Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Never block bypass IP #506

Merged
merged 8 commits into from
Jan 27, 2025
Merged
Changes from 7 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
96 changes: 76 additions & 20 deletions end2end/tests/hono-xml-blocklists.test.js
Original file line number Diff line number Diff line change
@@ -14,22 +14,30 @@ t.beforeEach(async () => {
const body = await response.json();
token = body.token;

// Apply rate limiting
const updateConfigResponse = await fetch(
`${testServerUrl}/api/runtime/firewall/lists`,
{
method: "POST",
headers: {
"Content-Type": "application/json",
Authorization: token,
},
body: JSON.stringify({
blockedIPAddresses: ["1.3.2.0/24", "fe80::1234:5678:abcd:ef12/64"],
blockedUserAgents: "hacker|attacker|GPTBot",
}),
}
);
t.same(updateConfigResponse.status, 200);
const config = await fetch(`${testServerUrl}/api/runtime/config`, {
method: "POST",
headers: {
"Content-Type": "application/json",
Authorization: token,
},
body: JSON.stringify({
allowedIPAddresses: ["1.3.2.1"],
}),
});
t.same(config.status, 200);

const lists = await fetch(`${testServerUrl}/api/runtime/firewall/lists`, {
method: "POST",
headers: {
"Content-Type": "application/json",
Authorization: token,
},
body: JSON.stringify({
blockedIPAddresses: ["1.3.2.0/24", "fe80::1234:5678:abcd:ef12/64"],
blockedUserAgents: "hacker|attacker|GPTBot",
}),
});
t.same(lists.status, 200);
});

t.test("it blocks geo restricted IPs", (t) => {
@@ -48,7 +56,7 @@ t.test("it blocks geo restricted IPs", (t) => {
});

server.on("error", (err) => {
t.fail(err.message);
t.fail(err);
});

let stdout = "";
@@ -107,7 +115,7 @@ t.test("it blocks geo restricted IPs", (t) => {
t.same(await resp3.text(), JSON.stringify({ success: true }));
})
.catch((error) => {
t.fail(error.message);
t.fail(error);
})
.finally(() => {
server.kill();
@@ -130,7 +138,7 @@ t.test("it blocks bots", (t) => {
});

server.on("error", (err) => {
t.fail(err.message);
t.fail(err);
});

let stdout = "";
@@ -190,7 +198,55 @@ t.test("it blocks bots", (t) => {
}
})
.catch((error) => {
t.fail(error.message);
t.fail(error);
})
.finally(() => {
server.kill();
});
});

t.test("it does not block bypass IP if in blocklist", (t) => {
const server = spawn(`node`, [pathToApp, "4004"], {
env: {
...process.env,
AIKIDO_DEBUG: "true",
AIKIDO_BLOCKING: "true",
AIKIDO_TOKEN: token,
AIKIDO_URL: testServerUrl,
},
});

server.on("close", () => {
t.end();
});

server.on("error", (err) => {
t.fail(err);
});

let stdout = "";
server.stdout.on("data", (data) => {
stdout += data.toString();
});

let stderr = "";
server.stderr.on("data", (data) => {
stderr += data.toString();
});

// Wait for the server to start
timeout(2000)
.then(async () => {
const resp1 = await fetch("http://127.0.0.1:4004/", {
headers: {
"X-Forwarded-For": "1.3.2.1",
},
signal: AbortSignal.timeout(5000),
});
t.same(resp1.status, 200);
})
.catch((error) => {
t.fail(error);
})
.finally(() => {
server.kill();
9 changes: 9 additions & 0 deletions library/sources/http-server/checkIfRequestIsBlocked.ts
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
/* eslint-disable max-lines-per-function */
import type { ServerResponse } from "http";
import { Agent } from "../../agent/Agent";
import { getContext } from "../../agent/Context";
@@ -25,6 +26,14 @@ export function checkIfRequestIsBlocked(
return false;
}

const isAllowedIP =
context.remoteAddress &&
agent.getConfig().isAllowedIP(context.remoteAddress);

if (isAllowedIP) {
return false;
willem-delbare marked this conversation as resolved.
Show resolved Hide resolved
}

const result = context.remoteAddress
? agent.getConfig().isIPAddressBlocked(context.remoteAddress)
: ({ blocked: false } as const);
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -8,7 +8,7 @@
"scripts": {
"install": "node scripts/install.js",
"install-lib-only": "node scripts/install.js --lib-only",
"containers": "cd sample-apps && docker compose up -d --remove-orphans",
"containers": "cd sample-apps && docker compose up -d --remove-orphans --build",
"build": "node scripts/build.js",
"watch": "cd library && npm run build:watch",
"test": "cd library && npm run test",
Loading