Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for IP address blocking #447

Merged
merged 19 commits into from
Nov 27, 2024
Merged

Add support for IP address blocking #447

merged 19 commits into from
Nov 27, 2024

Conversation

timokoessler
Copy link
Member

No description provided.

@codecov Codecov
Copy link

codecov bot commented Nov 8, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 95.50173% with 13 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
library/agent/Agent.ts 75.00% 8 Missing ⚠️
...y/sources/http-server/checkIfIPAddressIsBlocked.ts 92.72% 4 Missing ⚠️
library/agent/api/fetchBlockedIPAddresses.ts 97.14% 0 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

@timokoessler timokoessler marked this pull request as ready for review November 11, 2024 09:05
@hansott
Merge branch 'beta' of github.com:AikidoSec/node-RASP into support-ip…
b6f12f5 
…-blocking

* 'beta' of github.com:AikidoSec/node-RASP: (38 commits)
  Remove console.log(...)
  Use fake credentials :)
  Add end2end test for n8n
  Upgrade to latest zen internals
  Use v4 of dd-trace (supports node v16 and higher)
  Add end2end test for compatibility with dd-trace
  Use fetch helper function instead of native
  Add comment why we use createServer
  Make non-owned props of express wrapped functions accessible
  Cleanup
  Preserve original handler name for Ghost
  Improve test
  Replace ULID
  Add test with operation name
  Add more tests
  Don't discover GraphQL queries from server-side rendering
  Fix tests (use createTestAgent utility fn)
  Fix lint
  Update comment
  Update comment
  ...
@hansott
Fetch IPs from separate endpoint
8b84f65
@hansott
There's already a try/catch inside updateBlockedIPAddresses
735edda
@hansott
Only update blocked IP address when there's a config update
18d4de2
@hansott
Fix lint
90be296
@hansott
Add test for fetch
a3625b7
@hansott
Add gzip support to fetch helper
b518459
@hansott
Remove unused function
f60c33b
@hansott hansott marked this pull request as draft November 26, 2024 12:39
@hansott hansott marked this pull request as ready for review November 26, 2024 16:44
willem-delbare
willem-delbare reviewed Nov 27, 2024
View reviewed changes
library/agent/Agent.ts Outdated
@@ -341,6 +365,7 @@ export class Agent {
lastUpdatedAt: this.serviceConfig.getLastUpdatedAt(),
onConfigUpdate: (config) => {
this.updateServiceConfig({ success: true, ...config });
this.updateBlockedIPAddresses().catch(() => {});
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's not swallow but log?

willem-delbare
willem-delbare reviewed Nov 27, 2024
View reviewed changes
library/helpers/addIPAddressToBlocklist.ts Outdated
return undefined;
}

export function addIPAddressToBlocklist(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IP range?

willem-delbare
willem-delbare reviewed Nov 27, 2024
View reviewed changes
library/sources/http-server/checkIfIPAddressIsBlocked.ts Outdated
import { escapeHTML } from "../../helpers/escapeHTML";
import { ipAllowedToAccessRoute } from "./ipAllowedToAccessRoute";

export function checkIfIPAddressIsBlocked(res: ServerResponse, agent: Agent) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's state all kinds of checks performed by this function (it's goal) in comments

  • eg route based
  • geo/range list based

willem-delbare
willem-delbare reviewed Nov 27, 2024
View reviewed changes
library/agent/api/fetchBlockedIPAddresses.ts Outdated
"Accept-Encoding": "gzip",
Authorization: token.asString(),
},
timeoutInMS: 10000,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's set to 20s

@willem-delbare willem-delbare merged commit 77b0395 into beta Nov 27, 2024
7 of 9 checks passed
@willem-delbare willem-delbare deleted the support-ip-blocking branch November 27, 2024 13:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hansott hansott hansott approved these changes

@willem-delbare willem-delbare willem-delbare left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@timokoessler @hansott @willem-delbare