Merge pull request #12 from Reloadly/enable-user-specified-block-lists

Arun Patra · web-flow · commit b62c2d430e0d · 2023-02-16T14:44:12.000+05:30
Enable user specified block lists.
diff --git a/.gitignore b/.gitignore
@@ -26,3 +26,4 @@ node_modules/
 *.tgz
 
 lib
+*.iml
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@prizemates/http-firewall",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "HTTP Firewall based on Spring Security HttpFirewall",
   "private": false,
   "main": "./lib/index.js",
diff --git a/src/__tests__/strict-http-firewall.tests.ts b/src/__tests__/strict-http-firewall.tests.ts
@@ -147,6 +147,24 @@ describe('HttpStrictFirewall test suite', () => {
       expect(res.statusCode).toBe(403);
     });
 
+    it('Should reject request when user provided decoded url block list is provided', async () => {
+      const app = express();
+
+      const options: HttpFirewallOptions = {decodedUrlBlockList : ['.exe', '.pl']};
+      app.use(httpFirewall(options));
+      const res = await request(app).get('/test/some-file.exe').set('Content-Type', 'application/json');
+      expect(res.statusCode).toBe(403);
+    });
+
+    it('Should reject request when user provided encoded url block list is provided', async () => {
+      const app = express();
+
+      const options: HttpFirewallOptions = {encodedUrlBlockList : ['.exe', '.pl']};
+      app.use(httpFirewall(options));
+      const res = await request(app).get('/test/some-file.exe').set('Content-Type', 'application/json');
+      expect(res.statusCode).toBe(403);
+    });
+
     it('Should allow encoded period when permitted', async () => {
       const app = express();
 
diff --git a/src/strict-http-firewall.ts b/src/strict-http-firewall.ts
@@ -139,6 +139,14 @@ class StrictHttpFirewall {
       if (options.allowedHostnames !== undefined) {
         this.allowedHostnames = options.allowedHostnames;
       }
+
+      if (options.decodedUrlBlockList !== undefined && options.decodedUrlBlockList.length !== 0) {
+        this.decodedUrlBlocklist.push(... options.decodedUrlBlockList);
+      }
+
+      if (options.encodedUrlBlockList !== undefined && options.encodedUrlBlockList.length !== 0) {
+        this.encodedUrlBlocklist.push(... options.encodedUrlBlockList);
+      }
     }
   }
 
diff --git a/src/types/firewall.models.ts b/src/types/firewall.models.ts
@@ -231,4 +231,16 @@ export interface HttpFirewallOptions {
    * Default is false
    */
   logToConsole?: boolean;
+
+  /**
+   * A list of strings that are considered malicious in URLs. If these strings are found in the request URL, the
+   * request will be rejected.
+   */
+  decodedUrlBlockList?: string[];
+
+  /**
+   * A list of strings that are considered malicious in encoded URLs. If these strings are found in the request URL, the
+   * request will be rejected.
+   */
+  encodedUrlBlockList?: string[];
 }

Original file line number	Diff line number	Diff line change
`@@ -26,3 +26,4 @@ node_modules/`
`26`	`26`	`*.tgz`
`27`	`27`
`28`	`28`	`lib`
	`29`	`+*.iml`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@prizemates/http-firewall",`
`3`		`- "version": "1.0.2",`
	`3`	`+ "version": "1.0.3",`
`4`	`4`	`"description": "HTTP Firewall based on Spring Security HttpFirewall",`
`5`	`5`	`"private": false,`
`6`	`6`	`"main": "./lib/index.js",`
Original file line number	Diff line number	Diff line change
`@@ -139,6 +139,14 @@ class StrictHttpFirewall {`
`139`	`139`	`if (options.allowedHostnames !== undefined) {`
`140`	`140`	`this.allowedHostnames = options.allowedHostnames;`
`141`	`141`	`}`
	`142`	`+`
	`143`	`+ if (options.decodedUrlBlockList !== undefined && options.decodedUrlBlockList.length !== 0) {`
	`144`	`+ this.decodedUrlBlocklist.push(... options.decodedUrlBlockList);`
	`145`	`+ }`
	`146`	`+`
	`147`	`+ if (options.encodedUrlBlockList !== undefined && options.encodedUrlBlockList.length !== 0) {`
	`148`	`+ this.encodedUrlBlocklist.push(... options.encodedUrlBlockList);`
	`149`	`+ }`
`142`	`150`	`}`
`143`	`151`	`}`
`144`	`152`