Merge branch 'main' into log-levels

.github/workflows/benchmark.yml

@@ -3,7 +3,7 @@ on:
   push: {}
   workflow_call: {}
 jobs:
-  build:
+  benchmark:
     runs-on: ubuntu-latest
     services:
       mongodb:
@@ -28,9 +28,11 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
       - name: Install K6
         uses: grafana/setup-k6-action@v1
       - name: Install wrk
@@ -40,14 +42,14 @@ jobs:
       - run: make install
       - run: make build
       - name: Run NoSQL Injection Benchmark
-        run: cd benchmarks/nosql-injection && AIKIDO_CI=true node --preserve-symlinks benchmark.js
+        run: cd benchmarks/nosql-injection && AIKIDO_CI=true node benchmark.js
       - name: Run SQL Injection Benchmark
-        run: cd benchmarks/sql-injection && node --preserve-symlinks benchmark.js
+        run: cd benchmarks/sql-injection && node benchmark.js
       - name: Run shell injection Benchmark
-        run: cd benchmarks/shell-injection && node --preserve-symlinks benchmark.js
+        run: cd benchmarks/shell-injection && node benchmark.js
       - name: Run Hono with Postgres Benchmark
-        run: cd benchmarks/hono-pg && node --preserve-symlinks benchmark.js
+        run: cd benchmarks/hono-pg && node benchmark.js
       - name: Run API Discovery Benchmark
-        run: cd benchmarks/api-discovery && node --preserve-symlinks benchmark.js
+        run: cd benchmarks/api-discovery && node benchmark.js
       - name: Run Express Benchmark
-        run: cd benchmarks/express && node --preserve-symlinks benchmark.js
+        run: cd benchmarks/express && node benchmark.js

.github/workflows/build-and-release.yml

@@ -21,7 +21,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: "18.x"
           registry-url: "https://registry.npmjs.org"

.github/workflows/end-to-end-tests.yml

@@ -3,7 +3,7 @@ on:
   push: {}
   workflow_call: {}
 jobs:
-  build:
+  test:
     runs-on: ubuntu-latest
     services:
       mongodb:
@@ -52,9 +52,11 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
       - name: Add local.aikido.io to /etc/hosts
         run: |
           sudo echo "127.0.0.1 local.aikido.io" | sudo tee -a /etc/hosts

.github/workflows/lint-code.yml

@@ -1,17 +1,19 @@
 name: Lint code
 on: push
 jobs:
-  build:
+  lint:
     runs-on: ubuntu-latest
     strategy:
       matrix:
         node-version: [18.x]
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-      - run: make install
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
+      - run: make install-lib-only
       - run: make build
       - run: make lint

.github/workflows/unit-test.yml

@@ -3,7 +3,7 @@ on:
   push: {}
   workflow_call: {}
 jobs:
-  build:
+  test:
     runs-on: ubuntu-latest
     services:
       s3:
@@ -51,20 +51,32 @@ jobs:
           "CLICKHOUSE_DEFAULT_ACCESS": "MANAGEMENT=1"
         ports:
           - "27019:8123"
+      mongodb-replica:
+        image: bitnami/mongodb:8.0
+        env:
+          MONGODB_ADVERTISED_HOSTNAME: 127.0.0.1
+          MONGODB_REPLICA_SET_MODE: primary
+          MONGODB_ROOT_USER: root
+          MONGODB_ROOT_PASSWORD: password
+          MONGODB_REPLICA_SET_KEY: replicasetkey123
+        ports:
+          - "27020:27017"
     strategy:
       fail-fast: false
       matrix:
         node-version: [16.x, 18.x, 20.x, 22.x, 23.x]
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
       - name: Add local.aikido.io to /etc/hosts
         run: |
           sudo echo "127.0.0.1 local.aikido.io" | sudo tee -a /etc/hosts
-      - run: make install
+      - run: make install-lib-only
       - run: make build
       - run: make test-ci
       - name: "Upload coverage"

Makefile

@@ -10,51 +10,51 @@ containers:
 
 .PHONY: express-mongodb
 express-mongodb:
-	cd sample-apps/express-mongodb && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/express-mongodb && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: express-mongoose
 express-mongoose:
-	cd sample-apps/express-mongoose && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/express-mongoose && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: express-postgres
 express-postgres:
-	cd sample-apps/express-postgres && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/express-postgres && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: express-mysql
 express-mysql:
-	cd sample-apps/express-mysql && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/express-mysql && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: express-mysql2
 express-mysql2:
-	cd sample-apps/express-mysql2 && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/express-mysql2 && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: express-mariadb
 express-mariadb:
-	cd sample-apps/express-mariadb && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/express-mariadb && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: express-path-traversal
 express-path-traversal:
-	cd sample-apps/express-path-traversal && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/express-path-traversal && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: express-graphql
 express-graphql:
-	cd sample-apps/express-graphql && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/express-graphql && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: hono-xml
 hono-xml:
-	cd sample-apps/hono-xml && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/hono-xml && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: hono-sqlite3
 hono-sqlite3:
-	cd sample-apps/hono-sqlite3 && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/hono-sqlite3 && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: hapi-postgres
 hapi-postgres:
-	cd sample-apps/hapi-postgres && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/hapi-postgres && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: micro
 micro:
-	cd sample-apps/micro && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks --require @aikidosec/firewall ./node_modules/.bin/micro
+	cd sample-apps/micro && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --require @aikidosec/firewall ./node_modules/.bin/micro
 
 .PHONY: lambda-mongodb-nosql-injection
 lambda-mongodb-nosql-injection:
@@ -66,33 +66,41 @@ lambda-mongodb-safe:
 
 .PHONY: nestjs-sentry
 nestjs-sentry:
-	cd sample-apps/nestjs-sentry && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true NODE_OPTIONS=--preserve-symlinks npm run start
+	cd sample-apps/nestjs-sentry && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true NODE_OPTIONS=npm run start
 
 .PHONY: nestjs-fastify
 nestjs-fastify:
-	cd sample-apps/nestjs-fastify && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true NODE_OPTIONS=--preserve-symlinks npm run start
+	cd sample-apps/nestjs-fastify && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true NODE_OPTIONS=npm run start
 
 .PHONY: fastify-mysql2
 fastify-mysql2:
-	cd sample-apps/fastify-mysql2 && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/fastify-mysql2 && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: koa-sqlite3
 koa-sqlite3:
-	cd sample-apps/koa-sqlite3 && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node --preserve-symlinks app.js
+	cd sample-apps/koa-sqlite3 && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
 .PHONY: fastify-clickhouse
 fastify-clickhouse:
 	cd sample-apps/fastify-clickhouse && AIKIDO_DEBUG=true AIKIDO_BLOCKING=true node app.js
 
-.PHONY: install
-install:
+.PHONY: hono-prisma
+hono-prisma:
+	cd sample-apps/hono-prisma && AIKIDO_DEBUG=true AIKIDO_BLOCK=true node app.js
+
+NPM_INSTALL_CMD := $(if $(CI),ci,install)
+
+.PHONY: install-lib-only
+install-lib-only:
 	mkdir -p build
 	node scripts/copyPackageJSON.js
 	touch build/index.js
-	cd build && npm link
-	npm install
-	cd library && npm install
-	cd end2end && npm install
+	npm $(NPM_INSTALL_CMD)
+	cd library && npm $(NPM_INSTALL_CMD)
+
+.PHONY: install
+install: install-lib-only
+	cd end2end && npm $(NPM_INSTALL_CMD)
 	node scripts/install.js
 
 .PHONY: build
@@ -137,9 +145,9 @@ end2end:
 	cd end2end && npm run test
 
 benchmark: build
-	cd benchmarks/nosql-injection && AIKIDO_CI=true node --preserve-symlinks benchmark.js
-	cd benchmarks/shell-injection && node --preserve-symlinks benchmark.js
-	cd benchmarks/sql-injection && node --preserve-symlinks benchmark.js
-	cd benchmarks/hono-pg && node --preserve-symlinks benchmark.js
-	cd benchmarks/api-discovery && node --preserve-symlinks benchmark.js
-	cd benchmarks/express && node --preserve-symlinks benchmark.js
+	cd benchmarks/nosql-injection && AIKIDO_CI=true node benchmark.js
+	cd benchmarks/shell-injection && node benchmark.js
+	cd benchmarks/sql-injection && node benchmark.js
+	cd benchmarks/hono-pg && node benchmark.js
+	cd benchmarks/api-discovery && node benchmark.js
+	cd benchmarks/express && node benchmark.js

README.md

@@ -21,7 +21,7 @@ Zen will autonomously protect your Node.js applications against:
 
 * 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities)
 * 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
-* 🛡️ [Command injection attacks](https://owasp.org/www-community/attacks/Command_Injection)
+* 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked)
 * 🛡️ [Prototype pollution](./docs/prototype-pollution.md)
 * 🛡️ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)
 * 🛡️ [Server-side request forgery (SSRF)](./docs/ssrf.md)
@@ -61,6 +61,7 @@ Zen for Node.js 16+ is compatible with:
 * ✅ [`better-sqlite3`](https://www.npmjs.com/package/better-sqlite3) 11.x, 10.x, 9.x and 8.x
 * ✅ [`postgres`](https://www.npmjs.com/package/postgres) 3.x
 * ✅ [`@clickhouse/client`](https://www.npmjs.com/package/@clickhouse/client) 1.x
+* ✅ [`@prisma/client`](https://www.npmjs.com/package/@prisma/client) 5.x
 
 ### Cloud providers
 

benchmarks/hono-pg/benchmark.js

@@ -16,7 +16,7 @@ async function startServer(firewallEnabled) {
     };
   }
 
-  const server = spawn("node", ["--preserve-symlinks", "server.js", "4000"], {
+  const server = spawn("node", ["server.js", "4000"], {
     env,
     cwd: join(__dirname, "app"),
   });

docs/next.md

@@ -48,7 +48,7 @@ Note: Including `@aikidosec/firewall` in `middleware.js` or `instrumentation.js`
 
 1. Rate limiting by user ID is not supported because `setUser` is not supported due to the bundling process of Next.js.
 2. Same for blocking of specific users (requires `setUser`).
-3. Attack detection only works for modules that are listed in the [`serverComponentsExternalPackages`](https://nextjs.org/docs/app/api-reference/next-config-js/serverComponentsExternalPackages). For example, `pg` is supported, but `mysql` is not.
+3. Attack detection only works for modules that are listed in the [`serverExternalPackages`](https://nextjs.org/docs/app/api-reference/config/next-config-js/serverExternalPackages). For example, `pg` is supported, but `mysql` is not.
 
 ## Blocking mode
 

end2end/tests/big-payloads.test.js

@@ -11,7 +11,7 @@ const pathToApp = resolve(
 );
 
 t.test("it does not crash if many attacks with big payloads", (t) => {
-  const server = spawn(`node`, ["--preserve-symlinks", pathToApp, "4000"], {
+  const server = spawn(`node`, [pathToApp, "4000"], {
     env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_BLOCKING: "true" },
   });
 

end2end/tests/express-graphql.test.js

@@ -72,7 +72,7 @@ t.test("it blocks in blocking mode", (t) => {
 });
 
 t.test("it does not block in dry mode", (t) => {
-  const server = spawn(`node`, ["--preserve-symlinks", pathToApp, "4001"], {
+  const server = spawn(`node`, [pathToApp, "4001"], {
     env: { ...process.env, AIKIDO_DEBUG: "true" },
   });
 

end2end/tests/express-mariadb.test.js

@@ -10,7 +10,7 @@ const pathToApp = resolve(
 );
 
 t.test("it blocks in blocking mode", (t) => {
-  const server = spawn(`node`, ["--preserve-symlinks", pathToApp, "4000"], {
+  const server = spawn(`node`, [pathToApp, "4000"], {
     env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_BLOCKING: "true" },
   });
 
@@ -62,7 +62,7 @@ t.test("it blocks in blocking mode", (t) => {
 });
 
 t.test("it does not block in dry mode", (t) => {
-  const server = spawn(`node`, ["--preserve-symlinks", pathToApp, "4001"], {
+  const server = spawn(`node`, [pathToApp, "4001"], {
     env: { ...process.env, AIKIDO_DEBUG: "true" },
   });
 

end2end/tests/express-mongodb.shell-injection.test.js

@@ -10,7 +10,7 @@ const pathToApp = resolve(
 );
 
 t.test("it blocks in blocking mode", (t) => {
-  const server = spawn(`node`, ["--preserve-symlinks", pathToApp, "4000"], {
+  const server = spawn(`node`, [pathToApp, "4000"], {
     env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_BLOCK: "true" },
   });
 
@@ -73,7 +73,7 @@ t.test("it blocks in blocking mode", (t) => {
 });
 
 t.test("it does not block in dry mode", (t) => {
-  const server = spawn(`node`, ["--preserve-symlinks", pathToApp, "4001"], {
+  const server = spawn(`node`, [pathToApp, "4001"], {
     env: { ...process.env, AIKIDO_DEBUG: "true" },
   });
 

end2end/tests/express-mongodb.ssrf.test.js

@@ -51,7 +51,7 @@ t.beforeEach(async () => {
 });
 
 t.test("it blocks in blocking mode", (t) => {
-  const server = spawn(`node`, ["--preserve-symlinks", pathToApp, "4000"], {
+  const server = spawn(`node`, [pathToApp, "4000"], {
     env: {
       ...process.env,
       AIKIDO_DEBUG: "true",
@@ -129,7 +129,7 @@ t.test("it blocks in blocking mode", (t) => {
 });
 
 t.test("it does not block in dry mode", (t) => {
-  const server = spawn(`node`, ["--preserve-symlinks", pathToApp, "4001"], {
+  const server = spawn(`node`, [pathToApp, "4001"], {
     env: {
       ...process.env,
       AIKIDO_DEBUG: "true",