@anomira/node-sdk 0.2.6 → 0.2.7

package/dist/index.cjs

@@ -399,6 +399,8 @@ var EventName = {
   RATE_LIMIT: "http.ratelimit.exceeded",
   XSS_DETECTED: "http.xss.detected",
   PATH_TRAVERSAL: "http.path.traversal",
+  SSRF_ATTEMPT: "http.ssrf.attempt",
+  JWT_MANIPULATION: "http.jwt.manipulation",
   SCAN_DETECTED: "http.scan.detected",
   IDOR_ATTEMPT: "user.idor.attempt",
   SQL_ERROR: "db.sql.error",
@@ -622,6 +624,261 @@ function str(v) {
   if (v === void 0) return "";
   return Array.isArray(v) ? v[0] ?? "" : v;
 }
+
+// src/ssrf.ts
+var URL_PARAM_PATTERN = /^(url|uri|path|link|next|target|src|href|redirect|redirecturl|returnurl|successurl|callback|fetch|image|imageurl|avatar|photo|webhook|endpoint|to|host|domain|site|page|file|load|open|download|import|include|embed|source|proxy|destination|dest|resource|location|goto|return|referer|origin|remote|ping|pull)$/i;
+var DANGEROUS_SCHEMES = /* @__PURE__ */ new Set([
+  "file",
+  "gopher",
+  "dict",
+  "ftp",
+  "sftp",
+  "ldap",
+  "ldaps",
+  "netdoc",
+  "jar",
+  "mailto",
+  "telnet",
+  "tftp",
+  "finger"
+]);
+function intToIp(n) {
+  return [
+    n >>> 24 & 255,
+    n >>> 16 & 255,
+    n >>> 8 & 255,
+    n & 255
+  ].join(".");
+}
+function parseOctet(s) {
+  s = s.trim();
+  if (/^0x[0-9a-fA-F]+$/.test(s)) return parseInt(s, 16);
+  if (/^0[0-9]+$/.test(s)) return parseInt(s, 8);
+  if (/^[0-9]+$/.test(s)) return parseInt(s, 10);
+  return null;
+}
+function normalizeIp(hostname) {
+  const h = hostname.trim().toLowerCase();
+  const v6mapped = h.match(/^(?:::ffff:)([0-9a-f]{1,4}:[0-9a-f]{1,4})$/i) ?? h.match(/^(?:0{0,4}:){5}ffff:(\d+\.\d+\.\d+\.\d+)$/i);
+  if (v6mapped?.[1]) {
+    const parts2 = v6mapped[1].split(":");
+    if (parts2.length === 2) {
+      const hi = parseInt(parts2[0], 16);
+      const lo = parseInt(parts2[1], 16);
+      if (!isNaN(hi) && !isNaN(lo)) return intToIp(hi << 16 | lo);
+    }
+    return normalizeIp(v6mapped[1]);
+  }
+  if (h === "::1" || h === "0:0:0:0:0:0:0:1") return "127.0.0.1";
+  if (/^0x[0-9a-f]+$/i.test(h)) {
+    const n = parseInt(h, 16);
+    if (!isNaN(n) && n >= 0 && n <= 4294967295) return intToIp(n);
+  }
+  if (/^\d+$/.test(h)) {
+    const n = parseInt(h, 10);
+    if (!isNaN(n) && n >= 0 && n <= 4294967295) return intToIp(n);
+  }
+  const parts = h.split(".");
+  if (parts.length >= 1 && parts.length <= 4) {
+    const octets = [];
+    for (const p of parts) {
+      const v = parseOctet(p);
+      if (v === null || v < 0 || v > 255) break;
+      octets.push(v);
+    }
+    if (octets.length === 4) return octets.join(".");
+    if (octets.length === 2) return `${octets[0]}.0.0.${octets[1]}`;
+  }
+  return null;
+}
+function ipToInt(ip) {
+  const parts = ip.split(".").map(Number);
+  return (parts[0] << 24 | parts[1] << 16 | parts[2] << 8 | parts[3]) >>> 0;
+}
+var PRIVATE_RANGES2 = [
+  { start: ipToInt("0.0.0.0"), end: ipToInt("0.255.255.255"), label: "unspecified" },
+  { start: ipToInt("10.0.0.0"), end: ipToInt("10.255.255.255"), label: "private-10" },
+  { start: ipToInt("100.64.0.0"), end: ipToInt("100.127.255.255"), label: "carrier-nat" },
+  { start: ipToInt("127.0.0.0"), end: ipToInt("127.255.255.255"), label: "loopback" },
+  { start: ipToInt("169.254.0.0"), end: ipToInt("169.254.255.255"), label: "link-local" },
+  // AWS/GCP metadata lives here
+  { start: ipToInt("172.16.0.0"), end: ipToInt("172.31.255.255"), label: "private-172" },
+  { start: ipToInt("192.0.0.0"), end: ipToInt("192.0.0.255"), label: "iana-special" },
+  // Oracle Cloud metadata
+  { start: ipToInt("192.168.0.0"), end: ipToInt("192.168.255.255"), label: "private-192" },
+  { start: ipToInt("198.18.0.0"), end: ipToInt("198.19.255.255"), label: "benchmark" },
+  { start: ipToInt("240.0.0.0"), end: ipToInt("255.255.255.255"), label: "reserved" },
+  // Specific cloud metadata endpoints not covered by ranges above
+  { start: ipToInt("100.100.100.200"), end: ipToInt("100.100.100.200"), label: "alibaba-metadata" },
+  { start: ipToInt("168.63.129.16"), end: ipToInt("168.63.129.16"), label: "azure-metadata" }
+];
+function isPrivateIp2(ip) {
+  const n = ipToInt(ip);
+  for (const range of PRIVATE_RANGES2) {
+    if (n >= range.start && n <= range.end) return { private: true, label: range.label };
+  }
+  return { private: false, label: "" };
+}
+var INTERNAL_HOSTNAMES = /* @__PURE__ */ new Set([
+  "localhost",
+  "local",
+  "localdomain",
+  "metadata",
+  "metadata.google.internal",
+  "169.254.169.254",
+  // canonical — also caught by range check
+  "instance-data"
+  // AWS internal alias
+]);
+function checkUrl(rawUrl, fieldName) {
+  if (!rawUrl.includes("://") && !rawUrl.startsWith("//")) return null;
+  let parsed;
+  try {
+    const withScheme = rawUrl.startsWith("//") ? `https:${rawUrl}` : rawUrl;
+    parsed = new URL(withScheme);
+  } catch {
+    return null;
+  }
+  const scheme = parsed.protocol.replace(":", "").toLowerCase();
+  const hostname = parsed.hostname.toLowerCase().replace(/\[|\]/g, "");
+  if (DANGEROUS_SCHEMES.has(scheme)) {
+    return { detected: true, payload: rawUrl, field: fieldName, reason: `dangerous-scheme:${scheme}` };
+  }
+  if (scheme !== "http" && scheme !== "https") return null;
+  if (INTERNAL_HOSTNAMES.has(hostname)) {
+    return { detected: true, payload: rawUrl, field: fieldName, reason: `internal-hostname:${hostname}` };
+  }
+  const normalized = normalizeIp(hostname);
+  if (normalized) {
+    const { private: isPrivate, label } = isPrivateIp2(normalized);
+    if (isPrivate) {
+      return { detected: true, payload: rawUrl, field: fieldName, reason: `private-ip:${label}` };
+    }
+  }
+  return null;
+}
+function scanForSsrf(body, query) {
+  const candidates = [];
+  for (const [key, val] of Object.entries(query)) {
+    if (!URL_PARAM_PATTERN.test(key)) continue;
+    const v = Array.isArray(val) ? val[0] : val;
+    if (typeof v === "string" && v.length > 0) candidates.push({ name: key, value: v });
+  }
+  if (body && typeof body === "object" && !Array.isArray(body)) {
+    const flat = body;
+    for (const [key, val] of Object.entries(flat)) {
+      if (!URL_PARAM_PATTERN.test(key)) continue;
+      if (typeof val === "string" && val.length > 0) candidates.push({ name: key, value: val });
+    }
+  }
+  for (const { name, value } of candidates) {
+    const signal = checkUrl(value, name);
+    if (signal) return signal;
+  }
+  return null;
+}
+
+// src/jwt-detect.ts
+var STANDARD_ALGORITHMS = /* @__PURE__ */ new Set([
+  // HMAC (symmetric)
+  "HS256",
+  "HS384",
+  "HS512",
+  // RSA PKCS#1 (asymmetric)
+  "RS256",
+  "RS384",
+  "RS512",
+  // ECDSA (asymmetric)
+  "ES256",
+  "ES384",
+  "ES512",
+  // RSA-PSS (asymmetric)
+  "PS256",
+  "PS384",
+  "PS512",
+  // Edwards-curve (RFC 8037)
+  "EdDSA"
+]);
+var HMAC_ALGORITHMS = /* @__PURE__ */ new Set(["HS256", "HS384", "HS512"]);
+var MAX_HMAC_SIG_LENGTH = 128;
+function decodeBase64Url(s) {
+  const padded = s.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = (4 - padded.length % 4) % 4;
+  return Buffer.from(padded + "=".repeat(pad), "base64").toString("utf8");
+}
+function analyseJwt(token) {
+  const clean = token.trim();
+  const parts = clean.split(".");
+  if (parts.length < 3 || parts[2] === "") {
+    return {
+      detected: true,
+      attack: "missing_signature",
+      alg: null,
+      detail: `JWT has ${parts.length} segment(s) \u2014 signature is missing or empty.`
+    };
+  }
+  let header;
+  try {
+    header = JSON.parse(decodeBase64Url(parts[0]));
+  } catch {
+    return { detected: false, attack: null, alg: null, detail: "" };
+  }
+  const alg = typeof header["alg"] === "string" ? header["alg"] : null;
+  if (!alg) {
+    return { detected: false, attack: null, alg: null, detail: "" };
+  }
+  if (alg.toLowerCase() === "none") {
+    return {
+      detected: true,
+      attack: "alg_none",
+      alg,
+      detail: `JWT header specifies alg="${alg}" \u2014 server told to skip signature verification.`
+    };
+  }
+  if (!STANDARD_ALGORITHMS.has(alg)) {
+    return {
+      detected: true,
+      attack: "unknown_algorithm",
+      alg,
+      detail: `JWT header specifies non-standard alg="${alg}" \u2014 not in RFC 7518 algorithm set.`
+    };
+  }
+  if (HMAC_ALGORITHMS.has(alg) && parts[2].length > MAX_HMAC_SIG_LENGTH) {
+    return {
+      detected: true,
+      attack: "algorithm_confusion",
+      alg,
+      detail: `JWT claims ${alg} (HMAC) but signature is ${parts[2].length} chars \u2014 characteristic of RSA key used as HMAC secret (algorithm confusion attack).`
+    };
+  }
+  return { detected: false, attack: null, alg, detail: "" };
+}
+function scanRequestForJwtAttacks(headers, body, query) {
+  const candidates = [];
+  const auth = headers["authorization"];
+  const authStr = Array.isArray(auth) ? auth[0] : auth;
+  if (typeof authStr === "string" && authStr.toLowerCase().startsWith("bearer ")) {
+    candidates.push(authStr.slice(7).trim());
+  }
+  const TOKEN_FIELDS = /* @__PURE__ */ new Set(["token", "jwt", "access_token", "accessToken", "id_token", "idToken", "refresh_token", "refreshToken"]);
+  if (body && typeof body === "object" && !Array.isArray(body)) {
+    for (const [key, val] of Object.entries(body)) {
+      if (TOKEN_FIELDS.has(key) && typeof val === "string" && val.includes(".")) {
+        candidates.push(val);
+      }
+    }
+  }
+  for (const field of ["token", "jwt", "access_token"]) {
+    const val = query[field];
+    const str2 = Array.isArray(val) ? val[0] : val;
+    if (typeof str2 === "string" && str2.includes(".")) candidates.push(str2);
+  }
+  for (const token of candidates) {
+    const result = analyseJwt(token);
+    if (result.detected) return result;
+  }
+  return null;
+}
 function detectHoneypotType(path) {
   const p = path.toLowerCase().split("?")[0] ?? path.toLowerCase();
   if (/\/\.env(\.[\w]+)?$/.test(p) || p.endsWith("/.env")) return "env_file";
@@ -1314,7 +1571,7 @@ var AnomiraClient = class {
         service: "app",
         getUserId: defaultGetUserId,
         getIp: defaultGetIp,
-        detect: { bruteForce: true, rateAbuse: true, pathTraversal: true, xss: true, scanDetection: true, geoVelocity: true },
+        detect: { bruteForce: true, rateAbuse: true, pathTraversal: true, xss: true, scanDetection: true, geoVelocity: true, ssrf: true, jwtManipulation: true },
         autoBlock: { enabled: true, communityThreshold: 85 }
       };
       this.buffer = new EventBuffer({ appId: "", apiKey: "", ingestUrl: DEFAULT_INGEST_URL, maxBatchSize: 0, flushIntervalMs: 999999999, maxRetries: 0, debug: false });
@@ -1339,7 +1596,9 @@ var AnomiraClient = class {
         pathTraversal: config.detect?.pathTraversal ?? true,
         xss: config.detect?.xss ?? true,
         scanDetection: config.detect?.scanDetection ?? true,
-        geoVelocity: config.detect?.geoVelocity ?? true
+        geoVelocity: config.detect?.geoVelocity ?? true,
+        ssrf: config.detect?.ssrf ?? true,
+        jwtManipulation: config.detect?.jwtManipulation ?? true
       },
       autoBlock: {
         enabled: config.autoBlock?.enabled ?? true,
@@ -1696,7 +1955,7 @@ var AnomiraClient = class {
     if (this.disabled) return;
     const ctx = requestContext.getStore();
     const resolvedIp = data.ip && data.ip !== "0.0.0.0" && data.ip !== "" ? data.ip : ctx?.ip ?? "0.0.0.0";
-    if (this.config.debug && data.ip && isPrivateIp2(data.ip)) {
+    if (this.config.debug && data.ip && isPrivateIp3(data.ip)) {
       this._origWarn(
         `[Anomira] Warning: track() received a private/loopback IP "${data.ip}" for event "${eventName}". Behind a reverse proxy, req.ip is the proxy's address \u2014 use sentinel.getClientIp(req) instead.`
       );
@@ -1935,13 +2194,13 @@ function pickId(obj) {
   obj["accountId"] ?? obj["account_id"] ?? obj["customerId"] ?? obj["customer_id"];
   return typeof id === "string" && id.length > 0 ? id : void 0;
 }
-function normalizeIp(raw) {
+function normalizeIp2(raw) {
   if (raw === "::1") return "127.0.0.1";
   if (raw === "::ffff:127.0.0.1") return "127.0.0.1";
   if (raw.startsWith("::ffff:")) return raw.slice(7);
   return raw;
 }
-function isPrivateIp2(ip) {
+function isPrivateIp3(ip) {
   return ip === "127.0.0.1" || ip === "::1" || ip === "0.0.0.0" || ip.startsWith("10.") || ip.startsWith("192.168.") || /^172\.(1[6-9]|2\d|3[01])\./.test(ip);
 }
 function defaultGetIp(req) {
@@ -1961,7 +2220,7 @@ function defaultGetIp(req) {
   firstHdr("x-client-ip") ?? // Generic reverse proxies
   firstHdr("x-cluster-client-ip") ?? // Cluster / k8s ingress
   r["socket"]?.remoteAddress ?? "0.0.0.0";
-  return normalizeIp(ip);
+  return normalizeIp2(ip);
 }
 function sendFakeResponse(res, fakeResponse) {
   const allHeaders = {
@@ -2204,6 +2463,31 @@ function createExpressMiddleware(client) {
         client.track(EventName.XSS_DETECTED, { ip, userId, meta: { url, method } });
       }
     }
+    if (client.config.detect.ssrf) {
+      const query = req["query"] ?? {};
+      const body = req["body"] ?? {};
+      const signal = scanForSsrf(body, query);
+      if (signal) {
+        client.track(EventName.SSRF_ATTEMPT, {
+          ip,
+          userId,
+          meta: { url, method, ssrfPayload: signal.payload, ssrfField: signal.field, ssrfReason: signal.reason }
+        });
+      }
+    }
+    if (client.config.detect.jwtManipulation) {
+      const reqHeaders = headers ?? {};
+      const reqBody = req["body"] ?? {};
+      const reqQuery = req["query"] ?? {};
+      const jwtResult = scanRequestForJwtAttacks(reqHeaders, reqBody, reqQuery);
+      if (jwtResult?.detected) {
+        client.track(EventName.JWT_MANIPULATION, {
+          ip,
+          userId,
+          meta: { url, method, jwtAttack: jwtResult.attack, jwtAlg: jwtResult.alg, jwtDetail: jwtResult.detail }
+        });
+      }
+    }
     const onFinish = () => {
       const lateUserId = client.config.getUserId(req) || browserFp?.uid || "";
       if (!userIdWarnFired && userIdCheckCount < 20) {
@@ -2430,6 +2714,31 @@ function createFastifyPlugin(client) {
           client.track(EventName.XSS_DETECTED, { ip, userId, meta: { url, method } });
         }
       }
+      if (client.config.detect.ssrf) {
+        const query = req["query"] ?? {};
+        const body = req["body"] ?? {};
+        const signal = scanForSsrf(body, query);
+        if (signal) {
+          client.track(EventName.SSRF_ATTEMPT, {
+            ip,
+            userId,
+            meta: { url, method, ssrfPayload: signal.payload, ssrfField: signal.field, ssrfReason: signal.reason }
+          });
+        }
+      }
+      if (client.config.detect.jwtManipulation) {
+        const fHeaders = req["headers"] ?? {};
+        const fBody = req["body"] ?? {};
+        const fQuery = req["query"] ?? {};
+        const jwtRes = scanRequestForJwtAttacks(fHeaders, fBody, fQuery);
+        if (jwtRes?.detected) {
+          client.track(EventName.JWT_MANIPULATION, {
+            ip,
+            userId,
+            meta: { url, method, jwtAttack: jwtRes.attack, jwtAlg: jwtRes.alg, jwtDetail: jwtRes.detail }
+          });
+        }
+      }
     });
     fastify.addHook("onResponse", (req, reply) => {
       const ip = client.config.getIp(req);
@@ -2585,23 +2894,40 @@ function createExpressMiddleware2(client) {
       } catch {
       }
     }
+    const startTs = process.hrtime.bigint();
+    let resSize = 0;
+    let resFieldCount = 0;
+    const origJson = res.json.bind(res);
+    res.json = function anomiraJson(body) {
+      try {
+        if (body !== null && typeof body === "object" && !Array.isArray(body)) {
+          resFieldCount = Object.keys(body).length;
+        }
+        const serialised = JSON.stringify(body);
+        resSize = Buffer.byteLength(serialised, "utf8");
+      } catch {
+      }
+      return origJson(body);
+    };
+    const origSend = res.send.bind(res);
+    res.send = function anomiraSend(body) {
+      if (resSize === 0) {
+        if (typeof body === "string") resSize = Buffer.byteLength(body, "utf8");
+        else if (Buffer.isBuffer(body)) resSize = body.length;
+      }
+      return origSend(body);
+    };
     const onFinish = () => {
       res.off("finish", onFinish);
       const { statusCode } = res;
+      const resTimeMs = Math.round(Number(process.hrtime.bigint() - startTs) / 1e6);
+      const resMeta = { url, method, statusCode, resTimeMs, resSize, resFieldCount };
       if (client.config.detect.rateAbuse && statusCode === 429) {
-        client.track(EventName.RATE_LIMIT, {
-          ip,
-          userId,
-          meta: { url, method, statusCode }
-        });
+        client.track(EventName.RATE_LIMIT, { ip, userId, meta: resMeta });
       }
       if (client.config.detect.bruteForce && statusCode === 401) {
         if (/\/(login|signin|auth|token|session)/i.test(url)) {
-          client.track(EventName.LOGIN_FAILED, {
-            ip,
-            userId,
-            meta: { url, method, statusCode }
-          });
+          client.track(EventName.LOGIN_FAILED, { ip, userId, meta: resMeta });
         }
       }
       if (client.config.detect.scanDetection && statusCode === 404) {
@@ -2610,14 +2936,14 @@ function createExpressMiddleware2(client) {
           client.track(EventName.SCAN_DETECTED, {
             ip,
             userId,
-            meta: { url, method, userAgent: ua }
+            meta: { ...resMeta, userAgent: ua }
           });
         }
       }
       if (client.config.detect.geoVelocity && statusCode === 200 && /\/(login|signin|auth|token)/i.test(url) && method === "POST") {
         const resolvedUserId = client.config.getUserId(req);
         if (resolvedUserId) {
-          void client.trackLogin({ ip, userId: resolvedUserId, meta: { url } });
+          void client.trackLogin({ ip, userId: resolvedUserId, meta: resMeta });
         }
       }
     };
@@ -2657,30 +2983,52 @@ function createFastifyPlugin2(client) {
         }
       }
     });
+    fastify.addHook("onSend", async (_req, _reply, payload) => {
+      try {
+        if (typeof payload === "string") {
+          _req._anomiraResSize = Buffer.byteLength(payload, "utf8");
+          try {
+            const parsed = JSON.parse(payload);
+            if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+              _req._anomiraResFields = Object.keys(parsed).length;
+            }
+          } catch {
+          }
+        } else if (Buffer.isBuffer(payload)) {
+          _req._anomiraResSize = payload.length;
+        }
+      } catch {
+      }
+      return payload;
+    });
     fastify.addHook("onResponse", async (req, reply) => {
       const ip = client.config.getIp(req);
       const userId = client.config.getUserId(req);
       const url = req.url;
       const method = req.method.toUpperCase();
       const statusCode = reply.statusCode;
+      const resTimeMs = Math.round(reply.elapsedTime ?? 0);
+      const resSize = req._anomiraResSize ?? 0;
+      const resFieldCount = req._anomiraResFields ?? 0;
+      const resMeta = { url, method, statusCode, resTimeMs, resSize, resFieldCount };
       if (client.config.detect.rateAbuse && statusCode === 429) {
-        client.track(EventName.RATE_LIMIT, { ip, userId, meta: { url, method, statusCode } });
+        client.track(EventName.RATE_LIMIT, { ip, userId, meta: resMeta });
       }
       if (client.config.detect.bruteForce && statusCode === 401) {
         if (/\/(login|signin|auth|token|session)/i.test(url)) {
-          client.track(EventName.LOGIN_FAILED, { ip, userId, meta: { url, method, statusCode } });
+          client.track(EventName.LOGIN_FAILED, { ip, userId, meta: resMeta });
         }
       }
       if (client.config.detect.scanDetection && statusCode === 404) {
         const ua = req.headers["user-agent"] ?? "";
         if (!ua || /curl|wget|python|go-http|nuclei|sqlmap|nikto/i.test(ua)) {
-          client.track(EventName.SCAN_DETECTED, { ip, userId, meta: { url, method, userAgent: ua } });
+          client.track(EventName.SCAN_DETECTED, { ip, userId, meta: { ...resMeta, userAgent: ua } });
         }
       }
       if (client.config.detect.geoVelocity && statusCode === 200 && method === "POST" && /\/(login|signin|auth|token)/i.test(url)) {
         const resolvedUserId = client.config.getUserId(req);
         if (resolvedUserId) {
-          void client.trackLogin({ ip, userId: resolvedUserId, meta: { url } });
+          void client.trackLogin({ ip, userId: resolvedUserId, meta: resMeta });
         }
       }
     });