Merge branch 'main' of github.com:AikidoSec/node-RASP into poc-required-pkg

* 'main' of github.com:AikidoSec/node-RASP: (440 commits)
  Fix test coverage
  Report SQL dialect in event metadata
  Move to separate test with skip reason
  Skip express bench on v24.x
  Skip hono-pg bench on Node.js v24
  Remove --experimental-sqlite
  Run tests & benchmarks on Node.js v24
  Add comment to extractStringsFromUserInput
  Add new safeDecodeURIComponent function
  Update library/helpers/extractStringsFromUserInput.ts
  Fix tests
  Support Koa v3
  Extract safeDecodeURIComponent
  Add unit test
  Try decode possible uri encoded strings
  Add failing tests
  Prevent ReDoS
  Fix multiple control chars
  Remove unused code
  Check blocked users every time but log once
  ...

Author: hansott

.devcontainer/devcontainer.json

@@ -0,0 +1,40 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+{
+  "name": "Zen Node.js",
+  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+  "image": "mcr.microsoft.com/devcontainers/typescript-node:22",
+
+  // Features to add to the dev container. More info: https://containers.dev/features.
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+    "ghcr.io/devcontainers/features/rust:1": {}
+  },
+
+  // Configure tool-specific properties.
+  "customizations": {
+    // Configure properties specific to VS Code.
+    "vscode": {
+      "settings": {},
+      "extensions": [
+        "ms-azuretools.vscode-docker",
+        "dbaeumer.vscode-eslint",
+        "esbenp.prettier-vscode",
+        "YoavBls.pretty-ts-errors",
+        "rust-lang.rust-analyzer"
+      ]
+    }
+  },
+
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  "forwardPorts": [3000, 4000],
+
+  // Use 'portsAttributes' to set default properties for specific forwarded ports.
+  // More info: https://containers.dev/implementors/json_reference/#port-attributes
+  "portsAttributes": {},
+
+  // Use 'postCreateCommand' to run commands after the container is created.
+  "postCreateCommand": "./.devcontainer/postCreateCommand.sh"
+
+  // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+  // "remoteUser": "root"
+}

.devcontainer/postCreateCommand.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Update
+sudo apt update -y && sudo apt upgrade -y
+rustup update
+source /usr/local/share/nvm/nvm.sh
+nvm install --lts
+nvm use --lts
+npm update -g
+
+# Install WASM pack
+curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh
+
+# Install k6
+## k6 installation -- arm machines
+if [ "$(uname -m)" = "aarch64" ]; then
+	K6_TAR_LINK=https://github.com/grafana/k6/releases/download/v0.58.0/k6-v0.58.0-linux-arm64.tar.gz
+	curl -OL $K6_TAR_LINK
+	tar -xzf k6-v0.58.0-linux-arm64.tar.gz
+	sudo mv k6-v0.58.0-linux-arm64/k6 /usr/local/bin/k6
+	rm -rf k6-v0.58.0-linux-arm64*
+else ## k6 installation -- other architectures
+	sudo gpg -k
+	sudo gpg --no-default-keyring --keyring /usr/share/keyrings/k6-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys C5AD17C747E3415A3642D57D77C6C491D6AC1D69
+	echo "deb [signed-by=/usr/share/keyrings/k6-archive-keyring.gpg] https://dl.k6.io/deb stable main" | sudo tee /etc/apt/sources.list.d/k6.list
+	sudo apt-get update -y
+	sudo apt-get install k6 -y
+fi
+
+# Install wrk, sqlite3
+sudo apt install wrk sqlite3 -y
+
+# Install npm packages, build and run containers
+npm i
+npm run build
+npm run containers

.github/CONTRIBUTING.md

@@ -5,6 +5,7 @@ First off, thanks for taking the time to contribute! ❤️
 All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions. 🎉
 
 > And if you like the project, but just don't have time to contribute, that's fine. There are other easy ways to support the project and show your appreciation, which we would also be very happy about:
+>
 > - Star the project
 > - Tweet about it
 > - Refer this project in your project's readme
@@ -64,7 +65,7 @@ We use GitHub issues to track bugs and errors. If you run into an issue with the
 
 - Open an [Issue](https://github.com/AikidoSec/firewall-node/issues/new). (Since we can't be sure at this point whether it is a bug or not, we ask you not to talk about a bug yet and not to label the issue.)
 - Explain the behavior you would expect and the actual behavior.
-- Please provide as much context as possible and describe the *reproduction steps* that someone else can follow to recreate the issue on their own. This usually includes your code. For good bug reports you should isolate the problem and create a reduced test case.
+- Please provide as much context as possible and describe the _reproduction steps_ that someone else can follow to recreate the issue on their own. This usually includes your code. For good bug reports you should isolate the problem and create a reduced test case.
 - Provide the information you collected in the previous section.
 
 Once it's filed:
@@ -96,12 +97,12 @@ Enhancement suggestions are tracked as [GitHub issues](https://github.com/Aikido
 ### Your First Code Contribution
 
 - clone the repository to your local machine
-- run `$ make install` to install dependencies
-- run `$ make build` to build the library
-- run `$ make watch` to watch for changes and rebuild the library
-- run `$ make test` to run tests using tap
-- run `$ make end2end` to run end-to-end tests using tap
-- run `$ make lint` to run ESLint
+- run `$ npm install` to install dependencies
+- run `$ npm run build` to build the library
+- run `$ npm run watch` to watch for changes and rebuild the library
+- run `$ npm t` to run tests using tap
+- run `$ npm run end2end` to run end-to-end tests using tap
+- run `$ npm run lint` to run ESLint
 
 ## Styleguides
 

.github/workflows/benchmark.yml

@@ -3,7 +3,7 @@ on:
   push: {}
   workflow_call: {}
 jobs:
-  build:
+  benchmark:
     runs-on: ubuntu-latest
     services:
       mongodb:
@@ -24,30 +24,39 @@ jobs:
     timeout-minutes: 10
     strategy:
       matrix:
-        node-version: [18.x]
+        node-version: [20.x, 24.x]
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
       - name: Install K6
-        uses: grafana/setup-k6-action@v1
+        uses: grafana/setup-k6-action@ffe7d7290dfa715e48c2ccc924d068444c94bde2 # v1
       - name: Install wrk
         run: |
           sudo apt-get update
           sudo apt-get install -y wrk
-      - run: make install
-      - run: make build
+      - run: npm install
+      - run: npm run build
       - name: Run NoSQL Injection Benchmark
-        run: cd benchmarks/nosql-injection && AIKIDO_CI=true node --preserve-symlinks benchmark.js
+        run: cd benchmarks/nosql-injection && AIKIDO_CI=true node benchmark.js
       - name: Run SQL Injection Benchmark
-        run: cd benchmarks/sql-injection && node --preserve-symlinks benchmark.js
+        run: cd benchmarks/sql-injection && node benchmark.js
       - name: Run shell injection Benchmark
-        run: cd benchmarks/shell-injection && node --preserve-symlinks benchmark.js
+        run: cd benchmarks/shell-injection && node benchmark.js
       - name: Run Hono with Postgres Benchmark
-        run: cd benchmarks/hono-pg && node --preserve-symlinks benchmark.js
+        # Skip on Node 24.x due to a bug: https://github.com/honojs/node-server/issues/240
+        if: matrix.node-version != '24.x'
+        run: cd benchmarks/hono-pg && node benchmark.js
       - name: Run API Discovery Benchmark
-        run: cd benchmarks/api-discovery && node --preserve-symlinks benchmark.js
+        run: cd benchmarks/api-discovery && node benchmark.js
       - name: Run Express Benchmark
-        run: cd benchmarks/express && node --preserve-symlinks benchmark.js
+        # Skip on Node 24.x because benchmark currently fails.
+        # Big performance improve in comparison to older Node.js versions, but higher difference between usage with and without Zen
+        if: matrix.node-version != '24.x'
+        run: cd benchmarks/express && node benchmark.js
+      - name: Check Rate Limiter memory usage
+        run: cd benchmarks/rate-limiting && node --expose-gc memory.js

.github/workflows/build-and-release.yml

@@ -21,22 +21,22 @@ jobs:
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: "18.x"
           registry-url: "https://registry.npmjs.org"
           scope: "@aikidosec"
       - name: Install dependencies
-        run: make install
+        run: npm run install-lib-only
       - name: Get the version
         id: get_version
         run: echo "tag=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
       - name: Set the version
         run: cd library && npm --no-git-tag-version version ${{ steps.get_version.outputs.tag }}
       - name: Build the library
-        run: make build
+        run: npm run build
       - name: Linting
-        run: make lint
+        run: npm run lint
       - name: Publish to NPM
         run: |
           if [ "${{ github.event.release.prerelease }}" = "true" ]; then

.github/workflows/end-to-end-tests.yml

@@ -3,7 +3,7 @@ on:
   push: {}
   workflow_call: {}
 jobs:
-  build:
+  test:
     runs-on: ubuntu-latest
     services:
       mongodb:
@@ -52,15 +52,17 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
       - name: Add local.aikido.io to /etc/hosts
         run: |
           sudo echo "127.0.0.1 local.aikido.io" | sudo tee -a /etc/hosts
       - name: Build and run server
         run: |
           cd end2end/server && docker build -t server . && docker run -d -p 5874:3000 server
-      - run: make install
-      - run: make build
-      - run: make end2end
+      - run: npm install
+      - run: npm run build
+      - run: npm run end2end

.github/workflows/lint-code.yml

@@ -1,17 +1,20 @@
 name: Lint code
 on: push
 jobs:
-  build:
+  lint:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     strategy:
       matrix:
         node-version: [18.x]
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-      - run: make install
-      - run: make build
-      - run: make lint
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
+      - run: npm run install-lib-only
+      - run: npm run build
+      - run: npm run lint

.github/workflows/unit-test.yml

@@ -3,7 +3,7 @@ on:
   push: {}
   workflow_call: {}
 jobs:
-  build:
+  test:
     runs-on: ubuntu-latest
     services:
       s3:
@@ -51,26 +51,39 @@ jobs:
           "CLICKHOUSE_DEFAULT_ACCESS": "MANAGEMENT=1"
         ports:
           - "27019:8123"
+      mongodb-replica:
+        image: bitnami/mongodb:8.0
+        env:
+          MONGODB_ADVERTISED_HOSTNAME: 127.0.0.1
+          MONGODB_REPLICA_SET_MODE: primary
+          MONGODB_ROOT_USER: root
+          MONGODB_ROOT_PASSWORD: password
+          MONGODB_REPLICA_SET_KEY: replicasetkey123
+        ports:
+          - "27020:27017"
     strategy:
       fail-fast: false
       matrix:
-        node-version: [16.x, 18.x, 20.x, 22.x, 23.x]
+        node-version: [16.x, 18.x, 20.x, 22.x, 24.x]
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
       - name: Add local.aikido.io to /etc/hosts
         run: |
           sudo echo "127.0.0.1 local.aikido.io" | sudo tee -a /etc/hosts
-      - run: make install
-      - run: make build
-      - run: make test-ci
+      - run: npm run install-lib-only
+      - run: npm run build
+      - run: npm run test:ci
       - name: "Upload coverage"
-        uses: codecov/codecov-action@v4.0.1
+        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5
         with:
-          file: ./library/.tap/report/lcov.info
+          files: ./library/.tap/report/lcov.info
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
           slug: AikidoSec/firewall-node

.nvmrc

@@ -1 +1 @@
-20.11
+22.12