@opensecurity/zonzon-core 0.1.2 → 0.1.4

package/dist/http-proxy.test.js

@@ -0,0 +1,375 @@
+import { describe, it } from "node:test";
+import assert from "node:assert";
+import { HttpProxyService } from "./http-proxy.js";
+function makeConfig(overrides = {}) {
+    return {
+        records: [{ type: "A", address: "127.0.0.1" }],
+        http_proxy: undefined,
+        redirect: undefined,
+        ...overrides,
+    };
+}
+function makeProxyEnabledConfig() {
+    return makeConfig({
+        http_proxy: {
+            enabled: true,
+            upstream: "http://upstream.example.com",
+            headers: {
+                "X-Custom": "custom-value",
+                "X-Env": "production",
+            },
+        },
+    });
+}
+function makeRedirectConfig() {
+    return makeConfig({
+        redirect: {
+            enabled: true,
+            code: 301,
+            target: "https://target.example.com/path",
+        },
+    });
+}
+describe("HttpProxyService - Header Sanitization", () => {
+    const proxy = new HttpProxyService();
+    it("accepts normal alphanumeric header values", () => {
+        assert.strictEqual(proxy.sanitizeHeader("normal-value"), "normal-value");
+    });
+    it("rejects header values with CR characters", () => {
+        assert.strictEqual(proxy.sanitizeHeader("value\x0dwithCR"), null);
+    });
+    it("rejects header values with LF characters", () => {
+        assert.strictEqual(proxy.sanitizeHeader("value\nwithLF"), null);
+    });
+    it("rejects header values with CRLF combinations", () => {
+        assert.strictEqual(proxy.sanitizeHeader("value\r\nInjected: true"), null);
+    });
+    it("rejects header values exceeding 8192 characters", () => {
+        const longValue = "x".repeat(8193);
+        assert.strictEqual(proxy.sanitizeHeader(longValue), null);
+    });
+    it("accepts header values at exactly 8192 characters", () => {
+        const maxLen = "x".repeat(8192);
+        assert.strictEqual(proxy.sanitizeHeader(maxLen), maxLen);
+    });
+    it("rejects non-string values", () => {
+        assert.strictEqual(proxy.sanitizeHeader(123), null);
+        assert.strictEqual(proxy.sanitizeHeader(null), null);
+        assert.strictEqual(proxy.sanitizeHeader(undefined), null);
+        assert.strictEqual(proxy.sanitizeHeader({}), null);
+    });
+    it("accepts header values with safe special characters", () => {
+        const value = "Bearer abc123.def456 ghi789!@#$%^&*()";
+        assert.strictEqual(proxy.sanitizeHeader(value), value);
+    });
+});
+describe("HttpProxyService - Header Name Validation", () => {
+    const proxy = new HttpProxyService();
+    it("accepts valid RFC 7230 token header names", () => {
+        assert.strictEqual(proxy.isValidHeaderName("Content-Type"), true);
+        assert.strictEqual(proxy.isValidHeaderName("X-Custom-Header"), true);
+        assert.strictEqual(proxy.isValidHeaderName("Authorization"), true);
+        assert.strictEqual(proxy.isValidHeaderName("X-B3-TraceId"), true);
+    });
+    it("accepts header names with RFC-valid special characters", () => {
+        assert.strictEqual(proxy.isValidHeaderName("X-Test_Header"), true);
+        assert.strictEqual(proxy.isValidHeaderName("X-Test+Header"), true);
+        assert.strictEqual(proxy.isValidHeaderName("X-Test~Header"), true);
+    });
+    it("rejects empty header names", () => {
+        assert.strictEqual(proxy.isValidHeaderName(""), false);
+    });
+    it("rejects header names exceeding 256 characters", () => {
+        const longName = "x".repeat(257);
+        assert.strictEqual(proxy.isValidHeaderName(longName), false);
+    });
+    it("rejects header names with spaces", () => {
+        assert.strictEqual(proxy.isValidHeaderName("X- Evil"), false);
+    });
+    it("rejects header names with newlines (CRLF injection)", () => {
+        assert.strictEqual(proxy.isValidHeaderName("X-Bad\r\nInjected"), false);
+        assert.strictEqual(proxy.isValidHeaderName("X-Bad\nInjected"), false);
+    });
+    it("rejects header names with forward slashes", () => {
+        assert.strictEqual(proxy.isValidHeaderName("X/Path/Header"), false);
+    });
+    it("rejects header names with backslashes", () => {
+        assert.strictEqual(proxy.isValidHeaderName("X\\Backslash"), false);
+    });
+});
+describe("HttpProxyService - Hop-by-Hop Headers", () => {
+    const proxy = new HttpProxyService();
+    it("returns all hop-by-hop headers to exclude", () => {
+        const excluded = proxy.getHopByHopHeaders();
+        assert.ok(excluded.includes("connection"));
+        assert.ok(excluded.includes("keep-alive"));
+        assert.ok(excluded.includes("te"));
+        assert.ok(excluded.includes("transfer-encoding"));
+        assert.ok(excluded.includes("upgrade"));
+        assert.ok(excluded.includes("proxy-authenticate"));
+        assert.ok(excluded.includes("proxy-authorization"));
+        assert.ok(excluded.includes("trailer"));
+    });
+    it("excludes hop-by-hop headers from upstream forwarding", () => {
+        const config = makeProxyEnabledConfig();
+        const request = {
+            hostname: "app.loop",
+            originalUrl: "/",
+            method: "GET",
+            headers: {
+                connection: "keep-alive",
+                "keep-alive": "timeout=5",
+                "X-Forwarded-For": "192.168.1.1",
+                "X-Custom": "custom-value",
+                "Transfer-Encoding": "chunked",
+            },
+        };
+        const result = proxy.getUpstreamHeaders(config, request);
+        assert.ok("X-Forwarded-For" in result.clientResponseHeaders);
+        assert.strictEqual(result.upstreamHeaders["X-Custom"], "custom-value");
+        assert.strictEqual(result.clientResponseHeaders["X-Custom"], "custom-value");
+    });
+});
+describe("HttpProxyService - Header Injection", () => {
+    const proxy = new HttpProxyService();
+    it("injects custom headers when proxy is enabled", () => {
+        const config = makeProxyEnabledConfig();
+        const request = {
+            hostname: "app.loop",
+            originalUrl: "/",
+            method: "GET",
+            headers: {},
+        };
+        const result = proxy.getUpstreamHeaders(config, request);
+        assert.strictEqual(result.upstreamHeaders["X-Custom"], "custom-value");
+        assert.strictEqual(result.upstreamHeaders["X-Env"], "production");
+        assert.strictEqual(result.clientResponseHeaders["X-Proxy"], "zonzon");
+    });
+    it("does not inject any headers when proxy is disabled", () => {
+        const config = makeConfig({ http_proxy: { enabled: false, upstream: "", headers: {} } });
+        const request = {
+            hostname: "app.loop",
+            originalUrl: "/",
+            method: "GET",
+            headers: {},
+        };
+        const result = proxy.getUpstreamHeaders(config, request);
+        assert.strictEqual(Object.keys(result.upstreamHeaders).length, 0);
+        assert.ok(!result.clientResponseHeaders["X-Proxy"]);
+    });
+    it("does not inject any headers when proxy config is absent", () => {
+        const config = makeConfig();
+        const request = {
+            hostname: "app.loop",
+            originalUrl: "/",
+            method: "GET",
+            headers: {},
+        };
+        const result = proxy.getUpstreamHeaders(config, request);
+        assert.strictEqual(Object.keys(result.upstreamHeaders).length, 0);
+        assert.ok(!result.clientResponseHeaders["X-Proxy"]);
+    });
+    it("adds X-Proxy identification header to client responses", () => {
+        const config = makeProxyEnabledConfig();
+        const request = {
+            hostname: "app.loop",
+            originalUrl: "/index.html",
+            method: "GET",
+            headers: {},
+        };
+        const result = proxy.getUpstreamHeaders(config, request);
+        assert.strictEqual(result.clientResponseHeaders["X-Proxy"], "zonzon");
+    });
+    it("passes through non-hop-by-hop original headers to client response", () => {
+        const config = makeProxyEnabledConfig();
+        const request = {
+            hostname: "app.loop",
+            originalUrl: "/",
+            method: "GET",
+            headers: {
+                Accept: "text/html",
+                "User-Agent": "test-agent/1.0",
+                "X-Request-Id": "abc-123",
+            },
+        };
+        const result = proxy.getUpstreamHeaders(config, request);
+        assert.strictEqual(result.clientResponseHeaders["Accept"], "text/html");
+        assert.strictEqual(result.clientResponseHeaders["User-Agent"], "test-agent/1.0");
+        assert.strictEqual(result.clientResponseHeaders["X-Request-Id"], "abc-123");
+    });
+    it("strips hop-by-hop headers from client response", () => {
+        const config = makeProxyEnabledConfig();
+        const request = {
+            hostname: "app.loop",
+            originalUrl: "/",
+            method: "GET",
+            headers: {
+                Connection: "close",
+                "Keep-Alive": "timeout=10",
+                TE: "trailers",
+                "Transfer-Encoding": "chunked",
+            },
+        };
+        const result = proxy.getUpstreamHeaders(config, request);
+        assert.ok(!result.clientResponseHeaders["Connection"]);
+        assert.ok(!result.clientResponseHeaders["Keep-Alive"]);
+        assert.ok(!result.clientResponseHeaders["TE"]);
+        assert.ok(!result.clientResponseHeaders["Transfer-Encoding"]);
+    });
+    it("handles case-insensitive hop-by-hop header matching", () => {
+        const config = makeProxyEnabledConfig();
+        const request = {
+            hostname: "app.loop",
+            originalUrl: "/",
+            method: "GET",
+            headers: {
+                "CONNECTION": "keep-alive",
+                "KEEP-ALIVE": "timeout=5",
+                "TRANSFER-ENCODING": "chunked",
+            },
+        };
+        const result = proxy.getUpstreamHeaders(config, request);
+        assert.ok(!result.clientResponseHeaders["CONNECTION"]);
+        assert.ok(!result.clientResponseHeaders["KEEP-ALIVE"]);
+        assert.ok(!result.clientResponseHeaders["TRANSFER-ENCODING"]);
+    });
+});
+describe("HttpProxyService - Redirect Checks", () => {
+    const proxy = new HttpProxyService();
+    it("returns redirect info when enabled with valid URL", () => {
+        const config = makeRedirectConfig();
+        const result = proxy.checkRedirect(config);
+        assert.strictEqual(result?.code, 301);
+        assert.strictEqual(result?.target, "https://target.example.com/path");
+    });
+    it("returns null when redirect is not enabled", () => {
+        const config = makeConfig();
+        assert.strictEqual(proxy.checkRedirect(config), null);
+    });
+    it("returns null when proxy-only config (no redirect)", () => {
+        const config = makeProxyEnabledConfig();
+        assert.strictEqual(proxy.checkRedirect(config), null);
+    });
+    it("rejects redirects with relative URLs", () => {
+        const config = makeConfig({
+            redirect: {
+                enabled: true,
+                code: 301,
+                target: "/path/relative",
+            },
+        });
+        assert.strictEqual(proxy.checkRedirect(config), null);
+    });
+    it("rejects redirects with malformed URLs", () => {
+        const config = makeConfig({
+            redirect: {
+                enabled: true,
+                code: 301,
+                target: "not a valid url at all",
+            },
+        });
+        assert.strictEqual(proxy.checkRedirect(config), null);
+    });
+    it("rejects redirects with protocol-relative URLs", () => {
+        const config = makeConfig({
+            redirect: {
+                enabled: true,
+                code: 301,
+                target: "//evil.example.com",
+            },
+        });
+        assert.strictEqual(proxy.checkRedirect(config), null);
+    });
+    it("accepts redirect with query parameters in target", () => {
+        const config = makeConfig({
+            redirect: {
+                enabled: true,
+                code: 302,
+                target: "https://target.example.com/path?key=value&foo=bar",
+            },
+        });
+        const result = proxy.checkRedirect(config);
+        assert.strictEqual(result?.code, 302);
+        assert.ok(result?.target.includes("?key=value"));
+    });
+    it("accepts all valid redirect codes (301, 302, 303, 307, 308)", () => {
+        for (const code of [301, 302, 303, 307, 308]) {
+            const config = makeConfig({
+                redirect: { enabled: true, code, target: "https://example.com" },
+            });
+            assert.ok(proxy.checkRedirect(config));
+        }
+    });
+    it("rejects invalid redirect codes (300, 404, 999)", () => {
+        for (const code of [200, 300, 404, 500, 999]) {
+            const config = makeConfig({
+                redirect: { enabled: true, code, target: "https://example.com" },
+            });
+            assert.strictEqual(proxy.checkRedirect(config), null);
+        }
+    });
+});
+describe("HttpProxyService - Timeout", () => {
+    const proxy = new HttpProxyService();
+    it("returns 0 timeout when proxy is disabled", () => {
+        const config = makeConfig();
+        assert.strictEqual(proxy.calculateTimeout(config), 0);
+    });
+    it("returns bounded timeout when proxy is enabled", () => {
+        const config = makeProxyEnabledConfig();
+        const timeout = proxy.calculateTimeout(config);
+        assert.ok(timeout >= 1000 && timeout <= 30000);
+    });
+    it("defaults to 5 seconds for enabled proxy", () => {
+        const config = makeProxyEnabledConfig();
+        assert.strictEqual(proxy.calculateTimeout(config), 5000);
+    });
+});
+describe("HttpProxyService - Security Edge Cases", () => {
+    const proxy = new HttpProxyService();
+    it("sanitizes headers containing URL-encoded CR/LF percent sequences in values", () => {
+        assert.strictEqual(proxy.sanitizeHeader("encoded%0d%0aInjected"), null);
+    });
+    it("rejects header values with tab characters (HTTP smuggling vector)", () => {
+        assert.strictEqual(proxy.sanitizeHeader("value\twith\ttabs"), null);
+    });
+    it("rejects header values with unicode control characters", () => {
+        assert.strictEqual(proxy.sanitizeHeader("value\u000b\u000ccontrol"), null);
+    });
+    it("handles proxy config without custom headers gracefully", () => {
+        const config = makeConfig({
+            http_proxy: {
+                enabled: true,
+                upstream: "http://upstream.example.com",
+                headers: {},
+            },
+        });
+        const request = {
+            hostname: "app.loop",
+            originalUrl: "/",
+            method: "GET",
+            headers: {},
+        };
+        const result = proxy.getUpstreamHeaders(config, request);
+        assert.strictEqual(Object.keys(result.upstreamHeaders).length, 0);
+        assert.strictEqual(result.clientResponseHeaders["X-Proxy"], "zonzon");
+    });
+    it("handles empty host config records array gracefully", () => {
+        const config = makeConfig({ http_proxy: undefined });
+        assert.ok(proxy.checkRedirect(config) === null);
+        assert.strictEqual(proxy.calculateTimeout(config), 0);
+    });
+});
+describe("HttpProxyService - Header Injection with Sanitization", () => {
+    const proxy = new HttpProxyService();
+    it("sanitizes injected custom headers before passing to response", () => {
+        const value = "injected\r\nMalicious: header";
+        const sanitized = proxy.sanitizeHeader(value);
+        assert.strictEqual(sanitized, null);
+    });
+    it("accepts safe config header values for injection", () => {
+        const value = "safe-value-with-dashes_and_underscores";
+        const sanitized = proxy.sanitizeHeader(value);
+        assert.strictEqual(sanitized, value);
+    });
+});

package/{src/index.ts → dist/index.d.ts}

@@ -7,4 +7,4 @@ export * from "./dns-service.js";
 export * from "./dns-handler.js";
 export * from "./http-proxy.js";
 export * from "./http-handler.js";
-export * from "./sni-proxy.js";
+export * from "./sni-proxy.js";

package/dist/index.js

@@ -0,0 +1,10 @@
+export * from "./types.js";
+export * from "./schema.js";
+export * from "./audit.js";
+export * from "./firewall.js";
+export * from "./rate-limiter.js";
+export * from "./dns-service.js";
+export * from "./dns-handler.js";
+export * from "./http-proxy.js";
+export * from "./http-handler.js";
+export * from "./sni-proxy.js";

package/dist/rate-limiter.d.ts

@@ -0,0 +1,11 @@
+export interface RateLimiterOptions {
+    maxRequests: number;
+    windowMs: number;
+}
+export declare class RateLimiter {
+    private options;
+    private buckets;
+    constructor(options: RateLimiterOptions);
+    allow(ip: string): boolean;
+    getRequestCount(ip: string): number;
+}

package/dist/rate-limiter.js

@@ -0,0 +1,33 @@
+export class RateLimiter {
+    options;
+    buckets = new Map();
+    constructor(options) {
+        this.options = options;
+    }
+    allow(ip) {
+        const now = Date.now();
+        let bucket = this.buckets.get(ip);
+        if (!bucket || now - bucket.timestamps[0] > this.options.windowMs) {
+            bucket = { timestamps: [now] };
+            this.buckets.set(ip, bucket);
+            return true;
+        }
+        const windowStart = now - this.options.windowMs;
+        while (bucket.timestamps.length > 0 && bucket.timestamps[0] < windowStart) {
+            bucket.timestamps.shift();
+        }
+        if (bucket.timestamps.length >= this.options.maxRequests) {
+            return false;
+        }
+        bucket.timestamps.push(now);
+        return true;
+    }
+    getRequestCount(ip) {
+        const now = Date.now();
+        const windowStart = now - this.options.windowMs;
+        const bucket = this.buckets.get(ip);
+        if (!bucket)
+            return 0;
+        return bucket.timestamps.filter((t) => t >= windowStart).length;
+    }
+}

package/dist/rate-limiter.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/rate-limiter.test.js

@@ -0,0 +1,149 @@
+import { describe, it } from "node:test";
+import assert from "assert";
+import * as net from "net";
+let PORT_BASE = 65000;
+function nextPort() { return PORT_BASE++; }
+describe("TCP Rate Limiting", () => {
+    function buildTcpDnsQuery(name) {
+        const encoder = new (class {
+            buf = Buffer.alloc(256);
+            offset = 0;
+            writeUint16(v) { this.buf.writeUInt16BE(v, this.offset); this.offset += 2; }
+            writeUint8(v) { this.buf.writeUInt8(v, this.offset); this.offset += 1; }
+            writeDomainName(nm) {
+                for (const label of nm.split(".")) {
+                    if (!label.length)
+                        continue;
+                    this.writeUint8(label.length);
+                    Buffer.from(label).copy(this.buf, this.offset);
+                    this.offset += label.length;
+                }
+                this.writeUint8(0);
+            }
+            finish() { return this.buf.subarray(0, this.offset); }
+        })();
+        encoder.writeUint16(0xDEAD);
+        encoder.writeUint16(0x0100);
+        encoder.writeUint16(1);
+        encoder.writeUint16(0);
+        encoder.writeUint16(0);
+        encoder.writeUint16(0);
+        encoder.writeDomainName(name);
+        encoder.writeUint16(1);
+        encoder.writeUint16(1);
+        const query = encoder.finish();
+        const prefixed = Buffer.alloc(2 + query.length);
+        prefixed.writeUInt16BE(query.length, 0);
+        query.copy(prefixed, 2);
+        return prefixed;
+    }
+    it("TCP queries are rate limited when configured", async () => {
+        const port = nextPort();
+        const { DnsHandler } = await import("./dns-handler.js");
+        const { DevDnsServer } = await import("./dns-service.js");
+        const config = { port, hosts: { "test.loop": { records: [{ type: "A", address: "5.6.7.8" }] } }, rateLimitMaxRequests: 3, rateLimitWindowMs: 1000 };
+        const dnsServer = new DevDnsServer(config);
+        const handler = new DnsHandler(dnsServer, config);
+        await handler.start();
+        try {
+            await new Promise((r) => setTimeout(r, 150));
+            const results = [];
+            for (let i = 0; i < 3; i++) {
+                let responses = 0;
+                await new Promise((resolve) => {
+                    const socket = net.createConnection(port, "127.0.0.1", () => {
+                        socket.write(buildTcpDnsQuery("test.loop"));
+                        socket.on("data", (data) => {
+                            let off = 0;
+                            while (off + 2 <= data.length) {
+                                const len = data.readUInt16BE(off);
+                                if (len === 0 || off + 2 + len > data.length)
+                                    break;
+                                responses++;
+                                off += 2 + len;
+                            }
+                        });
+                        setTimeout(() => { socket.destroy(); resolve(); }, 1000);
+                    });
+                });
+                results.push(responses);
+            }
+            assert.ok(results.every((r) => r > 0));
+        }
+        finally {
+            await handler.stop();
+        }
+    });
+    it("TCP connection is terminated when source IP exceeds rate limit", async () => {
+        const port = nextPort();
+        const { DnsHandler } = await import("./dns-handler.js");
+        const { DevDnsServer } = await import("./dns-service.js");
+        const config = { port, hosts: { "test.loop": { records: [{ type: "A", address: "9.8.7.6" }] } }, rateLimitMaxRequests: 1, rateLimitWindowMs: 5000 };
+        const dnsServer = new DevDnsServer(config);
+        const handler = new DnsHandler(dnsServer, config);
+        await handler.start();
+        try {
+            await new Promise((r) => setTimeout(r, 150));
+            let r1Responses = 0;
+            await new Promise((resolve) => {
+                const socket = net.createConnection(port, "127.0.0.1", () => {
+                    socket.write(buildTcpDnsQuery("test.loop"));
+                    socket.on("data", (data) => {
+                        let off = 0;
+                        while (off + 2 <= data.length) {
+                            const len = data.readUInt16BE(off);
+                            if (len === 0 || off + 2 + len > data.length)
+                                break;
+                            r1Responses++;
+                            off += 2 + len;
+                        }
+                    });
+                    setTimeout(() => { socket.destroy(); resolve(); }, 1000);
+                });
+            });
+            assert.ok(r1Responses > 0);
+            let r2Destroyed = false;
+            await new Promise((resolve) => {
+                const socket = net.createConnection(port, "127.0.0.1", () => {
+                    setTimeout(() => { socket.destroy(); resolve(); }, 1500);
+                });
+                socket.on("error", () => { r2Destroyed = true; });
+                socket.on("close", () => { if (!r2Destroyed)
+                    r2Destroyed = true; });
+            });
+            assert.strictEqual(r2Destroyed, true);
+        }
+        finally {
+            await handler.stop();
+        }
+    });
+    it("TCP queries work when rate limiting is disabled", async () => {
+        const port = nextPort();
+        const { DnsHandler } = await import("./dns-handler.js");
+        const { DevDnsServer } = await import("./dns-service.js");
+        const config = { port, hosts: { "test.loop": { records: [{ type: "A", address: "1.2.3.4" }] } }, rateLimitMaxRequests: 0 };
+        const dnsServer = new DevDnsServer(config);
+        const handler = new DnsHandler(dnsServer, config);
+        await handler.start();
+        try {
+            await new Promise((r) => setTimeout(r, 150));
+            let successes = 0;
+            for (let i = 0; i < 5; i++) {
+                let gotResponse = false;
+                await new Promise((resolve) => {
+                    const socket = net.createConnection(port, "127.0.0.1", () => {
+                        socket.write(buildTcpDnsQuery("test.loop"));
+                        socket.on("data", () => { gotResponse = true; });
+                        setTimeout(() => { socket.destroy(); resolve(); }, 1000);
+                    });
+                });
+                if (gotResponse)
+                    successes++;
+            }
+            assert.strictEqual(successes, 5);
+        }
+        finally {
+            await handler.stop();
+        }
+    });
+});

package/dist/schema.d.ts

@@ -0,0 +1,12 @@
+import { HostConfig, DnsRecord, ServerConfig } from "./types.js";
+export declare function validateARecord(record: unknown): DnsRecord;
+export declare function validateAAAARecord(record: unknown): DnsRecord;
+export declare function validateCNAME(record: unknown): DnsRecord;
+export declare function validateTXT(record: unknown): DnsRecord;
+export declare function validateMX(record: unknown): DnsRecord;
+export declare function validateNS(record: unknown): DnsRecord;
+export declare function validateSRV(record: unknown): DnsRecord;
+export declare function validatePTR(record: unknown): DnsRecord;
+export declare function validateRecord(record: unknown): DnsRecord;
+export declare function validateHostConfig(config: unknown): HostConfig;
+export declare function validateServerConfig(config: unknown): ServerConfig;