v0.4.0

See Changelog.md

CHANGELOG.md

@@ -1,16 +1,34 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [0.4.0] - 2023-01-23
+
+*HTTP Parameter Pollution, bug fixes and more*
+
+### Added
+
+- HTTP Parameter Pollution module - Replaces array parameters with their last value (req.query must be set by a web framework)
+- README.md with module descriptions to [lib/modules](lib/modules/)
+- Issue templates and [CONTRIBUTING.md](CONTRIBUTING.md)
+
+### Changed
+
+- Fixed critical bug in "Block Tor Exit Nodes" module
+- Improved tests and updated examples
+- Code refactoring
+
 ## [0.3.1] - 2022-12-17
 
+*Security Update*
+
 ### Changed
 
 - Update dependencies to fix CVE-2022-24999 (only devDependencies affected)
 - Improve prototype pollution detection
 
 ## [0.3.0] - 2022-11-06
 
-Hooks, log request method, improvements and bug fixes.
+*Hooks, log request method, improvements and bug fixes.*
 
 ### Added
 
@@ -28,7 +46,7 @@ Hooks, log request method, improvements and bug fixes.
 
 ## [0.2.0] - 2022-10-23
 
-The second beta release.
+*The second beta release.*
 
 ### Added
 
@@ -44,4 +62,4 @@ The second beta release.
 
 ## [0.1.0] - 2022-10-03
 
-This is the initial beta release.
+*This is the initial beta release.*

CONTRIBUTING.md

@@ -19,4 +19,4 @@ Read our [Code of Conduct](CODE_OF_CONDUCT.md) to keep our community approachabl
 - After cloning the repo run `npm i`
 - Run `npm run precommit` before every commit: this runs ESLint and TypeScript (this should normally be done automatically by a git hook)
 - If you add new modules or other features, please create tests
-- Before you create a PR, run `npm t` to run all tests
+- Before you create a PR, run `npm t` to run all tests

index.d.ts

@@ -70,7 +70,6 @@ declare module "modules/blockTorExitNodes" {
      * @returns {Boolean} Is false when a possible security incident has been found
      */
     export function check(data: EasyWAFRequestInfo): boolean;
-    export function updateTorExitNodesList(cb: any): void;
     export function info(): {
         name: string;
     };
@@ -144,9 +143,6 @@ declare module "modules/httpParameterPollution" {
      * @returns {Boolean} Is false when a possible security incident has been found
      */
     export function check(data: EasyWAFRequestInfo): boolean;
-    export function info(): {
-        name: string;
-    };
 }
 declare module "modules/noSqlInjection" {
     /**
@@ -221,7 +217,6 @@ declare module "modules/index" {
         info: () => {
             name: string;
         };
-        updateTorExitNodesList: (cb: any) => void;
     };
     export const crlfInjection: {
         check: (data: EasyWAFRequestInfo) => boolean;
@@ -245,9 +240,6 @@ declare module "modules/index" {
     };
     export const httpParameterPollution: {
         check: (data: EasyWAFRequestInfo) => boolean;
-        info: () => {
-            name: string;
-        };
     };
     export const noSqlInjection: {
         check: (data: EasyWAFRequestInfo) => boolean;

lib/modules/README.md

@@ -18,7 +18,7 @@ This module detects and blocks path traversal attacks. This vulnerability allows
 [OSWAP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
 
 ## Fake Search Crawlers
-This module blocks requests from bots that pretend to be a known search engine or similar. A up to date whitelist with IPS from Google, Bing and DuckDuckGo is used for this purpose. For other providers, the authenticity is checked by doing a reverse DNS lookup and the ip is then temporarily whitelisted.
+This module blocks requests from bots that pretend to be a known search engine or similar. For this purpose, a hourly updated whitelist with IPS from Google, Bing and DuckDuckGo is used. For other providers, the authenticity is checked by doing a reverse DNS lookup and the IP address is temporarily whitelisted.
 
 Whitelist sources: [Google](https://www.gstatic.com/ipranges/goog.json), [Bing](https://www.bing.com/toolbox/bingbot.json), [DuckDuckGo](https://raw.githubusercontent.com/duckduckgo/duckduckgo-help-pages/master/_docs/results/duckduckbot.md)  
 Supported companies: Google, Microsoft, DuckDuckGo, Yahoo!, Yandex, Baidu, Qwant
@@ -45,4 +45,4 @@ A JavaScript vulnerability that allows an attacker to add properties to global o
 
 ## SQL Injection
 An attempt to manipulate an SQL query, similar to NoSQL injections. Detection leads to blocking of the request.  
-[OSWAP: SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
+[OSWAP: SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)

lib/modules/blockTorExitNodes.js

@@ -18,16 +18,18 @@ function init(conf){
     }
 }
 
-function updateTorExitNodesList(cb){
+function updateTorExitNodesList(){
     try {
         utils.httpGET('https://check.torproject.org/torbulkexitlist', (data) => {
             data = data.split(/\r?\n/);
             data = data.filter(line => line.length != 0);
-            if(cb) cb(data);
+            if(!Array.isArray(data)){
+                throw new Error('Data is not an array');
+            }
+            torExitNodes = data;
         });
     } catch (e) /* istanbul ignore next */ {
         logger.log('Error', 'Exception while updating Tor Exit Nodes list: ' + e.message);
-        if(cb) cb([]);
     }
     setTimeout(updateTorExitNodesList, 3600000); //1 hour
 }
@@ -41,18 +43,16 @@ function check(data){
     if(torExitNodes.includes(data.ip)){
         return false;
     }
-
     return true;
 }
 
 module.exports = {
     init: init,
     check: check,
-    /* istanbul ignore next */
     info: () => {
+        /* istanbul ignore next */
         return {
             name: 'blockTorExitNodes'
         };
-    },
-    updateTorExitNodesList: updateTorExitNodesList
+    }
 };

lib/modules/httpParameterPollution.js

@@ -15,9 +15,4 @@ function check(data){
 
 module.exports = {
     check: check,
-    info: () => { /* istanbul ignore next */
-        return {
-            name: 'httpParameterPollution'
-        };
-    }
 };

package.json

@@ -1,6 +1,6 @@
 {
   "name": "easy-waf",
-  "version": "0.3.1",
+  "version": "0.4.0",
   "description": "An easy-to-use Web Application Firewall (WAF) for Node.js",
   "main": "index.js",
   "scripts": {
@@ -36,7 +36,7 @@
     "@types/ip6addr": "^0.2.3",
     "@types/node": "^18.0.5",
     "@types/proxy-addr": "^2.0.0",
-    "eslint": "^8.19.0",
+    "eslint": "^8.32.0",
     "eslint-plugin-jest": "^27.0.4",
     "eslint-plugin-security-node": "^1.1.1",
     "express": "^4.18.1",

test/tor.test.js

@@ -2,8 +2,12 @@
 const testServer = require('./test-server');
 const request = require('supertest');
 const blockTorExitNodes = require('../lib/modules/blockTorExitNodes');
+const utils = require('../lib/utils');
 
 jest.useFakeTimers();
+jest.setTimeout(5000);
+
+var torIP = '';
 
 testServer.init({
     allowedHTTPMethods: ['GET', 'POST'],
@@ -15,21 +19,40 @@ testServer.init({
     }
 });
 
+test('Get Tor IP', () => {
+    return new Promise(done => {
+        utils.httpGET('https://check.torproject.org/torbulkexitlist', (data) => {
+            data = data.split(/\r?\n/);
+            data = data.filter(line => line.length != 0);
+            expect(Array.isArray(data)).toBe(true);
+            torIP = data[0];
+            done();
+        });
+    });
+});
+test('Sleep 1 second', async () => {
+    const foo = true;
+    jest.useRealTimers();
+    await new Promise((r) => setTimeout(r, 1000));
+    expect(foo).toBeDefined();
+    jest.useFakeTimers();
+});
 test('Request should not be blocked', () => {
     return request(testServer.app)
         .get('/get')
         .then(response => {
             expect(response.statusCode).toBe(200);
-    });
+        });
 });
-
-// eslint-disable-next-line jest/no-done-callback, jest/expect-expect
-test('Test if Tor Exit Node List GET Request works', (done) => {
-    blockTorExitNodes.updateTorExitNodesList((torExitNodes) => {
-        if(torExitNodes.length == 0){
-            done(new Error());
-            return;
-        }
-        done();
+test('Test if Tor ip is blocked', () => {
+    const ok = blockTorExitNodes.check({
+        url: '/get',
+        body: undefined,
+        headers: {},
+        ip: torIP,
+        method: 'GET',
+        path: '/get',
+        ua: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0'
     });
+    expect(ok).toBe(false);
 });