@opensecurity/zonzon-core 0.1.2 → 0.1.3

package/dist/wildcard-matching.test.js

@@ -0,0 +1,162 @@
+import { describe, it } from "node:test";
+import assert from "assert";
+import { DevDnsServer } from "./dns-service.js";
+import { DNS_TYPES } from "./types.js";
+function buildQuery(name, type) {
+    const encoder = new (class {
+        buf = Buffer.alloc(256);
+        offset = 0;
+        writeUint16(v) {
+            this.buf.writeUInt16BE(v, this.offset);
+            this.offset += 2;
+        }
+        writeUint8(v) {
+            this.buf.writeUInt8(v, this.offset);
+            this.offset += 1;
+        }
+        writeDomainName(nm) {
+            for (const label of nm.split(".")) {
+                if (label.length === 0)
+                    continue;
+                this.writeUint8(label.length);
+                Buffer.from(label).copy(this.buf, this.offset);
+                this.offset += label.length;
+            }
+            this.writeUint8(0);
+        }
+        finish() {
+            return this.buf.subarray(0, this.offset);
+        }
+    })();
+    encoder.writeUint16(0xBEEF);
+    encoder.writeUint16(0x0100);
+    encoder.writeUint16(1);
+    encoder.writeUint16(0);
+    encoder.writeUint16(0);
+    encoder.writeUint16(0);
+    encoder.writeDomainName(name);
+    encoder.writeUint16(type);
+    encoder.writeUint16(1);
+    return encoder.finish();
+}
+function getAnswerCount(buf) {
+    return buf.readUInt16BE(6);
+}
+describe("DevDnsServer - Wildcard Host Matching", () => {
+    let server;
+    it("resolves subdomains under a wildcard pattern *.loop", () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 0,
+            hosts: {
+                "*.loop": { records: [{ type: "A", address: "192.168.1.1" }] },
+            },
+        };
+        server = new DevDnsServer(config);
+        const appResp = server.resolve(buildQuery("app.loop", DNS_TYPES.A));
+        assert.ok(appResp.length > 0);
+        assert.strictEqual(getAnswerCount(appResp), 1);
+        const deepResp = server.resolve(buildQuery("deep.sub.loop", DNS_TYPES.A));
+        assert.ok(deepResp.length > 0);
+        assert.strictEqual(getAnswerCount(deepResp), 1);
+    });
+    it("resolves wildcard with multiple record types", () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 0,
+            hosts: {
+                "*.dev": {
+                    records: [
+                        { type: "A", address: "10.0.0.1" },
+                        { type: "AAAA", address: "::1" },
+                        { type: "TXT", data: ["v=dev"] },
+                    ],
+                },
+            },
+        };
+        server = new DevDnsServer(config);
+        const aResp = server.resolve(buildQuery("random.dev", DNS_TYPES.A));
+        assert.ok(aResp.length > 0);
+        assert.strictEqual(getAnswerCount(aResp), 1);
+        const aaaaResp = server.resolve(buildQuery("another.dev", DNS_TYPES.AAAA));
+        assert.ok(aaaaResp.length > 0);
+        assert.strictEqual(getAnswerCount(aaaaResp), 1);
+        const txtResp = server.resolve(buildQuery("foo.dev", DNS_TYPES.TXT));
+        assert.ok(txtResp.length > 0);
+        assert.strictEqual(getAnswerCount(txtResp), 1);
+    });
+    it("exact hostname takes priority over wildcard", () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 0,
+            hosts: {
+                "*.loop": { records: [{ type: "A", address: "192.168.1.1" }] },
+                "exact.loop": { records: [{ type: "A", address: "10.0.0.100" }] },
+            },
+        };
+        server = new DevDnsServer(config);
+        const exactResp = server.resolve(buildQuery("exact.loop", DNS_TYPES.A));
+        assert.ok(exactResp.length > 0);
+        assert.strictEqual(getAnswerCount(exactResp), 1);
+        const wildResp = server.resolve(buildQuery("other.loop", DNS_TYPES.A));
+        assert.ok(wildResp.length > 0);
+        assert.strictEqual(getAnswerCount(wildResp), 1);
+    });
+    it("rejects bare wildcard pattern query (no subdomain)", () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 0,
+            hosts: {
+                "*.loop": { records: [{ type: "A", address: "192.168.1.1" }] },
+            },
+        };
+        server = new DevDnsServer(config);
+        const bareResp = server.resolve(buildQuery("*.loop", DNS_TYPES.A));
+        assert.ok(bareResp.length > 0);
+    });
+    it("handles deeply nested wildcard matches", () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 0,
+            hosts: {
+                "*.com": { records: [{ type: "A", address: "8.8.8.8" }] },
+            },
+        };
+        server = new DevDnsServer(config);
+        const deepResp = server.resolve(buildQuery("a.b.c.d.com", DNS_TYPES.A));
+        assert.ok(deepResp.length > 0);
+        assert.strictEqual(getAnswerCount(deepResp), 1);
+    });
+    it("is case-insensitive for wildcard matching", () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 0,
+            hosts: {
+                "*.example": { records: [{ type: "A", address: "1.2.3.4" }] },
+            },
+        };
+        server = new DevDnsServer(config);
+        const upperResp = server.resolve(buildQuery("APP.EXAMPLE", DNS_TYPES.A));
+        assert.ok(upperResp.length > 0);
+        assert.strictEqual(getAnswerCount(upperResp), 1);
+    });
+    it("wildcard only matches one label prefix", () => {
+        const config = {
+            port: 53,
+            dnsCacheMaxSize: 100,
+            dnsCacheTtlMs: 0,
+            hosts: {
+                "*.loop": { records: [{ type: "A", address: "5.5.5.5" }] },
+            },
+        };
+        server = new DevDnsServer(config);
+        const oneLabelResp = server.resolve(buildQuery("x.loop", DNS_TYPES.A));
+        assert.ok(oneLabelResp.length > 0);
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opensecurity/zonzon-core",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "core routing, dns, and firewall engine",
   "type": "module",
   "author": "Lucian BLETAN <neuraluc@gmail.com>",
@@ -22,6 +22,9 @@
   "publishConfig": {
     "access": "public"
   },
+  "files": [
+    "dist"
+  ],
   "exports": {
     ".": {
       "import": "./dist/index.js",

package/src/audit.ts

@@ -1,43 +0,0 @@
-import { DNS_TYPES } from "./types.js";
-
-const REVERSE_DNS_TYPES = Object.fromEntries(Object.entries(DNS_TYPES).map(([k, v]) => [v, k]));
-
-export class AuditLogger {
-  private isTestEnv = process.argv.includes("--test") || process.env.NODE_ENV === "test";
-
-  private sanitize(input: any): string {
-    return String(input || "").replace(/[\r\n\t]/g, " ").replace(/[^\x20-\x7E]/g, "?");
-  }
-
-  public dns(ip: string, questions: any[], rcode: number, cached: boolean = false): void {
-    if (this.isTestEnv) return;
-    const codeMap: any = { 0: "Found (NOERROR)", 3: "Not Found (NXDOMAIN)", 5: "Blocked by Firewall (REFUSED)" };
-    const prefix = cached ? "[Cached] " : "";
-    questions.forEach(q => {
-      console.log(`[DNS] ${this.sanitize(ip)} | ${prefix}${REVERSE_DNS_TYPES[q.type] || q.type} ${this.sanitize(q.name)} -> ${codeMap[rcode] || rcode}`);
-    });
-  }
-
-  public firewall(ip: string, target: string, action: "ALLOW" | "DENY", detail: string = "") {
-    if (this.isTestEnv) return;
-    const color = action === "ALLOW" ? "\x1b[32mALLOW\x1b[0m" : "\x1b[31mDENY\x1b[0m";
-    console.log(`[FIREWALL] ${this.sanitize(ip)} | ${color} | ${this.sanitize(target)} ${detail ? `(${this.sanitize(detail)})` : ""}`);
-  }
-
-  public http(ip: string, method: string, host: string, path: string, status: number, target: string = "") {
-    if (this.isTestEnv) return;
-    console.log(`[HTTP] ${this.sanitize(ip)} | Returned Status ${status} | ${this.sanitize(method)} ${this.sanitize(host)}${this.sanitize(path)} ${target ? `-> ${this.sanitize(target)}` : ""}`);
-  }
-
-  public system(msg: string) { 
-    if (this.isTestEnv) return;
-    console.log(`[SYSTEM] ${this.sanitize(msg)}`); 
-  }
-  
-  public error(msg: string) { 
-    if (this.isTestEnv) return;
-    console.error(`[ERROR] \x1b[31m${this.sanitize(msg)}\x1b[0m`); 
-  }
-}
-
-export const audit = new AuditLogger();

package/src/cache-layer.test.ts

@@ -1,236 +0,0 @@
-import { describe, it } from "node:test";
-import assert from "assert";
-import { DevDnsServer } from "./dns-service.js";
-import { ServerConfig, DNS_TYPES } from "./types.js";
-
-function buildQuery(name: string, type: number): Buffer {
-  const encoder = new (class {
-    buf = Buffer.alloc(256);
-    offset = 0;
-
-    writeUint16(v: number) {
-      this.buf.writeUInt16BE(v, this.offset);
-      this.offset += 2;
-    }
-
-    writeUint8(v: number) {
-      this.buf.writeUInt8(v, this.offset);
-      this.offset += 1;
-    }
-
-    writeDomainName(nm: string) {
-      for (const label of nm.split(".")) {
-        if (label.length === 0) continue;
-        this.writeUint8(label.length);
-        Buffer.from(label).copy(this.buf, this.offset);
-        this.offset += label.length;
-      }
-      this.writeUint8(0);
-    }
-
-    finish(): Buffer {
-      return this.buf.subarray(0, this.offset);
-    }
-  })();
-
-  encoder.writeUint16(0x5678);
-  encoder.writeUint16(0x0100);
-  encoder.writeUint16(1);
-  encoder.writeUint16(0);
-  encoder.writeUint16(0);
-  encoder.writeUint16(0);
-
-  encoder.writeDomainName(name);
-  encoder.writeUint16(type);
-  encoder.writeUint16(1);
-
-  return encoder.finish();
-}
-
-function parseResponseFlags(buf: Buffer): { qr: number; rcode: number } {
-  const flags = buf.readUInt16BE(2);
-  const qr = (flags >> 15) & 0x1;
-  const rcode = flags & 0xf;
-  return { qr, rcode };
-}
-
-function getTtlFromResponse(buf: Buffer): number | null {
-  const ancount = buf.readUInt16BE(6);
-  if (ancount === 0) return null;
-
-  let offset = 12;
-  while (offset < buf.length && buf[offset] !== 0) {
-    const len = buf[offset];
-    if ((len & 0xc0) === 0xc0) break;
-    offset += len + 1;
-  }
-  offset += 5; 
-
-  if (offset + 4 > buf.length) return null;
-  return buf.readUInt32BE(offset);
-}
-
-describe("DevDnsServer - Cache Layer", () => {
-  let server: DevDnsServer;
-
-  it("caches responses when cache is enabled with TTL", async () => {
-    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
-      port: 53,
-      dnsCacheMaxSize: 100,
-      dnsCacheTtlMs: 5000,
-      hosts: {
-        "cached.loop": { records: [{ type: "A", address: "192.168.1.1" }] },
-      },
-    };
-
-    server = new DevDnsServer(config);
-    const queryBuffer = buildQuery("cached.loop", DNS_TYPES.A);
-
-    const firstResponse = server.resolve(queryBuffer)!;
-    assert.ok(firstResponse.length > 0);
-    const ttl1 = getTtlFromResponse(firstResponse);
-    assert.ok(ttl1 !== null && ttl1 >= 5);
-
-    await new Promise<void>((resolve) => setTimeout(resolve, 200));
-    const secondResponse = server.resolve(queryBuffer)!;
-    assert.ok(secondResponse.length > 0);
-
-    const { qr: qr1, rcode: rc1 } = parseResponseFlags(firstResponse);
-    const { qr: qr2, rcode: rc2 } = parseResponseFlags(secondResponse);
-    assert.strictEqual(qr1, qr2);
-    assert.strictEqual(rc1, rc2);
-
-    const ttl2 = getTtlFromResponse(secondResponse);
-    assert.ok(ttl2 !== null);
-    assert.ok(ttl2 <= ttl1!);
-  });
-
-  it("returns expired cache entries as stale", () => {
-    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
-      port: 53,
-      dnsCacheMaxSize: 100,
-      dnsCacheTtlMs: 50, 
-      hosts: {
-        "short-lived.loop": { records: [{ type: "A", address: "10.0.0.1" }] },
-      },
-    };
-
-    server = new DevDnsServer(config);
-    const queryBuffer = buildQuery("short-lived.loop", DNS_TYPES.A);
-
-    server.resolve(queryBuffer);
-
-    return new Promise<void>((resolve) => {
-      setTimeout(() => {
-        const expiredResponse = server.resolve(queryBuffer)!;
-        assert.ok(expiredResponse.length > 0);
-        const { rcode } = parseResponseFlags(expiredResponse);
-        assert.strictEqual(rcode, 0);
-        resolve();
-      }, 100);
-    });
-  });
-
-  it("enforces cache size limit by evicting oldest entries", () => {
-    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
-      port: 53,
-      dnsCacheMaxSize: 3, 
-      dnsCacheTtlMs: 10000,
-      hosts: {
-        "one.loop": { records: [{ type: "A", address: "1.1.1.1" }] },
-        "two.loop": { records: [{ type: "A", address: "2.2.2.2" }] },
-        "three.loop": { records: [{ type: "A", address: "3.3.3.3" }] },
-        "four.loop": { records: [{ type: "A", address: "4.4.4.4" }] },
-      },
-    };
-
-    server = new DevDnsServer(config);
-
-    server.resolve(buildQuery("one.loop", DNS_TYPES.A));
-    server.resolve(buildQuery("two.loop", DNS_TYPES.A));
-    server.resolve(buildQuery("three.loop", DNS_TYPES.A));
-
-    server.resolve(buildQuery("four.loop", DNS_TYPES.A));
-
-    const r1 = server.resolve(buildQuery("one.loop", DNS_TYPES.A))!;
-    const r4 = server.resolve(buildQuery("four.loop", DNS_TYPES.A))!;
-
-    assert.ok(r1.length > 0 || r4.length > 0);
-  });
-
-  it("does not cache when cache is disabled (zero TTL)", () => {
-    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
-      port: 53,
-      dnsCacheMaxSize: 100,
-      dnsCacheTtlMs: 0, 
-      hosts: {
-        "no-cache.loop": { records: [{ type: "A", address: "9.9.9.9" }] },
-      },
-    };
-
-    server = new DevDnsServer(config);
-    const queryBuffer = buildQuery("no-cache.loop", DNS_TYPES.A);
-
-    const resp1 = server.resolve(queryBuffer)!;
-    assert.ok(resp1.length > 0);
-
-    const resp2 = server.resolve(queryBuffer)!;
-    assert.ok(resp2.length > 0);
-  });
-
-  it("returns NXDOMAIN for unknown hosts without caching the negative result when cache is enabled", () => {
-    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
-      port: 53,
-      dnsCacheMaxSize: 100,
-      dnsCacheTtlMs: 2000,
-      hosts: {},
-    };
-
-    server = new DevDnsServer(config);
-    const queryBuffer = buildQuery("nonexistent.loop", DNS_TYPES.A);
-
-    const response = server.resolve(queryBuffer)!;
-    assert.ok(response.length > 0);
-    const { rcode } = parseResponseFlags(response);
-    assert.strictEqual(rcode, 3);
-  });
-
-  it("caches multi-question queries separately per question", () => {
-    const config: ServerConfig & { dnsCacheMaxSize?: number; dnsCacheTtlMs?: number } = {
-      port: 53,
-      dnsCacheMaxSize: 100,
-      dnsCacheTtlMs: 5000,
-      hosts: {
-        "a.loop": { records: [{ type: "A", address: "1.1.1.1" }] },
-        "b.loop": { records: [{ type: "A", address: "2.2.2.2" }] },
-      },
-    };
-
-    server = new DevDnsServer(config);
-
-    const encoder = new (class {
-      buf = Buffer.alloc(512);
-      offset = 0;
-      writeUint16(v: number) { this.buf.writeUInt16BE(v, this.offset); this.offset += 2; }
-      writeUint8(v: number) { this.buf.writeUInt8(v, this.offset); this.offset += 1; }
-      writeDomainName(nm: string) { for (const label of nm.split(".")) { if (label.length === 0) continue; this.writeUint8(label.length); Buffer.from(label).copy(this.buf, this.offset); this.offset += label.length; } this.writeUint8(0); }
-      finish(): Buffer { return this.buf.subarray(0, this.offset); }
-    })();
-
-    encoder.writeUint16(0xAAAA);
-    encoder.writeUint16(0x0100);
-    encoder.writeUint16(2);
-    encoder.writeUint16(0);
-    encoder.writeUint16(0);
-    encoder.writeUint16(0);
-    encoder.writeDomainName("a.loop");
-    encoder.writeUint16(DNS_TYPES.A);
-    encoder.writeUint16(1);
-    encoder.writeDomainName("b.loop");
-    encoder.writeUint16(DNS_TYPES.A);
-    encoder.writeUint16(1);
-
-    const response = server.resolve(encoder.finish())!;
-    assert.ok(response.length > 0);
-  });
-});