@abtnode/router-provider 1.16.43-beta-20250427-232837-e671de06 → 1.16.43-beta-20250430-124448-4edc5502

@@ -207,9 +207,7 @@ SecRule REQUEST_FILENAME "@endsWith /api/gql" \
207
207
  nolog,\
208
208
  chain"
209
209
  SecRule REQUEST_METHOD "@pm POST" \
210
- "ctl:ruleRemoveByTag=attack-rce,\
211
- ctl:ruleRemoveById=930120,\
212
- ctl:ruleRemoveById=921110"
210
+ "ctl:ruleEngine=Off"
213
211
 
214
212
  # Disable some rules for websocket endpoint for blocklet server and service
215
213
  SecRule REQUEST_FILENAME "@endsWith /websocket" \
@@ -257,9 +255,7 @@ SecRule REQUEST_FILENAME "@endsWith /app-records.txt" \
257
255
  nolog,\
258
256
  chain"
259
257
  SecRule REQUEST_METHOD "@pm PUT" \
260
- "ctl:ruleRemoveById=942550,\
261
- ctl:ruleRemoveById=942151,\
262
- ctl:ruleRemoveById=934110"
258
+ "ctl:ruleEngine=Off"
263
259
 
264
260
  # Fix: did resolver false positive
265
261
  SecRule REQUEST_FILENAME "@contains /.well-known/did-resolver/resolve" \
@@ -309,10 +305,7 @@ SecRule REQUEST_FILENAME "@contains /api/space/" \
309
305
  nolog,\
310
306
  chain"
311
307
  SecRule REQUEST_METHOD "@pm PUT PATCH DELETE POST" \
312
- "ctl:ruleRemoveByTag=attack-rce,\
313
- ctl:ruleRemoveByTag=attack-xss,\
314
- ctl:ruleRemoveByTag=attack-protocol,\
315
- ctl:ruleRemoveByTag=language-php"
308
+ "ctl:ruleEngine=Off"
316
309
 
317
310
  # Fix: blocklet store upload false positive
318
311
  SecRule REQUEST_FILENAME "@endsWith /api/blocklets/upload" \
@@ -366,3 +359,33 @@ SecRule REQUEST_FILENAME "@endsWith /profile.vcf" \
366
359
  chain"
367
360
  SecRule REQUEST_METHOD "@pm GET" \
368
361
  "ctl:ruleRemoveById=930130"
362
+
363
+ # Fix: pages-kit data-source false positive
364
+ SecRule REQUEST_FILENAME "@contains /api/data-sources/" \
365
+ "id:1021,\
366
+ phase:1,\
367
+ pass,\
368
+ nolog,\
369
+ chain"
370
+ SecRule REQUEST_METHOD "@pm POST PUT" \
371
+ "ctl:ruleEngine=Off"
372
+
373
+ # Fix: payment-kit webhook false positive
374
+ SecRule REQUEST_FILENAME "@endsWith /api/integrations/stripe/webhook" \
375
+ "id:1022,\
376
+ phase:1,\
377
+ pass,\
378
+ nolog,\
379
+ chain"
380
+ SecRule REQUEST_METHOD "@pm POST" \
381
+ "ctl:ruleEngine=Off"
382
+
383
+ # Fix: discuss-kit bookmark false positive
384
+ SecRule REQUEST_FILENAME "@endsWith /api/comments" \
385
+ "id:1023,\
386
+ phase:1,\
387
+ pass,\
388
+ nolog,\
389
+ chain"
390
+ SecRule REQUEST_METHOD "@pm POST" \
391
+ "ctl:ruleRemoveById=921110"
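Review bot: `ctl:ruleEngine=Off` in the `/api/gql`, `/app-records.txt` and `/api/space/` chains, and in the new rules 1021 and 1022, turns off every ModSecurity rule for the matching request, where the removed lines excluded only the specific ids and tags that had produced false positives. Requests to these write endpoints are then not inspected at all, and because the parent rules carry `nolog` the match that grants the exemption is not logged either. Rule 1023 in this same change shows the narrower form, `ctl:ruleRemoveById=921110`; the other rules should keep that shape, or use `ctl:ruleEngine=DetectionOnly` so hits are still recorded while the false positives are triaged. The `@contains /api/data-sources/` match in rule 1021 also applies to any path containing that segment, so anchoring it to the intended mount point would limit the exemption. The first three chains start above their hunks, so their ids and phases are not visible here.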
@@ -209,12 +209,15 @@ class NginxProvider extends BaseProvider {
209
209
  conf.nginx.http._add('server_tokens', 'off');
210
210
  this._addCommonResHeaders(conf.nginx.http, commonHeaders);
211
211
  this._addExposeServices(conf, services);
212
- if (requestLimit && requestLimit.enabled) {
212
+
213
+ if (requestLimit) {
213
214
  this.requestLimit = requestLimit;
214
215
  this.addRequestLimiting(conf.nginx.http, requestLimit);
215
216
  }
216
- if (blockPolicy && blockPolicy?.enabled) {
217
- this.updateBlacklist(blockPolicy.blacklist);
217
+ if (blockPolicy) {
218
+ this.updateBlacklist(blockPolicy.enabled ? blockPolicy.blacklist : []);
219
+ } else {
220
+ this.updateBlacklist([]);
218
221
  }
219
222
  this.updateProxyPolicy(proxyPolicy);
220
223
 
@@ -835,7 +838,10 @@ class NginxProvider extends BaseProvider {
835
838
  _getLastLocation(server) {
836
839
  const location = server.location.length ? server.location[server.location.length - 1] : server.location;
837
840
  if (location && this.requestLimit?.enabled && !location.toString().includes('limit_req')) {
838
- location._add('limit_req', `zone=ip_rate_limit burst=${this.requestLimit.burst} delay=10`);
841
+ location._add(
842
+ 'limit_req',
843
+ `zone=ip_rate_limit burst=${this.requestLimit.burst} ${this.requestLimit.burstDelay > 0 ? `delay=${this.requestLimit.burstDelay}` : 'nodelay'}`
844
+ );
839
845
  location._add('limit_req', `zone=global_rate_limit burst=${this.requestLimit.burstGlobal} nodelay`);
840
846
  }
841
847
 
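Review bot: In `_getLastLocation`, a `requestLimit` object without a `burstDelay` field (or with a non-numeric one) now yields `nodelay`, whereas the removed line always emitted `delay=10`; unless a default is applied somewhere outside this hunk, existing configurations stop delaying excess requests within the `ip_rate_limit` burst after upgrade. The value is also written into the nginx directive without an integer check, so a fractional `burstDelay` would pass `> 0` and produce a `limit_req` line that nginx is likely to reject. Normalising first, e.g. `const burstDelay = Number.isInteger(this.requestLimit.burstDelay) ? this.requestLimit.burstDelay : 10;`, keeps the old default and makes `0` the explicit way to ask for `nodelay`. In the first hunk, `if (requestLimit)` has no `else`, so `this.requestLimit` keeps its previous value when the argument is absent, unlike the `blockPolicy` branch which now clears the blacklist; both enclosing methods extend beyond their hunks.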
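--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@abtnode/router-provider",
- "version": "1.16.43-beta-20250427-232837-e671de06",
+ "version": "1.16.43-beta-20250430-124448-4edc5502",
  "description": "Routing engine implementations for abt node",
  "author": "polunzh <polunzh@gmail.com>",
  "homepage": "https://github.com/ArcBlock/blocklet-server#readme",
@@ -32,10 +32,10 @@
  "url": "https://github.com/ArcBlock/blocklet-server/issues"
  },
  "dependencies": {
- "@abtnode/constant": "1.16.43-beta-20250427-232837-e671de06",
- "@abtnode/logger": "1.16.43-beta-20250427-232837-e671de06",
- "@abtnode/router-templates": "1.16.43-beta-20250427-232837-e671de06",
- "@abtnode/util": "1.16.43-beta-20250427-232837-e671de06",
+ "@abtnode/constant": "1.16.43-beta-20250430-124448-4edc5502",
+ "@abtnode/logger": "1.16.43-beta-20250430-124448-4edc5502",
+ "@abtnode/router-templates": "1.16.43-beta-20250430-124448-4edc5502",
+ "@abtnode/util": "1.16.43-beta-20250430-124448-4edc5502",
  "@arcblock/http-proxy": "^1.19.1",
  "@arcblock/is-valid-domain": "^1.0.5",
  "axios": "^1.7.9",
@@ -61,5 +61,5 @@
  "bluebird": "^3.7.2",
  "fs-extra": "^11.2.0"
  },
- "gitHead": "3644f271b67d5ebaa7a8b852173860a005f1d057"
+ "gitHead": "9b59264b5dc2c9450161be5a0ee4cdb981687cd7"
  }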