOT_PASSWORD=mypassword -e MYSQL_DATABASE=catsdb --entrypoint sh mysql:8.0 -c "exec docker-entrypoint.sh mysqld --default-authentication-plugin=mysql_native_password"
         ports:
           - "27015:3306"
-    timeout-minutes: 5
+      mariadb:
+        image: mariadb:11
+        env:
+          MARIADB_ROOT_PASSWORD: mypassword
+          MARIADB_DATABASE: catsdb
+        ports:
+          - "27018:3306"
+      clickhouse:
+        image: clickhouse/clickhouse-server:24
+        env:
+          "CLICKHOUSE_USER": "clickhouse"
+          "CLICKHOUSE_PASSWORD": "clickhouse"
+          "CLICKHOUSE_DB": "main_db"
+          "CLICKHOUSE_DEFAULT_ACCESS": "MANAGEMENT=1"
+        ports:
+          - "27019:8123"
+    timeout-minutes: 10
     strategy:
       matrix:
         node-version: [18.x]
@@ -39,6 +55,12 @@ jobs:
         uses: actions/setup-node@v2
         with:
           node-version: ${{ matrix.node-version }}
+      - name: Add local.aikido.io to /etc/hosts
+        run: |
+          sudo echo "127.0.0.1 local.aikido.io" | sudo tee -a /etc/hosts
+      - name: Build and run server
+        run: |
+          cd end2end/server && docker build -t server . && docker run -d -p 5874:3000 server
       - run: make install
       - run: make build
       - run: make end2end

.github/workflows/lint-code.yml

@@ -12,5 +12,6 @@ jobs:
         uses: actions/setup-node@v2
         with:
           node-version: ${{ matrix.node-version }}
-      - run: make install
+      - run: make install-lib-only
+      - run: make build
       - run: make lint

.github/workflows/unit-test.yml

@@ -35,9 +35,36 @@ jobs:
         options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=5 -e MYSQL_ROOT_PASSWORD=mypassword -e MYSQL_DATABASE=catsdb --entrypoint sh mysql:8.0 -c "exec docker-entrypoint.sh mysqld --default-authentication-plugin=mysql_native_password"
         ports:
           - "27015:3306"
+      mariadb:
+        image: mariadb:11
+        env:
+          MARIADB_ROOT_PASSWORD: mypassword
+          MARIADB_DATABASE: catsdb
+        ports:
+          - "27018:3306"
+      clickhouse:
+        image: clickhouse/clickhouse-server:24
+        env:
+          "CLICKHOUSE_USER": "clickhouse"
+          "CLICKHOUSE_PASSWORD": "clickhouse"
+          "CLICKHOUSE_DB": "main_db"
+          "CLICKHOUSE_DEFAULT_ACCESS": "MANAGEMENT=1"
+        ports:
+          - "27019:8123"
+      mongodb-replica:
+        image: bitnami/mongodb:8.0
+        env:
+          MONGODB_ADVERTISED_HOSTNAME: 127.0.0.1
+          MONGODB_REPLICA_SET_MODE: primary
+          MONGODB_ROOT_USER: root
+          MONGODB_ROOT_PASSWORD: password
+          MONGODB_REPLICA_SET_KEY: replicasetkey123
+        ports:
+          - "27020:27017"
     strategy:
+      fail-fast: false
       matrix:
-        node-version: [16.x, 18.x, 20.x, 22.x]
+        node-version: [16.x, 18.x, 20.x, 22.x, 23.x]
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
@@ -47,7 +74,8 @@ jobs:
       - name: Add local.aikido.io to /etc/hosts
         run: |
           sudo echo "127.0.0.1 local.aikido.io" | sudo tee -a /etc/hosts
-      - run: make install
+      - run: make install-lib-only
+      - run: make build
       - run: make test-ci
       - name: "Upload coverage"
         uses: codecov/codecov-action@v4.0.1

LICENSE

@@ -1,7 +1,7 @@
 This program is offered under a commercial and under the AGPL license.
 You can be released from the requirements of the AGPL license by purchasing
 a commercial license. Buying such a license is mandatory as soon as you
-develop commercial activities involving the Aikido Firewall software without
+develop commercial activities involving Zen by Aikido software without
 disclosing the source code of your own applications. These activities include
 but are not limited to: offering paid services to customers in a web application
 or shipping Aikido with a closed source product.

Makefile

@@ -1,3 +1,9 @@
+INTERNALS_VERSION = v0.1.32
+INTERNALS_URL = https://github.com/AikidoSec/zen-internals/releases/download/$(INTERNALS_VERSION)
+TARBALL = zen_internals.tgz
+CHECKSUM_FILE = zen_internals.tgz.sha256sum
+INTERNALS_DIR = library/internals
+
 .PHONY: containers
 containers:
 	cd sample-apps && docker-compose up -d --remove-orphans
@@ -58,25 +64,64 @@ lambda-mongodb-nosql-injection:
 lambda-mongodb-safe:
 	cd sample-apps/lambda-mongodb && npx serverless@3.38.0 invoke local -e AIKIDO_BLOCKING=true -e AIKIDO_DEBUG=true --function login --path payloads/safe-request.json
 
-.PHONY: install
-install:
+.PHONY: nestjs-sentry
+nestjs-sentry:
+	cd sample-apps/nestjs-sentry && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true NODE_OPTIONS=--preserve-symlinks npm run start
+
+.PHONY: nestjs-fastify
+nestjs-fastify:
+	cd sample-apps/nestjs-fastify && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true NODE_OPTIONS=--preserve-symlinks npm run start
+
+.PHONY: fastify-mysql2
+fastify-mysql2:
+	cd sample-apps/fastify-mysql2 && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+
+.PHONY: koa-sqlite3
+koa-sqlite3:
+	cd sample-apps/koa-sqlite3 && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+
+.PHONY: fastify-clickhouse
+fastify-clickhouse:
+	cd sample-apps/fastify-clickhouse && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
+
+.PHONY: hono-prisma
+hono-prisma:
+	cd sample-apps/hono-prisma && AIKIDO_DEBUG=true AIKIDO_BLOCK=true node app.js
+
+.PHONY: install-lib-only
+install-lib-only:
 	mkdir -p build
 	node scripts/copyPackageJSON.js
 	touch build/index.js
 	cd build && npm link
 	npm install
 	cd library && npm install
+
+.PHONY: install
+install: install-lib-only
 	cd end2end && npm install
 	node scripts/install.js
 
 .PHONY: build
-build:
+build: $(INTERNALS_DIR)/zen_internals.js
 	mkdir -p build
 	rm -r build
 	cd library && npm run build
 	cp README.md build/README.md
 	cp LICENSE build/LICENSE
 	cp library/package.json build/package.json
+	mkdir -p build/internals
+	cp $(INTERNALS_DIR)/zen_internals_bg.wasm build/internals/zen_internals_bg.wasm
+
+$(INTERNALS_DIR)/zen_internals.js: Makefile
+	curl -L $(INTERNALS_URL)/$(TARBALL) -o $(INTERNALS_DIR)/$(TARBALL)
+	curl -L $(INTERNALS_URL)/$(CHECKSUM_FILE) -o $(INTERNALS_DIR)/$(CHECKSUM_FILE)
+	cd $(INTERNALS_DIR) && sha256sum -c $(CHECKSUM_FILE)
+	tar -xzf $(INTERNALS_DIR)/$(TARBALL) -C $(INTERNALS_DIR)
+	touch $@
+	rm $(INTERNALS_DIR)/zen_internals.d.ts
+	rm $(INTERNALS_DIR)/$(TARBALL)
+	rm $(INTERNALS_DIR)/$(CHECKSUM_FILE)
 
 .PHONY: watch
 watch: build
@@ -103,3 +148,5 @@ benchmark: build
 	cd benchmarks/shell-injection && node --preserve-symlinks benchmark.js
 	cd benchmarks/sql-injection && node --preserve-symlinks benchmark.js
 	cd benchmarks/hono-pg && node --preserve-symlinks benchmark.js
+	cd benchmarks/api-discovery && node --preserve-symlinks benchmark.js
+	cd benchmarks/express && node --preserve-symlinks benchmark.js