Merge pull request #463 from AikidoSec/mark-unsafe

Mark JS values as unsafe

Author: hansott

docs/markUnsafe.md

@@ -0,0 +1,80 @@
+# Marking Unsafe Input
+
+To flag input as unsafe, you can use the `markUnsafe` function. This is useful when you want to explicitly label data as potentially dangerous, such as output from an LLM being used to generate a file name. Here's an example using OpenAI's function calling feature:
+
+```js
+import Zen from "@aikidosec/firewall";
+import OpenAI from "openai";
+import { readFile } from "fs/promises";
+
+const openai = new OpenAI();
+
+const completion = await openai.chat.completions.create({
+  model: "gpt-4",
+  messages: [
+    {
+      role: "user",
+      content: "Read the contents of the config file"
+    }
+  ],
+  tools: [
+    {
+      type: "function",
+      function: {
+        name: "read_file",
+        description: "Read the contents of a file",
+        parameters: {
+          type: "object",
+          properties: {
+            filepath: {
+              type: "string",
+              description: "The path to the file to read"
+            }
+          },
+          required: ["filepath"]
+        }
+      }
+    }
+  ]
+});
+
+const toolCall = completion.choices[0].message.tool_calls[0];
+const filepath = JSON.parse(toolCall.function.arguments).filepath;
+
+// Mark the filepath as unsafe since it came from the LLM
+Zen.markUnsafe(filepath);
+
+// This will be blocked if the LLM tries to perform path traversal
+// e.g. if filepath is "../../../etc/passwd"
+await readFile(filepath);
+```
+
+This example shows how to protect against path traversal attacks when using OpenAI's function calling feature. The LLM might try to access sensitive files using path traversal (e.g., `../../../etc/passwd`), but Zen will detect and block these attempts.
+
+You can also pass multiple arguments to `markUnsafe`:
+
+```js
+Zen.markUnsafe(a, b, c);
+```
+
+You can pass strings, objects, and arrays to `markUnsafe`. Zen will track the marked data across your application and will be able to detect any attacks that may be attempted using the marked data.
+
+## Caveats when marking data as unsafe
+
+⚠️ Be careful when marking data as unsafe, as it may lead to false positives. If you generate a full SQL query using an LLM and mark it as unsafe, Zen will flag all queries using that SQL as an attack.
+
+BAD:
+
+```js
+Zen.markUnsafe("SELECT * FROM users WHERE id = '' OR 1=1 -- '");
+
+await db.query("SELECT * FROM users WHERE id = '' OR 1=1 -- '");
+```
+
+GOOD:
+
+```js
+Zen.markUnsafe("' OR 1=1 -- ");
+
+await db.query("SELECT * FROM users WHERE id = '' OR 1=1 -- '");
+```

library/agent/Context.ts

@@ -23,6 +23,7 @@ export type Context = {
   graphql?: string[];
   xml?: unknown[];
   subdomains?: string[]; // https://expressjs.com/en/5x/api.html#req.subdomains
+  markUnsafe?: unknown[];
   cache?: Map<Source, ReturnType<typeof extractStringsFromUserInput>>;
   /**
    * Used to store redirects in outgoing http(s) requests that are started by a user-supplied input (hostname and port / url) to prevent SSRF redirect attacks.
@@ -84,6 +85,7 @@ export function runWithContext<T>(context: Context, fn: () => T) {
     current.xml = context.xml;
     current.subdomains = context.subdomains;
     current.outgoingRequestRedirects = context.outgoingRequestRedirects;
+    current.markUnsafe = context.markUnsafe;
 
     // Clear all the cached user input strings
     delete current.cache;

library/agent/Source.ts

@@ -7,6 +7,7 @@ export const SOURCES = [
   "graphql",
   "xml",
   "subdomains",
+  "markUnsafe",
 ] as const;
 
 export type Source = (typeof SOURCES)[number];

library/agent/context/markUnsafe.test.ts

@@ -0,0 +1,154 @@
+import * as t from "tap";
+import { createTestAgent } from "../../helpers/createTestAgent";
+import { wrap } from "../../helpers/wrap";
+import { checkContextForSqlInjection } from "../../vulnerabilities/sql-injection/checkContextForSqlInjection";
+import { SQLDialectPostgres } from "../../vulnerabilities/sql-injection/dialects/SQLDialectPostgres";
+import { Context, getContext, runWithContext } from "../Context";
+import { markUnsafe } from "./markUnsafe";
+
+function createContext(): Context {
+  return {
+    remoteAddress: "::1",
+    method: "POST",
+    url: "http://localhost:4000",
+    query: {},
+    headers: {},
+    body: {
+      image: "http://localhost:4000/api/internal",
+    },
+    cookies: {},
+    routeParams: {},
+    source: "express",
+    route: "/posts/:id",
+  };
+}
+
+t.test("it works", async () => {
+  const agent = createTestAgent({});
+  agent.start([]);
+
+  // No unsafe input
+  runWithContext(createContext(), () => {
+    const context = getContext();
+
+    if (!context) {
+      throw new Error("Context is not defined");
+    }
+
+    const result = checkContextForSqlInjection({
+      sql: 'SELECT * FROM "users" WHERE id = 1',
+      operation: "pg.query",
+      dialect: new SQLDialectPostgres(),
+      context: context,
+    });
+    t.same(result, undefined);
+  });
+
+  // Unsafe string
+  runWithContext(createContext(), () => {
+    markUnsafe("id = 1");
+
+    const context = getContext();
+
+    if (!context) {
+      throw new Error("Context is not defined");
+    }
+
+    const result = checkContextForSqlInjection({
+      sql: 'SELECT * FROM "users" WHERE id = 1',
+      operation: "pg.query",
+      dialect: new SQLDialectPostgres(),
+      context: context,
+    });
+    t.same(result, {
+      kind: "sql_injection",
+      operation: "pg.query",
+      source: "markUnsafe",
+      metadata: {
+        sql: 'SELECT * FROM "users" WHERE id = 1',
+      },
+      payload: "id = 1",
+      pathsToPayload: [".[0]"],
+    });
+  });
+
+  // Unsafe object
+  runWithContext(createContext(), () => {
+    markUnsafe({ somePropertyThatContainsSQL: "id = 1" });
+
+    const context = getContext();
+
+    if (!context) {
+      throw new Error("Context is not defined");
+    }
+
+    const result = checkContextForSqlInjection({
+      sql: 'SELECT * FROM "users" WHERE id = 1',
+      operation: "pg.query",
+      dialect: new SQLDialectPostgres(),
+      context: context,
+    });
+    t.same(result, {
+      kind: "sql_injection",
+      operation: "pg.query",
+      source: "markUnsafe",
+      metadata: {
+        sql: 'SELECT * FROM "users" WHERE id = 1',
+      },
+      payload: "id = 1",
+      pathsToPayload: [".[0].somePropertyThatContainsSQL"],
+    });
+  });
+
+  // Test markUnsafe called without context
+  const logs: string[] = [];
+  wrap(console, "warn", function warn() {
+    return function warn(message: string) {
+      logs.push(message);
+    };
+  });
+  markUnsafe("id = 1");
+  t.same(logs, [
+    "markUnsafe(...) was called without a context. The data will not be tracked. Make sure to call markUnsafe(...) within an HTTP request. If you're using serverless functions, make sure to use the handler wrapper provided by Zen.",
+  ]);
+
+  // Warning logged only once
+  markUnsafe("id = 1");
+  t.same(logs.length, 1);
+
+  // Test if serialize fails
+  runWithContext(createContext(), () => {
+    // Define an object with a circular reference
+    const obj: Record<string, any> = {};
+    obj.self = obj;
+    markUnsafe(obj);
+  });
+  t.same(logs, [
+    "markUnsafe(...) was called without a context. The data will not be tracked. Make sure to call markUnsafe(...) within an HTTP request. If you're using serverless functions, make sure to use the handler wrapper provided by Zen.",
+    "markUnsafe(...) failed to serialize the data",
+  ]);
+
+  runWithContext(createContext(), () => {
+    markUnsafe();
+  });
+  t.same(logs, [
+    "markUnsafe(...) was called without a context. The data will not be tracked. Make sure to call markUnsafe(...) within an HTTP request. If you're using serverless functions, make sure to use the handler wrapper provided by Zen.",
+    "markUnsafe(...) failed to serialize the data",
+    "markUnsafe(...) was called without any data.",
+  ]);
+
+  runWithContext(createContext(), () => {
+    markUnsafe(1, true, null, undefined, () => {}, Symbol("test"));
+  });
+  t.same(logs, [
+    "markUnsafe(...) was called without a context. The data will not be tracked. Make sure to call markUnsafe(...) within an HTTP request. If you're using serverless functions, make sure to use the handler wrapper provided by Zen.",
+    "markUnsafe(...) failed to serialize the data",
+    "markUnsafe(...) was called without any data.",
+    "markUnsafe(...) expects an object, array, or string. Received: number",
+    "markUnsafe(...) expects an object, array, or string. Received: boolean",
+    "markUnsafe(...) expects an object, array, or string. Received: null",
+    "markUnsafe(...) expects an object, array, or string. Received: undefined",
+    "markUnsafe(...) expects an object, array, or string. Received: function",
+    "markUnsafe(...) expects an object, array, or string. Received: symbol",
+  ]);
+});

library/agent/context/markUnsafe.ts

@@ -0,0 +1,79 @@
+import { isPlainObject } from "../../helpers/isPlainObject";
+import { getInstance } from "../AgentSingleton";
+import { Context, updateContext } from "../Context";
+import { ContextStorage } from "./ContextStorage";
+
+export function markUnsafe(...data: unknown[]) {
+  const agent = getInstance();
+
+  if (!agent) {
+    return;
+  }
+
+  const context = ContextStorage.getStore();
+
+  if (!context) {
+    logWarningMarkUnsafeWithoutContext();
+    return;
+  }
+
+  if (data.length === 0) {
+    // eslint-disable-next-line no-console
+    console.warn("markUnsafe(...) was called without any data.");
+  }
+
+  for (const item of data) {
+    if (
+      !isPlainObject(item) &&
+      !Array.isArray(item) &&
+      typeof item !== "string"
+    ) {
+      const type = item === null ? "null" : typeof item;
+      // eslint-disable-next-line no-console
+      console.warn(
+        `markUnsafe(...) expects an object, array, or string. Received: ${type}`
+      );
+      continue;
+    }
+
+    addPayloadToContext(context, item);
+  }
+}
+
+function addPayloadToContext(context: Context, payload: unknown) {
+  try {
+    const current = context.markUnsafe || [];
+    const a = JSON.stringify(payload);
+
+    if (
+      !current.some((item) => {
+        // JSON.stringify is used to compare objects
+        // without having to copy a deep equality function
+        return JSON.stringify(item) === a;
+      })
+    ) {
+      current.push(payload);
+      updateContext(context, "markUnsafe", current);
+    }
+  } catch (e: unknown) {
+    if (e instanceof Error) {
+      // eslint-disable-next-line no-console
+      console.warn("markUnsafe(...) failed to serialize the data");
+    }
+  }
+}
+
+let loggedWarningMarkUnsafeWithoutContext = false;
+
+function logWarningMarkUnsafeWithoutContext() {
+  if (loggedWarningMarkUnsafeWithoutContext) {
+    return;
+  }
+
+  // eslint-disable-next-line no-console
+  console.warn(
+    "markUnsafe(...) was called without a context. The data will not be tracked. Make sure to call markUnsafe(...) within an HTTP request. If you're using serverless functions, make sure to use the handler wrapper provided by Zen."
+  );
+
+  loggedWarningMarkUnsafeWithoutContext = true;
+}

library/index.ts

@@ -2,6 +2,7 @@
 import isFirewallSupported from "./helpers/isFirewallSupported";
 import shouldEnableFirewall from "./helpers/shouldEnableFirewall";
 import { setUser } from "./agent/context/user";
+import { markUnsafe } from "./agent/context/markUnsafe";
 import { shouldBlockRequest } from "./middleware/shouldBlockRequest";
 import { addExpressMiddleware } from "./middleware/express";
 import { addHonoMiddleware } from "./middleware/hono";
@@ -18,6 +19,7 @@ if (supported && shouldEnable) {
 
 export {
   setUser,
+  markUnsafe,
   shouldBlockRequest,
   addExpressMiddleware,
   addHonoMiddleware,