Merge pull request #404 from AikidoSec/rate-limiting-user

Do not rate limit by ip if user is set

Author: hansott

end2end/server/app.js

@@ -1,9 +1,11 @@
+// This is a insecure mock server for testing purposes
 const express = require("express");
 const config = require("./src/handlers/getConfig");
 const captureEvent = require("./src/handlers/captureEvent");
 const listEvents = require("./src/handlers/listEvents");
 const createApp = require("./src/handlers/createApp");
 const checkToken = require("./src/middleware/checkToken");
+const updateConfig = require("./src/handlers/updateConfig");
 
 const app = express();
 
@@ -12,9 +14,11 @@ const port = process.env.PORT || 3000;
 app.use(express.json());
 
 app.get("/api/runtime/config", checkToken, config);
-app.post("/api/runtime/events", checkToken, captureEvent);
+app.post("/api/runtime/config", checkToken, updateConfig);
 
 app.get("/api/runtime/events", checkToken, listEvents);
+app.post("/api/runtime/events", checkToken, captureEvent);
+
 app.post("/api/runtime/apps", createApp);
 
 app.listen(port, () => {

end2end/server/src/handlers/captureEvent.js

@@ -1,4 +1,4 @@
-const { generateConfig } = require("../zen/config");
+const { getAppConfig } = require("../zen/config");
 const { captureEvent: capture } = require("../zen/events");
 
 module.exports = function captureEvent(req, res) {
@@ -14,5 +14,5 @@ module.exports = function captureEvent(req, res) {
     });
   }
 
-  return res.json(generateConfig(req.app));
+  return res.json(getAppConfig(req.app));
 };

end2end/server/src/handlers/getConfig.js

@@ -1,8 +1,8 @@
-const { generateConfig } = require("../zen/config");
+const { getAppConfig } = require("../zen/config");
 module.exports = function getConfig(req, res) {
   if (!req.app) {
     throw new Error("App is missing");
   }
 
-  res.json(generateConfig(req.app));
+  res.json(getAppConfig(req.app));
 };

end2end/server/src/handlers/updateConfig.js

@@ -0,0 +1,19 @@
+const { updateAppConfig, getAppConfig } = require("../zen/config");
+module.exports = function updateConfig(req, res) {
+  if (!req.app) {
+    throw new Error("App is missing");
+  }
+
+  // Insecure input validation - but this is only a mock server
+  if (
+    !req.body ||
+    typeof req.body !== "object" ||
+    Array.isArray(req.body) ||
+    !Object.keys(req.body).length
+  ) {
+    return res.status(400).json({
+      message: "Request body is missing or invalid",
+    });
+  }
+  res.json({ success: updateAppConfig(req.app, req.body) });
+};

end2end/server/src/zen/config.js

@@ -1,3 +1,5 @@
+const configs = [];
+
 function generateConfig(app) {
   return {
     success: true,
@@ -11,6 +13,27 @@ function generateConfig(app) {
   };
 }
 
+function getAppConfig(app) {
+  const existingConf = configs.find((config) => config.serviceId === app.id);
+  if (existingConf) {
+    return existingConf;
+  }
+  const newConf = generateConfig(app);
+  configs.push(newConf);
+  return newConf;
+}
+
+function updateAppConfig(app, newConfig) {
+  let index = configs.findIndex((config) => config.serviceId === app.serviceId);
+  if (index === -1) {
+    getAppConfig(app);
+    index = configs.length - 1;
+  }
+  configs[index] = { ...configs[index], ...newConfig };
+  return true;
+}
+
 module.exports = {
-  generateConfig,
+  getAppConfig,
+  updateAppConfig,
 };

end2end/tests/hono-xml-rate-limiting.test.js

@@ -0,0 +1,176 @@
+const t = require("tap");
+const { spawn } = require("child_process");
+const { resolve } = require("path");
+const timeout = require("../timeout");
+
+const pathToApp = resolve(__dirname, "../../sample-apps/hono-xml", "app.js");
+const testServerUrl = "http://localhost:5874";
+
+let token;
+t.beforeEach(async () => {
+  const response = await fetch(`${testServerUrl}/api/runtime/apps`, {
+    method: "POST",
+  });
+  const body = await response.json();
+  token = body.token;
+
+  // Apply rate limiting
+  const updateConfigResponse = await fetch(
+    `${testServerUrl}/api/runtime/config`,
+    {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: token,
+      },
+      body: JSON.stringify({
+        endpoints: [
+          {
+            route: "/add",
+            method: "POST",
+            forceProtectionOff: false,
+            rateLimiting: {
+              enabled: true,
+              maxRequests: 1,
+              windowSizeInMS: 60 * 1000,
+            },
+          },
+        ],
+      }),
+    }
+  );
+  t.same(updateConfigResponse.status, 200);
+});
+
+t.test("it rate limits requests", (t) => {
+  const server = spawn(`node`, ["--preserve-symlinks", pathToApp, "4002"], {
+    env: {
+      ...process.env,
+      AIKIDO_DEBUG: "true",
+      AIKIDO_BLOCKING: "true",
+      AIKIDO_TOKEN: token,
+      AIKIDO_URL: testServerUrl,
+    },
+  });
+
+  server.on("close", () => {
+    t.end();
+  });
+
+  server.on("error", (err) => {
+    t.fail(err.message);
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+
+  // Wait for the server to start
+  timeout(2000)
+    .then(async () => {
+      const resp1 = await fetch("http://127.0.0.1:4002/add", {
+        method: "POST",
+        body: "<cat><name>Njuska</name></cat>",
+        headers: {
+          "Content-Type": "application/xml",
+        },
+        signal: AbortSignal.timeout(5000),
+      });
+      t.same(resp1.status, 200);
+
+      const resp2 = await fetch("http://127.0.0.1:4002/add", {
+        method: "POST",
+        body: "<cat><name>Harry</name></cat>",
+        headers: {
+          "Content-Type": "application/xml",
+        },
+        signal: AbortSignal.timeout(5000),
+      });
+      t.same(resp2.status, 429);
+    })
+    .catch((error) => {
+      t.fail(error.message);
+    })
+    .finally(() => {
+      server.kill();
+    });
+});
+
+t.test("user rate limiting works", (t) => {
+  const server = spawn(`node`, ["--preserve-symlinks", pathToApp, "4003"], {
+    env: {
+      ...process.env,
+      AIKIDO_DEBUG: "true",
+      AIKIDO_BLOCKING: "true",
+      AIKIDO_TOKEN: token,
+      AIKIDO_URL: testServerUrl,
+    },
+  });
+
+  server.on("close", () => {
+    t.end();
+  });
+
+  server.on("error", (err) => {
+    t.fail(err.message);
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+
+  // Wait for the server to start
+  timeout(2000)
+    .then(async () => {
+      const resp1 = await fetch("http://127.0.0.1:4003/add", {
+        method: "POST",
+        body: "<cat><name>Njuska</name></cat>",
+        headers: {
+          "Content-Type": "application/xml",
+          "X-User-Id": "user1",
+        },
+        signal: AbortSignal.timeout(5000),
+      });
+      t.same(resp1.status, 200);
+
+      const resp2 = await fetch("http://127.0.0.1:4003/add", {
+        method: "POST",
+        body: "<cat><name>Harry</name></cat>",
+        headers: {
+          "Content-Type": "application/xml",
+          "X-User-Id": "user2",
+        },
+        signal: AbortSignal.timeout(5000),
+      });
+      t.same(resp2.status, 200);
+
+      const resp3 = await fetch("http://127.0.0.1:4003/add", {
+        method: "POST",
+        body: "<cat><name>Njuska</name></cat>",
+        headers: {
+          "Content-Type": "application/xml",
+          "X-User-Id": "user1",
+        },
+        signal: AbortSignal.timeout(5000),
+      });
+      t.same(resp3.status, 429);
+    })
+    .catch((error) => {
+      t.fail(error.message);
+    })
+    .finally(() => {
+      server.kill();
+    });
+});

library/agent/Context.ts

@@ -16,8 +16,7 @@ export type Context = {
   body: unknown; // Can be an object, string or undefined (the body is parsed by something like body-parser)
   cookies: Record<string, string>;
   attackDetected?: boolean;
-  consumedRateLimitForIP?: boolean;
-  consumedRateLimitForUser?: boolean;
+  consumedRateLimit?: boolean;
   user?: { id: string; name?: string };
   source: string;
   route: string | undefined;

library/agent/context/user.test.ts

@@ -92,7 +92,7 @@ t.test("it logs when setUser has invalid input", async () => {
   // @ts-expect-error User is undefined
   setUser(undefined);
   t.same(logger.getMessages(), [
-    "setUser(...) expects an object with 'id' and 'name' properties, found undefined instead.",
+    "setUser(...) can not be called with null or undefined.",
   ]);
   logger.clear();
 
@@ -115,6 +115,12 @@ t.test("it logs when setUser has invalid input", async () => {
     "setUser(...) expects an object with 'id' property.",
   ]);
   logger.clear();
+
+  // @ts-expect-error Testing invalid input
+  setUser(null);
+  t.same(logger.getMessages(), [
+    "setUser(...) can not be called with null or undefined.",
+  ]);
 });
 
 t.test(

library/agent/context/user.ts

@@ -1,3 +1,4 @@
+/* eslint-disable max-lines-per-function */
 import { isPlainObject } from "../../helpers/isPlainObject";
 import { getInstance } from "../AgentSingleton";
 import type { User } from "../Context";
@@ -12,6 +13,11 @@ export function setUser(u: { id: string | number; name?: string }) {
 
   const user = u as unknown;
 
+  if (user === null || user === undefined) {
+    agent.log(`setUser(...) can not be called with null or undefined.`);
+    return;
+  }
+
   if (!isPlainObject(user)) {
     agent.log(
       `setUser(...) expects an object with 'id' and 'name' properties, found ${typeof user} instead.`