Enable SSRF redirect protection and add breaking test for AWS SDK v3 #346
+1,998
−468
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAttention: Patch coverage is
📢 Thoughts on this report? Let us know! |
…to patch-ssrf-enable * 'patch-ssrf-enable' of github.com:AikidoSec/node-RASP: Delete library/sinks/AwsSDKVersion3.ts
Cause you can have multiple event handlers for "response"
timokoessler
reviewed
Sep 2, 2024
timokoessler
approved these changes
Sep 2, 2024
…-enable * 'beta' of github.com:AikidoSec/node-RASP: (421 commits) Upgrade to latest zen internals Use v4 of dd-trace (supports node v16 and higher) Add end2end test for compatibility with dd-trace Use fetch helper function instead of native Add comment why we use createServer Make non-owned props of express wrapped functions accessible Cleanup Preserve original handler name for Ghost Improve test Replace ULID Add test with operation name Add more tests Don't discover GraphQL queries from server-side rendering Fix tests (use createTestAgent utility fn) Fix lint Update comment Update comment Update comment Update comment Additional main branch test fixes ...
library/sinks/HTTPRequest.ts
Outdated
Comment on lines
149
to
151
| // Wrap the response handler if there is one | ||
| // so that we can inspect the response for SSRF attacks (using redirects) | ||
| // e.g. http.request("http://example.com", (response) => {}) |
There was a problem hiding this comment.
comments: wrapping callback with the goal of wrapping the inner callback
…-enable * 'main' of github.com:AikidoSec/node-RASP: (113 commits) Add performance test Shorten function Shorten methods Fix tests for attackPath Add failing tests Add breaking test Add test Add more tests Improve test coverage Extend and fix tests Link to Aikido Blog for Command Injection attacks Use more efficient ip matcher Fix tests Fix again fix: Wrong payload path after merge Fix tests Delete jwt.iss Add test Use new Zen internals JS parser Update Zen Internals ...
…-enable * 'main' of github.com:AikidoSec/node-RASP: Fix broken link in Next.js docs Increase to 25% Fix flaky performance test Remove eval sink
…-enable * 'main' of github.com:AikidoSec/node-RASP: Fix merge Fix unit tests Add install-lib-only to Makefile Fix Prisma tests using Node v16 Skip tests on Node v16 Support prisma v6 Update t.fail usage in e2e tests Apply suggestions of reviewer Fix e2e tests Add e2e tests and improve unit tests Protect raw Prisma MongoDB methods Rewrite Prisma sink using client extensions Fix tests in Node v23 Add initial prisma mongodb test Add prisma postgres test Fix Prisma sqlite test Add initial prisma support
timokoessler
reviewed
Jan 6, 2025
timokoessler
approved these changes
Jan 6, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.