v0.5.1

timokoessler · Oct 7, 2023 · c359785 · c359785
1 parent 9ebdf0f
commit c359785
Show file tree

Hide file tree

Showing 10 changed files with 746 additions and 678 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,28 @@
+name: Publish Package to npm
+on:
+    release:
+        types: [created]
+jobs:
+    build:
+        runs-on: ubuntu-latest
+        permissions:
+            contents: read
+            id-token: write
+        steps:
+            - uses: actions/checkout@v3
+            - name: Use Node.js 20
+              uses: actions/setup-node@v3
+              with:
+                  node-version: 20.x
+                  cache: 'npm'
+                  registry-url: 'https://registry.npmjs.org'
+            - name: Ensure latest npm version
+              run: npm install -g npm
+            - name: Install dependencies
+              run: npm ci
+            - name: Build
+              run: npm run build
+            - name: Publish to npm
+              run: npm publish --provenance --access public
+              env:
+                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,7 @@
+{
+    "editor.defaultFormatter": "esbenp.prettier-vscode",
+    "editor.formatOnSave": true,
+    "[typescript]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,19 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.5.1] - 2023-10-07
+
+_Async Hooks, GitHub Actions and some improvements_
+
+### Changed
+
+-   Hooks can now be async functions
+-   Minimal improvements to sql detection
+-   Prevent false positive xss detection
+-   Publish via GitHub Actions
+-   Added prettier
+-   Updated dependencies
+
 ## [0.5.0] - 2023-07-03
 
 _TypeScript, ESM and Fake Crawlers_

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "easy-waf",
-    "version": "0.5.0",
+    "version": "0.5.1",
     "description": "An easy-to-use Web Application Firewall (WAF) for Node.js",
     "main": "dist/index.cjs",
     "module": "dist/index.js",

diff --git a/src/block.ts b/src/block.ts
@@ -1,15 +1,15 @@
 import { sha256 } from './utils';
-import * as logger from './logger';
+import { logBlockedRequest } from './logger';
 import type { EasyWaf } from './types';
 
 /**
  *
  */
-export function block(req: EasyWaf.Request, res: EasyWaf.Response, moduleName: string, config: EasyWaf.Config): boolean {
+export async function block(req: EasyWaf.Request, res: EasyWaf.Response, moduleName: string, config: EasyWaf.Config): Promise<boolean> {
     const date = new Date();
     const referenceID = sha256(req.ip + date.getTime());
 
-    if (typeof config.preBlockHook === 'function' && config.preBlockHook(req, moduleName, req.ip) === false) {
+    if (typeof config.preBlockHook === 'function' && await config.preBlockHook(req, moduleName, req.ip) === false) {
         return false;
     }
 
@@ -64,10 +64,10 @@ export function block(req: EasyWaf.Request, res: EasyWaf.Response, moduleName: s
         res.end();
     }
 
-    logger.requestBlocked(moduleName, req, referenceID, config);
+    logBlockedRequest(moduleName, req, referenceID, config);
 
     if (typeof config.postBlockHook === 'function') {
-        config.postBlockHook(req, moduleName, req.ip);
+        await config.postBlockHook(req, moduleName, req.ip);
     }
 
     if (config.dryMode) {

diff --git a/src/index.ts b/src/index.ts
@@ -3,7 +3,7 @@ import { Matcher as IPMatcher } from 'netparser';
 import { compileProxyTrust } from './utils';
 import * as modules from './modules';
 import { block } from './block';
-import * as logger from './logger';
+import { log } from './logger';
 import type { EasyWaf } from './types';
 
 let config: EasyWaf.Config = {
@@ -41,7 +41,7 @@ export default function easyWaf(conf?: EasyWaf.Config) {
             /* istanbul ignore next */
             throw new Error('EasyWafConfig: dryMode is not a boolean');
         } else if (conf.dryMode && !conf.disableLogging) {
-            logger.log('Warn', 'DryMode is enabled. Suspicious requests are only logged and not blocked!');
+            log('Warn', 'DryMode is enabled. Suspicious requests are only logged and not blocked!');
         }
 
         if (typeof conf.ipBlacklist !== 'undefined') {
@@ -102,7 +102,7 @@ export default function easyWaf(conf?: EasyWaf.Config) {
             req.url = decodeURIComponent(rawReq.url as string);
         } catch (e) {
             req.url = typeof rawReq.url === 'string' ? rawReq.url : '';
-            if (!block(req, res, 'uriMalformed', config)) {
+            if (!await block(req, res, 'uriMalformed', config)) {
                 next();
             }
             return;
@@ -111,13 +111,13 @@ export default function easyWaf(conf?: EasyWaf.Config) {
         req.path = Array.isArray(pathRegexRes) && typeof pathRegexRes[0] === 'string' ? pathRegexRes[0] : '';
 
         if (typeof ipBlacklist !== 'undefined' && ipBlacklist.get(ip)) {
-            if (block(req, res, 'IPBlacklist', config)) {
+            if (await block(req, res, 'IPBlacklist', config)) {
                 return;
             }
         }
 
         if (Array.isArray(config.allowedHTTPMethods) && !config.allowedHTTPMethods.includes(req.method)) {
-            if (block(req, res, 'HTTPMethod', config)) {
+            if (await block(req, res, 'HTTPMethod', config)) {
                 return;
             }
         }
@@ -143,7 +143,7 @@ export default function easyWaf(conf?: EasyWaf.Config) {
                 }
             }
             const ok = await module.check(req);
-            if (!ok && block(req, res, moduleName, config)) {
+            if (!ok && await block(req, res, moduleName, config)) {
                 return;
             }
         }

diff --git a/src/logger.ts b/src/logger.ts
@@ -18,7 +18,7 @@ export function log(type: EasyWaf.LogType, msg: string) {
 /**
  *
  */
-export function requestBlocked(moduleName: string, req: EasyWaf.Request, referenceID: string, config: EasyWaf.Config) {
+export function logBlockedRequest(moduleName: string, req: EasyWaf.Request, referenceID: string, config: EasyWaf.Config) {
     if (config.disableLogging) return;
     const url = req.url.replace(/(\n|\r|\v)/gi, '').replace(/"/g, '&quot;');
     const ua = req.ua.replace(/(\n|\r|\v)/gi, '').replace(/"/g, '&quot;');

diff --git a/src/types.d.ts b/src/types.d.ts
@@ -37,11 +37,11 @@ export namespace EasyWaf {
         /**
          * Run your own code after a request is blocked (e.g. send a notification).
          */
-        postBlockHook?: (req: EasyWaf.Request, moduleName: string, ip: string) => void;
+        postBlockHook?: (req: EasyWaf.Request, moduleName: string, ip: string) => void | Promise<void>;
         /**
          * Run your own code before a request is blocked. Return false if the request should not be blocked.
          */
-        preBlockHook?: (req: EasyWaf.Request, moduleName: string, ip: string) => boolean;
+        preBlockHook?: (req: EasyWaf.Request, moduleName: string, ip: string) => boolean | Promise<boolean>;
         /**
          * If a reverse proxy is used, this setting must be configured. See https://www.npmjs.com/package/proxy-addr for possible values.
          */

diff --git a/test/hooks.test.ts b/test/hooks.test.ts
@@ -11,7 +11,7 @@ testServer.init({
             enabled: false,
         },
     },
-    preBlockHook: (req, moduleName, ip) => {
+    preBlockHook: async (req, moduleName, ip) => {
         const path = req.url.match('^[^?]*');
         if (moduleName === 'xss' && ['::1', '127.0.0.1', '::ffff:127.0.0.1'].includes(ip) && path?.length && path[0] === '/test') {
             //Do not block xss from localhost at path /test