Merge branch 'main' of github.com:AikidoSec/node-RASP into hansott-patch-1

* 'main' of github.com:AikidoSec/node-RASP: (34 commits)
  When Zen starts
  Add note about loading env variables in ESM mode
  Add separate heartbeat e2e test
  Fix e2e test
  Add e2e test
  Fix missing outbound hostname
  Add extra comment to make intent clear
  Reduce diff
  Format code after merge
  Update package.json
  Update .github/workflows/lint-code.yml
  Update .prettierignore
  Remove prettier config in adonis sample app
  Fix duplicate prettier install & format
  Add end2end tests for blocking outbound connections
  Fix test
  Fix tests
  Align message with expected test message
  Simplify InspectionResult and move domains to normal config
  Update ipAddress type for attack wave
  ...

Author: hansott

.github/CODE_OF_CONDUCT.md

@@ -17,23 +17,23 @@ diverse, inclusive, and healthy community.
 Examples of behavior that contributes to a positive environment for our
 community include:
 
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our mistakes,
   and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the overall
+- Focusing on what is best not just for us as individuals, but for the overall
   community
 
 Examples of unacceptable behavior include:
 
-* The use of sexualized language or imagery, and sexual attention or advances of
+- The use of sexualized language or imagery, and sexual attention or advances of
   any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email address,
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address,
   without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
+- Other conduct which could reasonably be considered inappropriate in a
   professional setting
 
 ## Enforcement Responsibilities

.github/ISSUE_TEMPLATE/bug_report.md

@@ -11,6 +11,7 @@ A clear and concise description of what went wrong.
 
 **To Reproduce**
 Steps to reproduce the behavior:
+
 1. …
 2. …
 3. …
@@ -22,6 +23,7 @@ What you expected to happen.
 What actually happened (include logs or error messages if possible).
 
 **Environment**
+
 - OS: [e.g. Ubuntu 22.04, macOS 15.0, Windows 11]
 - Language version: [e.g. 18, 20, 22]
 - Framework: [e.g. Express, Hono, Fastify]

.github/workflows/lint-code.yml

@@ -33,7 +33,10 @@ jobs:
         run: npm i -g [email protected]
       - run: npm run install-lib-only
       - run: npm run build
-      - run: npm run lint
+      - name: Run Linter for JavaScript/TypeScript
+        run: npm run lint
+      - name: Check formatting
+        run: npm run format:check
       - name: Check Rust formatting
         run: cd instrumentation-wasm && cargo fmt --check
       - name: Run Rust Linter

.prettierignore

@@ -0,0 +1,9 @@
+.tap/
+internals/
+wasm/
+.next/
+out/
+build/
+dist/
+coverage/
+.esm-tests/

.prettierrc

@@ -4,4 +4,4 @@
   "useTabs": false,
   "semi": true,
   "singleQuote": false
-}
+}

README.md

@@ -2,12 +2,12 @@
 
 # Zen, in-app firewall for Node.js | by Aikido
 
-[![NPM Version](https://img.shields.io/npm/v/%40aikidosec%2Ffirewall?style=flat-square)](https://www.npmjs.com/package/@aikidosec/firewall) 
-[![Codecov](https://img.shields.io/codecov/c/github/AikidoSec/firewall-node?style=flat-square&token=AJK9LU35GY)](https://app.codecov.io/gh/aikidosec/firewall-node) 
-[![NPM License](https://img.shields.io/npm/l/%40aikidosec%2Ffirewall?style=flat-square)](https://github.com/AikidoSec/firewall-node/blob/main/LICENSE) 
-[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com) 
-[![Unit tests](https://github.com/AikidoSec/firewall-node/actions/workflows/unit-test.yml/badge.svg)](https://github.com/AikidoSec/firewall-node/actions/workflows/unit-test.yml) 
-[![End to end tests](https://github.com/AikidoSec/firewall-node/actions/workflows/end-to-end-tests.yml/badge.svg)](https://github.com/AikidoSec/firewall-node/actions/workflows/end-to-end-tests.yml) 
+[![NPM Version](https://img.shields.io/npm/v/%40aikidosec%2Ffirewall?style=flat-square)](https://www.npmjs.com/package/@aikidosec/firewall)
+[![Codecov](https://img.shields.io/codecov/c/github/AikidoSec/firewall-node?style=flat-square&token=AJK9LU35GY)](https://app.codecov.io/gh/aikidosec/firewall-node)
+[![NPM License](https://img.shields.io/npm/l/%40aikidosec%2Ffirewall?style=flat-square)](https://github.com/AikidoSec/firewall-node/blob/main/LICENSE)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)
+[![Unit tests](https://github.com/AikidoSec/firewall-node/actions/workflows/unit-test.yml/badge.svg)](https://github.com/AikidoSec/firewall-node/actions/workflows/unit-test.yml)
+[![End to end tests](https://github.com/AikidoSec/firewall-node/actions/workflows/end-to-end-tests.yml/badge.svg)](https://github.com/AikidoSec/firewall-node/actions/workflows/end-to-end-tests.yml)
 
 Zen, your in-app firewall for peace of mind– at runtime.
 
@@ -19,100 +19,100 @@ It protects your Node.js apps by scanning user input and where that data eventua
 
 Zen will autonomously protect your Node.js applications against:
 
-* 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities)
-* 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
-* 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked)
-* 🛡️ [Prototype pollution](./docs/prototype-pollution.md)
-* 🛡️ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)
-* 🛡️ [Server-side request forgery (SSRF)](./docs/ssrf.md)
-* 🛡️ [Attack wave detection](https://help.aikido.dev/zen-firewall/zen-features/attack-wave-protection)
-* 🛡️ JS injection
+- 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities)
+- 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
+- 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked)
+- 🛡️ [Prototype pollution](./docs/prototype-pollution.md)
+- 🛡️ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)
+- 🛡️ [Server-side request forgery (SSRF)](./docs/ssrf.md)
+- 🛡️ [Attack wave detection](https://help.aikido.dev/zen-firewall/zen-features/attack-wave-protection)
+- 🛡️ JS injection
 
 Zen operates autonomously on the same server as your Node.js app to:
 
-* ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost.
-* ✅ Auto-generate API specifications
-* ✅ Block known threat actors and bots.
-* ✅ Geo-fencing to block or allow a selection of countries
-* ✅ Rate limit specific API endpoints by IP or by user
-* ✅ Allows you to block specific users manually
+- ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost.
+- ✅ Auto-generate API specifications
+- ✅ Block known threat actors and bots.
+- ✅ Geo-fencing to block or allow a selection of countries
+- ✅ Rate limit specific API endpoints by IP or by user
+- ✅ Allows you to block specific users manually
 
 ## Supported libraries and frameworks
 
 Zen for Node.js 16+ is compatible with:
 
 ### Web frameworks
 
-* ✅ [Express](docs/express.md) 4.x, 5.x
-* ✅ [Hono](docs/hono.md) 4.x
-* ✅ [hapi](docs/hapi.md) 21.x
-* ✅ [micro](docs/micro.md) 10.x
-* ✅ [Next.js](docs/next.md) 12.x, 13.x and 14.x
-* ✅ [Fastify](docs/fastify.md) 4.x and 5.x
-* ✅ [Koa](docs/koa.md) 3.x and 2.x
-* ✅ [NestJS](docs/nestjs.md) 10.x and 11.x
-* ✅ [Restify](docs/restify.md) 11.x, 10.x, 9.x and 8.x
+- ✅ [Express](docs/express.md) 4.x, 5.x
+- ✅ [Hono](docs/hono.md) 4.x
+- ✅ [hapi](docs/hapi.md) 21.x
+- ✅ [micro](docs/micro.md) 10.x
+- ✅ [Next.js](docs/next.md) 12.x, 13.x and 14.x
+- ✅ [Fastify](docs/fastify.md) 4.x and 5.x
+- ✅ [Koa](docs/koa.md) 3.x and 2.x
+- ✅ [NestJS](docs/nestjs.md) 10.x and 11.x
+- ✅ [Restify](docs/restify.md) 11.x, 10.x, 9.x and 8.x
 
 ### Database drivers
 
-* ✅ [`mongodb`](https://www.npmjs.com/package/mongodb) 4.x, 5.x and 6.x _(npm package versions, not MongoDB server versions)_
-* ✅ [`mongoose`](https://www.npmjs.com/package/mongoose) 8.x, 7.x and 6.x
-* ✅ [`pg`](https://www.npmjs.com/package/pg) 8.x and 7.x
-* ✅ [`mysql`](https://www.npmjs.com/package/mysql) 2.x
-* ✅ [`mysql2`](https://www.npmjs.com/package/mysql2) 3.x
-* ✅ [`mariadb`](https://www.npmjs.com/package/mariadb) 3.x
-* ✅ [`sqlite3`](https://www.npmjs.com/package/sqlite3) 5.x
-* ✅ [`node:sqlite`](https://nodejs.org/api/sqlite.html)
-* ✅ [`better-sqlite3`](https://www.npmjs.com/package/better-sqlite3) 12.x, 11.x, 10.x, 9.x and 8.x
-* ✅ [`postgres`](https://www.npmjs.com/package/postgres) 3.x
-* ✅ [`@clickhouse/client`](https://www.npmjs.com/package/@clickhouse/client) 1.x
-* ✅ [`@prisma/client`](https://www.npmjs.com/package/@prisma/client) 5.x
+- ✅ [`mongodb`](https://www.npmjs.com/package/mongodb) 4.x, 5.x and 6.x _(npm package versions, not MongoDB server versions)_
+- ✅ [`mongoose`](https://www.npmjs.com/package/mongoose) 8.x, 7.x and 6.x
+- ✅ [`pg`](https://www.npmjs.com/package/pg) 8.x and 7.x
+- ✅ [`mysql`](https://www.npmjs.com/package/mysql) 2.x
+- ✅ [`mysql2`](https://www.npmjs.com/package/mysql2) 3.x
+- ✅ [`mariadb`](https://www.npmjs.com/package/mariadb) 3.x
+- ✅ [`sqlite3`](https://www.npmjs.com/package/sqlite3) 5.x
+- ✅ [`node:sqlite`](https://nodejs.org/api/sqlite.html)
+- ✅ [`better-sqlite3`](https://www.npmjs.com/package/better-sqlite3) 12.x, 11.x, 10.x, 9.x and 8.x
+- ✅ [`postgres`](https://www.npmjs.com/package/postgres) 3.x
+- ✅ [`@clickhouse/client`](https://www.npmjs.com/package/@clickhouse/client) 1.x
+- ✅ [`@prisma/client`](https://www.npmjs.com/package/@prisma/client) 5.x
 
 ### Cloud providers
 
-* ✅ [`@google-cloud/functions-framework`](https://www.npmjs.com/package/@google-cloud/functions-framework) 4.x, 3.x
-* ✅ [`@google-cloud/pubsub`](https://www.npmjs.com/package/@google-cloud/pubsub) 5.x, 4.x
-* ✅ Google Cloud Functions
-* ✅ AWS Lambda
+- ✅ [`@google-cloud/functions-framework`](https://www.npmjs.com/package/@google-cloud/functions-framework) 4.x, 3.x
+- ✅ [`@google-cloud/pubsub`](https://www.npmjs.com/package/@google-cloud/pubsub) 5.x, 4.x
+- ✅ Google Cloud Functions
+- ✅ AWS Lambda
 
 ### ORMs and query builders
 
 See list above for supported database drivers.
 
-* ✅ [`sequelize`](https://www.npmjs.com/package/sequelize)
-* ✅ [`knex`](https://www.npmjs.com/package/knex)
-* ✅ [`typeorm`](https://www.npmjs.com/package/typeorm)
-* ✅ [`bookshelf`](https://www.npmjs.com/package/bookshelf)
-* ✅ [`drizzle-orm`](https://www.npmjs.com/package/drizzle-orm)
+- ✅ [`sequelize`](https://www.npmjs.com/package/sequelize)
+- ✅ [`knex`](https://www.npmjs.com/package/knex)
+- ✅ [`typeorm`](https://www.npmjs.com/package/typeorm)
+- ✅ [`bookshelf`](https://www.npmjs.com/package/bookshelf)
+- ✅ [`drizzle-orm`](https://www.npmjs.com/package/drizzle-orm)
 
 ### API tools
 
-* ✅ [`graphql`](https://www.npmjs.com/package/graphql) 15.x, 16.x
+- ✅ [`graphql`](https://www.npmjs.com/package/graphql) 15.x, 16.x
 
 ### Data serialization tools
 
-* ✅ [`xml2js`](https://www.npmjs.com/package/xml2js) 0.6.x, 0.5.x, ^0.4.18
-* ✅ [`fast-xml-parser`](https://www.npmjs.com/package/fast-xml-parser) 5.x, 4.x
-* ✅ [`xml-js`](https://www.npmjs.com/package/xml-js) 1.x
+- ✅ [`xml2js`](https://www.npmjs.com/package/xml2js) 0.6.x, 0.5.x, ^0.4.18
+- ✅ [`fast-xml-parser`](https://www.npmjs.com/package/fast-xml-parser) 5.x, 4.x
+- ✅ [`xml-js`](https://www.npmjs.com/package/xml-js) 1.x
 
 ### Shell tools
 
-* ✅ [`ShellJS`](https://www.npmjs.com/package/shelljs) 0.9.x, 0.8.x, 0.7.x
+- ✅ [`ShellJS`](https://www.npmjs.com/package/shelljs) 0.9.x, 0.8.x, 0.7.x
 
 ### Routers
 
-* ✅ [`@koa/router`](https://www.npmjs.com/package/@koa/router) 14.x, 13.x, 12.x, 11.x and 10.x
+- ✅ [`@koa/router`](https://www.npmjs.com/package/@koa/router) 14.x, 13.x, 12.x, 11.x and 10.x
 
 ### AI SDKs
 
 Zen instruments the following AI SDKs to track which models are used and how many tokens are consumed, allowing you to monitor your AI usage and costs:
 
-* ✅ [`openai`](https://www.npmjs.com/package/openai) 5.x, 4.x
-* ✅ [`@mistralai/mistralai`](https://www.npmjs.com/package/@mistralai/mistralai) 1.x
-* ✅ [`@anthropic-ai/sdk`](https://www.npmjs.com/package/@anthropic-ai/sdk) ^0.40.x
-* ✅ [`@aws-sdk/client-bedrock-runtime`](https://www.npmjs.com/package/@aws-sdk/client-bedrock-runtime) 3.x
-* ✅ [`ai`](https://www.npmjs.com/package/ai) 5.x, 4.x
-* ✅ [`@google/genai`](https://www.npmjs.com/package/@google/genai) ^1.6.0
+- ✅ [`openai`](https://www.npmjs.com/package/openai) 5.x, 4.x
+- ✅ [`@mistralai/mistralai`](https://www.npmjs.com/package/@mistralai/mistralai) 1.x
+- ✅ [`@anthropic-ai/sdk`](https://www.npmjs.com/package/@anthropic-ai/sdk) ^0.40.x
+- ✅ [`@aws-sdk/client-bedrock-runtime`](https://www.npmjs.com/package/@aws-sdk/client-bedrock-runtime) 3.x
+- ✅ [`ai`](https://www.npmjs.com/package/ai) 5.x, 4.x
+- ✅ [`@google/genai`](https://www.npmjs.com/package/@google/genai) ^1.6.0
 
 _Note: Prompt injection attacks are currently not covered by Zen._
 
@@ -154,18 +154,18 @@ If an attack on your application is detected, we report immediately allowing you
 
 You can easily select which IP addresses and/or bots to block from curated lists inside our Dashboard.
 
-
 You will need an Aikido account and a token to report events to Aikido. If you don't have an account, you can [sign up for free](https://app.aikido.dev/login). (No credit card required)
 
 Here's how:
-* [Log in to your Aikido account](https://app.aikido.dev/login).
-* Go to [Zen](https://app.aikido.dev/runtime/services).
-* Go to apps.
-* Click on **Add app**.
-* Choose a name for your app.
-* Click **Generate token**.
-* Copy the token.
-* Set the token as an environment variable, `AIKIDO_TOKEN`, using [dotenv](https://github.com/motdotla/dotenv) or another method of your choosing.
+
+- [Log in to your Aikido account](https://app.aikido.dev/login).
+- Go to [Zen](https://app.aikido.dev/runtime/services).
+- Go to apps.
+- Click on **Add app**.
+- Choose a name for your app.
+- Click **Generate token**.
+- Copy the token.
+- Set the token as an environment variable, `AIKIDO_TOKEN`, using [dotenv](https://github.com/motdotla/dotenv) or another method of your choosing.
 
 ## Running in production (blocking) mode
 
@@ -185,7 +185,7 @@ This program is offered under a commercial and under the AGPL license.
 You can be released from the requirements of the AGPL license by purchasing
 a commercial license. Buying such a license is mandatory as soon as you
 develop commercial activities involving the Zen software without
-disclosing the source code of your own applications. 
+disclosing the source code of your own applications.
 
 For more information, please contact Aikido Security at this
 address: [email protected] or create an account at https://app.aikido.dev.

benchmarks/hono-pg/app/posts.js

@@ -20,21 +20,21 @@ class Posts {
 
   async add(title, text, authors) {
     const articleRes = await this.db.query(
-      'INSERT INTO posts (title, text) VALUES ($1, $2) RETURNING id',
+      "INSERT INTO posts (title, text) VALUES ($1, $2) RETURNING id",
       [title, text]
     );
 
     const articleId = articleRes.rows[0].id;
 
     for (const author of authors) {
       const authorExists = await this.db.query(
-        'SELECT id FROM authors WHERE name = $1',
+        "SELECT id FROM authors WHERE name = $1",
         [author]
       );
       let authorId;
       if (authorExists.rows.length === 0) {
         const authorRes = await this.db.query(
-          'INSERT INTO authors (name) VALUES ($1) RETURNING id',
+          "INSERT INTO authors (name) VALUES ($1) RETURNING id",
           [author]
         );
         authorId = authorRes.rows[0].id;
@@ -43,15 +43,15 @@ class Posts {
       }
 
       await this.db.query(
-        'INSERT INTO post_authors (post_id, author_id) VALUES ($1, $2)',
+        "INSERT INTO post_authors (post_id, author_id) VALUES ($1, $2)",
         [articleId, authorId]
       );
     }
   }
 
   async find(title) {
     const post = await this.db.query(
-      'SELECT title, text FROM posts WHERE title = $1',
+      "SELECT title, text FROM posts WHERE title = $1",
       [title]
     );
 

docs/esm.md

@@ -15,9 +15,22 @@ Alternatively, you can set the `NODE_OPTIONS` environment variable to include th
 export NODE_OPTIONS='-r @aikidosec/firewall/instrument'
 ```
 
-> [!IMPORTANT]  
+> [!IMPORTANT]
 > Please also check the documentation on how to integrate Zen with your used web framework.
 
+## Loading environment variables
+
+When using `--require`/`-r` to preload the Zen firewall, the instrumentation hook runs before your application code. This means environment variables loaded by packages like `dotenv` will not be available when Zen starts.
+
+To ensure `AIKIDO_TOKEN` and other environment variables are available during instrumentation, use Node.js's native `--env-file` flag:
+
+```sh
+node --env-file=.env -r @aikidosec/firewall/instrument your-app.js
+```
+
+> [!NOTE]
+> The `--env-file` flag cannot be used in `NODE_OPTIONS`.
+
 ## Known issues
 
 - Zen can not protect ESM sub-dependencies of an ESM package. For example if an ESM package `foo` imports a sub-dependency `bar` that is also an ESM package, Zen will not be able to protect the code in `bar`. This is because the V8 engine does not allow Node.js to observe the evaluation of inner ESM packages (yet). Open issue: [Adding an evaluation hook for v8::Module](https://issues.chromium.org/u/1/issues/384413088). See a full example below.

docs/fastify.md

@@ -80,12 +80,16 @@ async function authenticate(request, reply) {
   });
 }
 
-fastify.get('/dashboard', {
-  preHandler: [authenticate, Zen.fastifyHook],
-                          // ^ Add the Zen hook after your authentication logic
-}, async (request, reply) => {
-  return { message: "Welcome to your dashboard!" };
-});
+fastify.get(
+  "/dashboard",
+  {
+    preHandler: [authenticate, Zen.fastifyHook],
+    // ^ Add the Zen hook after your authentication logic
+  },
+  async (request, reply) => {
+    return { message: "Welcome to your dashboard!" };
+  }
+);
 ```
 
 This approach allows user blocking and rate limiting to work properly when authentication runs in the `preHandler` stage where the request body is parsed.