npm - @opensecurity/zonzon-core - Versions diffs - 0.1.1 → 0.1.3 - Mend

@opensecurity/zonzon-core 0.1.1 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/dist/audit.d.ts +10 -0
package/dist/audit.js +39 -0
package/dist/cache-layer.test.d.ts +1 -0
package/dist/cache-layer.test.js +205 -0
package/dist/cache-multi-question.test.d.ts +1 -0
package/dist/cache-multi-question.test.js +187 -0
package/dist/dns-handler.d.ts +27 -0
package/dist/dns-handler.js +323 -0
package/dist/dns-service.d.ts +45 -0
package/dist/dns-service.js +546 -0
package/dist/dns-service.test.d.ts +1 -0
package/dist/dns-service.test.js +306 -0
package/dist/dns-wireformat.test.d.ts +1 -0
package/dist/dns-wireformat.test.js +669 -0
package/dist/firewall.d.ts +9 -0
package/dist/firewall.js +62 -0
package/dist/http-body-forwarding-integration.test.d.ts +1 -0
package/dist/http-body-forwarding-integration.test.js +318 -0
package/dist/http-body-forwarding.test.d.ts +1 -0
package/dist/http-body-forwarding.test.js +84 -0
package/dist/http-handler.d.ts +21 -0
package/dist/http-handler.js +429 -0
package/dist/http-proxy.d.ts +14 -0
package/dist/http-proxy.js +135 -0
package/dist/http-proxy.test.d.ts +1 -0
package/dist/http-proxy.test.js +375 -0
package/{src/index.ts → dist/index.d.ts} +1 -1
package/dist/index.js +10 -0
package/dist/rate-limiter.d.ts +11 -0
package/dist/rate-limiter.js +33 -0
package/dist/rate-limiter.test.d.ts +1 -0
package/dist/rate-limiter.test.js +149 -0
package/dist/schema.d.ts +12 -0
package/dist/schema.js +124 -0
package/dist/schema.test.d.ts +1 -0
package/dist/schema.test.js +586 -0
package/dist/sni-proxy.d.ts +12 -0
package/dist/sni-proxy.js +141 -0
package/dist/srv-record.test.d.ts +1 -0
package/dist/srv-record.test.js +186 -0
package/dist/tcp-connection-limit.test.d.ts +1 -0
package/dist/tcp-connection-limit.test.js +89 -0
package/dist/types.d.ts +145 -0
package/dist/types.js +34 -0
package/dist/wildcard-matching.test.d.ts +1 -0
package/dist/wildcard-matching.test.js +162 -0
package/package.json +4 -1
package/src/audit.ts +0 -43
package/src/cache-layer.test.ts +0 -236
package/src/cache-multi-question.test.ts +0 -263
package/src/dns-handler.ts +0 -355
package/src/dns-service.test.ts +0 -371
package/src/dns-service.ts +0 -655
package/src/dns-wireformat.test.ts +0 -771
package/src/env.d.ts +0 -1
package/src/firewall.ts +0 -66
package/src/http-body-forwarding-integration.test.ts +0 -357
package/src/http-body-forwarding.test.ts +0 -101
package/src/http-handler.ts +0 -489
package/src/http-proxy.test.ts +0 -440
package/src/http-proxy.ts +0 -148
package/src/rate-limiter.test.ts +0 -144
package/src/rate-limiter.ts +0 -50
package/src/schema.test.ts +0 -685
package/src/schema.ts +0 -137
package/src/sni-proxy.ts +0 -164
package/src/srv-record.test.ts +0 -211
package/src/tcp-connection-limit.test.ts +0 -110
package/src/types.ts +0 -168
package/src/wildcard-matching.test.ts +0 -196
package/tsconfig.json +0 -9

package/dist/firewall.js ADDED Viewed

@@ -0,0 +1,62 @@
+import * as net from "net";
+export class FirewallEngine {
+    ipToInt(ip) {
+        return ip.split('.').reduce((int, octet) => (int << 8) + parseInt(octet, 10), 0) >>> 0;
+    }
+    matchCidr(ip, cidr) {
+        try {
+            const [range, bits] = cidr.split('/');
+            const mask = bits ? ~(Math.pow(2, 32 - parseInt(bits, 10)) - 1) : 0xFFFFFFFF;
+            return (this.ipToInt(ip) & mask) === (this.ipToInt(range) & mask);
+        }
+        catch {
+            return false;
+        }
+    }
+    matchDomain(domain, pattern) {
+        if (pattern === "*")
+            return true;
+        const normDomain = domain.toLowerCase().replace(/\.$/, "");
+        const normPattern = pattern.toLowerCase().replace(/\.$/, "");
+        if (normPattern === normDomain)
+            return true;
+        if (normPattern.startsWith("*.")) {
+            const suffix = normPattern.slice(2);
+            return normDomain === suffix || normDomain.endsWith("." + suffix);
+        }
+        return false;
+    }
+    evaluateIp(ip, fw) {
+        if (!fw)
+            return "ALLOW";
+        if (!net.isIPv4(ip))
+            return "DENY";
+        if (fw.blocklist_ips && fw.blocklist_ips.includes(ip))
+            return "DENY";
+        for (const range of fw.blocklist_ranges || []) {
+            if (this.matchCidr(ip, range))
+                return "DENY";
+        }
+        if (fw.allowlist_ips && fw.allowlist_ips.includes(ip))
+            return "ALLOW";
+        for (const range of fw.allowlist_ranges || []) {
+            if (this.matchCidr(ip, range))
+                return "ALLOW";
+        }
+        return fw.defaultPolicy === "allow" ? "ALLOW" : "DENY";
+    }
+    evaluateDomain(domain, fw) {
+        if (!fw)
+            return "ALLOW";
+        for (const pattern of fw.blocklist_domains || []) {
+            if (this.matchDomain(domain, pattern))
+                return "DENY";
+        }
+        for (const pattern of fw.allowlist_domains || []) {
+            if (this.matchDomain(domain, pattern))
+                return "ALLOW";
+        }
+        return fw.defaultPolicy === "allow" ? "ALLOW" : "DENY";
+    }
+}
+export const firewallEngine = new FirewallEngine();

package/dist/http-body-forwarding-integration.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/http-body-forwarding-integration.test.js ADDED Viewed

@@ -0,0 +1,318 @@
+import { describe, it } from "node:test";
+import assert from "assert";
+import * as http from "http";
+describe("HTTP Body Forwarding Integration", () => {
+    let upstreamServer;
+    let receivedBodies = [];
+    const TEST_PORT = 19876;
+    const PROXY_PORT = 19877;
+    function startUpstreamServer() {
+        return new Promise((resolve) => {
+            upstreamServer = http.createServer((req, res) => {
+                if (req.method !== "GET" && req.method !== "HEAD") {
+                    const chunks = [];
+                    req.on("data", (chunk) => {
+                        chunks.push(chunk);
+                    });
+                    req.on("end", () => {
+                        const body = Buffer.concat(chunks).toString("utf-8");
+                        if (body.length > 0) {
+                            receivedBodies.push(body);
+                        }
+                        res.writeHead(200, { "Content-Type": "text/plain" });
+                        res.end(`upstream ${req.method} body size: ${Buffer.concat(chunks).length}`);
+                    });
+                }
+                else {
+                    res.writeHead(200, { "Content-Type": "text/plain" });
+                    res.end("GET/HEAD received");
+                }
+            });
+            upstreamServer.listen(TEST_PORT, "127.0.0.1", () => {
+                resolve(TEST_PORT);
+            });
+        });
+    }
+    function stopUpstreamServer() {
+        return new Promise((resolve) => {
+            if (upstreamServer) {
+                upstreamServer.close(() => resolve());
+            }
+            else {
+                resolve();
+            }
+        });
+    }
+    function sendPostRequest(url, body) {
+        return new Promise((resolve, reject) => {
+            const parsed = new URL(url);
+            const postData = Buffer.from(body);
+            const options = {
+                hostname: "127.0.0.1",
+                port: parsed.port ? parseInt(parsed.port, 10) : PROXY_PORT,
+                path: parsed.pathname + parsed.search,
+                method: "POST",
+                headers: {
+                    Host: parsed.hostname,
+                    "Content-Type": "text/plain",
+                    "Content-Length": postData.length,
+                },
+            };
+            const req = http.request(options, (res) => {
+                let responseBody = "";
+                res.on("data", (chunk) => {
+                    responseBody += chunk.toString();
+                });
+                res.on("end", () => {
+                    resolve({ status: res.statusCode || 500, response: responseBody });
+                });
+            });
+            req.on("error", reject);
+            req.write(postData);
+            req.end();
+        });
+    }
+    function sendPutRequest(url, body) {
+        return new Promise((resolve, reject) => {
+            const parsed = new URL(url);
+            const putData = Buffer.from(body);
+            const options = {
+                hostname: "127.0.0.1",
+                port: parsed.port ? parseInt(parsed.port, 10) : PROXY_PORT,
+                path: parsed.pathname + parsed.search,
+                method: "PUT",
+                headers: {
+                    Host: parsed.hostname,
+                    "Content-Type": "text/plain",
+                    "Content-Length": putData.length,
+                },
+            };
+            const req = http.request(options, (res) => {
+                let responseBody = "";
+                res.on("data", (chunk) => {
+                    responseBody += chunk.toString();
+                });
+                res.on("end", () => {
+                    resolve({ status: res.statusCode || 500, response: responseBody });
+                });
+            });
+            req.on("error", reject);
+            req.write(putData);
+            req.end();
+        });
+    }
+    function get(url) {
+        return new Promise((resolve, reject) => {
+            const parsed = new URL(url);
+            const req = http.request({
+                hostname: "127.0.0.1",
+                port: parsed.port ? parseInt(parsed.port, 10) : PROXY_PORT,
+                path: parsed.pathname + parsed.search,
+                method: "GET",
+                headers: { Host: parsed.hostname },
+            }, (res) => {
+                let responseBody = "";
+                res.on("data", (chunk) => {
+                    responseBody += chunk.toString();
+                });
+                res.on("end", () => {
+                    resolve({ status: res.statusCode || 500, response: responseBody });
+                });
+            });
+            req.on("error", reject);
+            req.end();
+        });
+    }
+    it("forwards POST body to upstream when forwardRequestBody is enabled", async () => {
+        const { DevDnsServer } = await import("./dns-service.js");
+        const { HttpHandler } = await import("./http-handler.js");
+        receivedBodies = [];
+        const port = await startUpstreamServer();
+        try {
+            const config = {
+                port: 53,
+                hosts: {
+                    "app.loop": {
+                        records: [{ type: "A", address: "127.0.0.1" }],
+                        http_proxy: {
+                            enabled: true,
+                            upstream: `http://127.0.0.1:${port}`,
+                            headers: {},
+                            forwardRequestBody: true,
+                        },
+                    },
+                },
+            };
+            const dnsServer = new DevDnsServer(config);
+            const handler = new HttpHandler(dnsServer, config, PROXY_PORT);
+            await handler.start();
+            try {
+                await new Promise((resolve) => setTimeout(resolve, 100));
+                const bodyContent = "hello world test payload";
+                const result = await sendPostRequest(`http://app.loop/test`, bodyContent);
+                assert.strictEqual(result.status, 200);
+                assert.ok(receivedBodies.length > 0);
+                assert.strictEqual(receivedBodies[0], bodyContent);
+            }
+            finally {
+                await handler.stop();
+            }
+        }
+        finally {
+            await stopUpstreamServer();
+        }
+    });
+    it("forwards PUT body to upstream when forwardRequestBody is enabled", async () => {
+        const { DevDnsServer } = await import("./dns-service.js");
+        const { HttpHandler } = await import("./http-handler.js");
+        receivedBodies = [];
+        const port = await startUpstreamServer();
+        try {
+            const config = {
+                port: 53,
+                hosts: {
+                    "app.loop": {
+                        records: [{ type: "A", address: "127.0.0.1" }],
+                        http_proxy: {
+                            enabled: true,
+                            upstream: `http://127.0.0.1:${port}`,
+                            headers: {},
+                            forwardRequestBody: true,
+                        },
+                    },
+                },
+            };
+            const dnsServer = new DevDnsServer(config);
+            const handler = new HttpHandler(dnsServer, config, PROXY_PORT);
+            await handler.start();
+            try {
+                await new Promise((resolve) => setTimeout(resolve, 100));
+                const bodyContent = '{"key":"value","count":42}';
+                const result = await sendPutRequest(`http://app.loop/api/update`, bodyContent);
+                assert.strictEqual(result.status, 200);
+                assert.ok(receivedBodies.length > 0);
+                assert.strictEqual(receivedBodies[0], bodyContent);
+            }
+            finally {
+                await handler.stop();
+            }
+        }
+        finally {
+            await stopUpstreamServer();
+        }
+    });
+    it("does not forward body for GET requests even when forwarding is enabled", async () => {
+        const { DevDnsServer } = await import("./dns-service.js");
+        const { HttpHandler } = await import("./http-handler.js");
+        receivedBodies = [];
+        const port = await startUpstreamServer();
+        try {
+            const config = {
+                port: 53,
+                hosts: {
+                    "app.loop": {
+                        records: [{ type: "A", address: "127.0.0.1" }],
+                        http_proxy: {
+                            enabled: true,
+                            upstream: `http://127.0.0.1:${port}`,
+                            headers: {},
+                            forwardRequestBody: true,
+                        },
+                    },
+                },
+            };
+            const dnsServer = new DevDnsServer(config);
+            const handler = new HttpHandler(dnsServer, config, PROXY_PORT);
+            await handler.start();
+            try {
+                await new Promise((resolve) => setTimeout(resolve, 100));
+                const result = await get("http://app.loop/data");
+                assert.strictEqual(result.status, 200);
+                assert.strictEqual(receivedBodies.length, 0);
+            }
+            finally {
+                await handler.stop();
+            }
+        }
+        finally {
+            await stopUpstreamServer();
+        }
+    });
+    it("rejects oversized body with 413 when forwarding is enabled", async () => {
+        const { DevDnsServer } = await import("./dns-service.js");
+        const { HttpHandler } = await import("./http-handler.js");
+        receivedBodies = [];
+        const port = await startUpstreamServer();
+        try {
+            const config = {
+                port: 53,
+                hosts: {
+                    "app.loop": {
+                        records: [{ type: "A", address: "127.0.0.1" }],
+                        http_proxy: {
+                            enabled: true,
+                            upstream: `http://127.0.0.1:${port}`,
+                            headers: {},
+                            forwardRequestBody: true,
+                            maxRequestBodyBytes: 100,
+                        },
+                    },
+                },
+            };
+            const dnsServer = new DevDnsServer(config);
+            const handler = new HttpHandler(dnsServer, config, PROXY_PORT);
+            await handler.start();
+            try {
+                await new Promise((resolve) => setTimeout(resolve, 100));
+                const largeBody = "x".repeat(200);
+                const result = await sendPostRequest(`http://app.loop/upload`, largeBody);
+                assert.strictEqual(result.status, 413);
+                assert.strictEqual(receivedBodies.length, 0);
+            }
+            finally {
+                await handler.stop();
+            }
+        }
+        finally {
+            await stopUpstreamServer();
+        }
+    });
+    it("does not forward body when forwardRequestBody is disabled", async () => {
+        const { DevDnsServer } = await import("./dns-service.js");
+        const { HttpHandler } = await import("./http-handler.js");
+        receivedBodies = [];
+        const port = await startUpstreamServer();
+        try {
+            const config = {
+                port: 53,
+                hosts: {
+                    "app.loop": {
+                        records: [{ type: "A", address: "127.0.0.1" }],
+                        http_proxy: {
+                            enabled: true,
+                            upstream: `http://127.0.0.1:${port}`,
+                            headers: {},
+                            forwardRequestBody: false,
+                        },
+                    },
+                },
+            };
+            const dnsServer = new DevDnsServer(config);
+            const handler = new HttpHandler(dnsServer, config, PROXY_PORT);
+            await handler.start();
+            try {
+                await new Promise((resolve) => setTimeout(resolve, 100));
+                const bodyContent = "this should not be forwarded";
+                const result = await sendPostRequest(`http://app.loop/submit`, bodyContent);
+                assert.strictEqual(result.status, 200);
+                assert.strictEqual(receivedBodies.length, 0);
+            }
+            finally {
+                await handler.stop();
+            }
+        }
+        finally {
+            await stopUpstreamServer();
+        }
+    });
+});

package/dist/http-body-forwarding.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/http-body-forwarding.test.js ADDED Viewed

@@ -0,0 +1,84 @@
+import { describe, it } from "node:test";
+import assert from "assert";
+import { HttpProxyService } from "./http-proxy.js";
+function makeBodyForwardingConfig() {
+    return {
+        records: [{ type: "A", address: "127.0.0.1" }],
+        http_proxy: {
+            enabled: true,
+            upstream: "http://upstream.example.com",
+            headers: { "X-Forward-Body": "true" },
+        },
+        redirect: undefined,
+    };
+}
+describe("HttpProxyService - Body Forwarding Configuration", () => {
+    const proxy = new HttpProxyService();
+    it("accepts host config with body forwarding enabled", () => {
+        const config = {
+            records: [{ type: "A", address: "127.0.0.1" }],
+            http_proxy: {
+                enabled: true,
+                upstream: "http://upstream.example.com",
+                headers: {},
+                forwardRequestBody: true,
+            },
+        };
+        assert.strictEqual(config.http_proxy?.forwardRequestBody, true);
+    });
+    it("defaults body forwarding to false when not specified", () => {
+        const config = makeBodyForwardingConfig();
+        assert.ok(!config.http_proxy?.forwardRequestBody);
+    });
+    it("rejects body forwarding when proxy is disabled", () => {
+        const config = {
+            records: [{ type: "A", address: "127.0.0.1" }],
+            http_proxy: {
+                enabled: false,
+                upstream: "",
+                headers: {},
+                forwardRequestBody: true,
+            },
+        };
+        assert.strictEqual(config.http_proxy?.enabled, false);
+    });
+});
+describe("HttpProxyService - Body Forwarding Header", () => {
+    const proxy = new HttpProxyService();
+    it("injects X-Forwarded-Body header when body forwarding is enabled", () => {
+        const config = makeBodyForwardingConfig();
+        config.http_proxy.forwardRequestBody = true;
+        const request = {
+            hostname: "app.loop",
+            originalUrl: "/api/submit",
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: Buffer.from('{"key":"value"}'),
+        };
+        const result = proxy.getUpstreamHeaders(config, request);
+        assert.ok("X-Body-Forwarded" in result.upstreamHeaders || "X-Body-Size" in result.upstreamHeaders);
+    });
+    it("does not inject body forwarding header when disabled", () => {
+        const config = makeBodyForwardingConfig();
+        config.http_proxy.forwardRequestBody = false;
+        const request = {
+            hostname: "app.loop",
+            originalUrl: "/api/submit",
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+        };
+        const result = proxy.getUpstreamHeaders(config, request);
+        assert.ok(!("X-Body-Forwarded" in result.upstreamHeaders));
+    });
+});
+describe("HttpProxyService - Body size validation", () => {
+    const proxy = new HttpProxyService();
+    it("limits forwarded body size to configured maximum", () => {
+        const largeBody = Buffer.alloc(10 * 1024 * 1024, "x");
+        assert.ok(largeBody.length > 5 * 1024 * 1024);
+        assert.doesNotThrow(() => {
+            const config = makeBodyForwardingConfig();
+            config.http_proxy.forwardRequestBody = true;
+        });
+    });
+});

package/dist/http-handler.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import { DevDnsServer } from "./dns-service.js";
+import { ServerConfig } from "./types.js";
+export declare class HttpHandler {
+    private dnsServer;
+    private proxyService;
+    private port;
+    private config;
+    private server;
+    private circuitBreakers;
+    private activeConnections;
+    constructor(dnsServer: DevDnsServer, config: ServerConfig, port?: number);
+    private getCircuitBreaker;
+    private findWildcardHost;
+    private injectCustomHeaders;
+    private handleConnect;
+    private handleForwardProxy;
+    private handleRequest;
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    getPort(): number;
+}