@opensecurity/zonzon-core 0.1.4 → 0.1.6

package/dist/sni-proxy.js

@@ -2,14 +2,17 @@ import * as net from "net";
 import * as dns from "dns/promises";
 import { firewallEngine } from "./firewall.js";
 import { audit } from "./audit.js";
+const MAX_CLIENT_HELLO_SIZE = 16384;
 export class SniProxyService {
     port;
     config;
     server = null;
     activeConnections = new Set();
+    idleTimeoutMs;
     constructor(config, port) {
         this.config = config;
         this.port = config.httpsPort ?? port ?? 443;
+        this.idleTimeoutMs = config.tcpIdleTimeoutMs ?? 30000;
     }
     extractSNI(data) {
         try {
@@ -23,13 +26,15 @@ export class SniProxyService {
             offset += 1 + sessionIdLength;
             if (offset >= data.length)
                 return null;
+            if (offset + 2 > data.length)
+                return null;
             const cipherSuitesLength = data.readUInt16BE(offset);
             offset += 2 + cipherSuitesLength;
             if (offset >= data.length)
                 return null;
             const compressionMethodsLength = data[offset];
             offset += 1 + compressionMethodsLength;
-            if (offset >= data.length)
+            if (offset + 2 > data.length)
                 return null;
             const extensionsLength = data.readUInt16BE(offset);
             offset += 2;
@@ -41,11 +46,17 @@ export class SniProxyService {
                 if (extType === 0x0000) {
                     let sniOffset = offset;
                     sniOffset += 2;
+                    if (sniOffset >= data.length)
+                        return null;
                     const nameType = data[sniOffset];
                     if (nameType === 0) {
                         sniOffset += 1;
+                        if (sniOffset + 2 > data.length)
+                            return null;
                         const nameLength = data.readUInt16BE(sniOffset);
                         sniOffset += 2;
+                        if (sniOffset + nameLength > data.length)
+                            return null;
                         return data.toString("utf8", sniOffset, sniOffset + nameLength);
                     }
                 }
@@ -61,9 +72,27 @@ export class SniProxyService {
         const clientIp = clientSocket.remoteAddress || "unknown";
         let buffer = Buffer.alloc(0);
         let isHandled = false;
+        let upstreamSocket = null;
+        clientSocket.setTimeout(this.idleTimeoutMs);
+        clientSocket.on("timeout", () => {
+            audit.error(`SNI Client tunnel idle timeout reached for ${clientIp}`);
+            clientSocket.destroy();
+        });
+        const absoluteHandshakeTimeout = setTimeout(() => {
+            if (!isHandled && !clientSocket.destroyed) {
+                audit.http(clientIp, "TLS", "UNKNOWN", `:${this.port}`, 408, "Dropped: ClientHello absolute timeout (Slowloris)");
+                clientSocket.destroy();
+            }
+        }, 5000);
         clientSocket.on("data", async (chunk) => {
             if (isHandled)
                 return;
+            if (buffer.length + chunk.length > MAX_CLIENT_HELLO_SIZE) {
+                audit.http(clientIp, "TLS", "UNKNOWN", `:${this.port}`, 413, "Dropped: ClientHello exceeded maximum permitted size");
+                clientSocket.destroy();
+                clearTimeout(absoluteHandshakeTimeout);
+                return;
+            }
             buffer = Buffer.concat([buffer, chunk]);
             if (buffer.length < 5)
                 return;
@@ -71,6 +100,7 @@ export class SniProxyService {
             if (buffer.length < 5 + recordLength)
                 return;
             isHandled = true;
+            clearTimeout(absoluteHandshakeTimeout);
             const sni = this.extractSNI(buffer);
             if (!sni) {
                 audit.http(clientIp, "TLS", "UNKNOWN", `:${this.port}`, 400, "Dropped: No SNI detected");
@@ -87,18 +117,28 @@ export class SniProxyService {
                     throw new Error("NXDOMAIN on upstream resolution");
                 }
                 const targetIp = targetIps[0];
+                if (firewallEngine.isRestrictedOutbound(targetIp)) {
+                    throw new Error(`Target IP ${targetIp} blocked by Strict SSRF proxy policy`);
+                }
                 if (firewallEngine.evaluateIp(targetIp, this.config.firewall) === "DENY") {
                     throw new Error(`Target IP ${targetIp} blocked by Firewall policy`);
                 }
                 audit.http(clientIp, "TLS-SNI", sni, `:${this.port}`, 200, `Tunneled to ${targetIp}`);
-                const srvSocket = net.connect(443, targetIp, () => {
-                    srvSocket.write(buffer);
-                    clientSocket.pipe(srvSocket);
-                    srvSocket.pipe(clientSocket);
+                upstreamSocket = net.connect(443, targetIp, () => {
+                    upstreamSocket.write(buffer);
+                    clientSocket.pipe(upstreamSocket);
+                    upstreamSocket.pipe(clientSocket);
+                });
+                upstreamSocket.setTimeout(this.idleTimeoutMs);
+                upstreamSocket.on("timeout", () => {
+                    audit.error(`SNI Upstream tunnel idle timeout reached for ${sni}:${targetIp}`);
+                    upstreamSocket.destroy();
                 });
-                this.activeConnections.add(srvSocket);
-                srvSocket.on("close", () => this.activeConnections.delete(srvSocket));
-                srvSocket.on("error", (err) => {
+                this.activeConnections.add(upstreamSocket);
+                upstreamSocket.on("close", () => {
+                    this.activeConnections.delete(upstreamSocket);
+                });
+                upstreamSocket.on("error", (err) => {
                     audit.error(`Upstream tunnel fault on ${sni}:443 - ${err.message}`);
                     if (!clientSocket.destroyed)
                         clientSocket.destroy();
@@ -111,6 +151,16 @@ export class SniProxyService {
         });
         clientSocket.on("error", (err) => {
             audit.error(`Client tunnel fault from ${clientIp} - ${err.message}`);
+            if (upstreamSocket && !upstreamSocket.destroyed) {
+                upstreamSocket.destroy();
+            }
+            clearTimeout(absoluteHandshakeTimeout);
+        });
+        clientSocket.on("close", () => {
+            if (upstreamSocket && !upstreamSocket.destroyed) {
+                upstreamSocket.destroy();
+            }
+            clearTimeout(absoluteHandshakeTimeout);
         });
     }
     start() {
@@ -128,13 +178,13 @@ export class SniProxyService {
     }
     async stop() {
         if (this.server) {
-            for (const socket of this.activeConnections) {
-                socket.destroy();
+            if ('closeIdleConnections' in this.server) {
+                this.server.closeIdleConnections();
             }
-            this.activeConnections.clear();
             await new Promise((resolve) => {
                 this.server.close(() => resolve());
             });
+            this.activeConnections.clear();
             this.server = null;
         }
     }

package/dist/sni-proxy.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/sni-proxy.test.js

@@ -0,0 +1,69 @@
+import { describe, it } from "node:test";
+import assert from "node:assert";
+import { SniProxyService } from "./sni-proxy.js";
+function buildClientHello(sni) {
+    const sniBuffer = Buffer.from(sni, "utf8");
+    const extLength = sniBuffer.length + 9;
+    const buf = Buffer.alloc(100 + extLength);
+    buf[0] = 0x16;
+    buf[5] = 0x01;
+    buf[43] = 0x00;
+    buf.writeUInt16BE(0x0002, 44);
+    buf[46] = 0x00;
+    buf[47] = 0x00;
+    buf[48] = 0x01;
+    buf[49] = 0x00;
+    buf.writeUInt16BE(extLength, 50);
+    buf.writeUInt16BE(0x0000, 52);
+    buf.writeUInt16BE(sniBuffer.length + 5, 54);
+    buf.writeUInt16BE(sniBuffer.length + 3, 56);
+    buf[58] = 0x00;
+    buf.writeUInt16BE(sniBuffer.length, 59);
+    sniBuffer.copy(buf, 61);
+    return buf;
+}
+describe("SniProxyService - Protocol Extraction", () => {
+    const dummyConfig = {
+        port: 53,
+        hosts: {}
+    };
+    it("extracts SNI from valid TLS ClientHello structure", () => {
+        const service = new SniProxyService(dummyConfig);
+        const packet = buildClientHello("secure.internal.loop");
+        const extracted = service.extractSNI(packet);
+        assert.strictEqual(extracted, "secure.internal.loop");
+    });
+    it("returns null for non-TLS packets", () => {
+        const service = new SniProxyService(dummyConfig);
+        const packet = Buffer.from("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n");
+        const extracted = service.extractSNI(packet);
+        assert.strictEqual(extracted, null);
+    });
+    it("returns null for TLS packets without ServerName extension", () => {
+        const service = new SniProxyService(dummyConfig);
+        const buf = Buffer.alloc(100);
+        buf[0] = 0x16;
+        buf[5] = 0x01;
+        buf[43] = 0x00;
+        buf.writeUInt16BE(0x0002, 44);
+        buf[48] = 0x01;
+        buf.writeUInt16BE(0x0004, 50);
+        buf.writeUInt16BE(0x000A, 52);
+        buf.writeUInt16BE(0x0000, 54);
+        const extracted = service.extractSNI(buf);
+        assert.strictEqual(extracted, null);
+    });
+    it("gracefully handles truncated packets without throwing", () => {
+        const service = new SniProxyService(dummyConfig);
+        const packet = buildClientHello("secure.internal.loop").subarray(0, 50);
+        const extracted = service.extractSNI(packet);
+        assert.strictEqual(extracted, null);
+    });
+    it("gracefully handles corrupt length markers without throwing", () => {
+        const service = new SniProxyService(dummyConfig);
+        const packet = buildClientHello("secure.internal.loop");
+        packet.writeUInt16BE(0xFFFF, 44);
+        const extracted = service.extractSNI(packet);
+        assert.strictEqual(extracted, null);
+    });
+});

package/dist/srv-record.test.js

@@ -1,5 +1,5 @@
 import { describe, it } from "node:test";
-import assert from "assert";
+import assert from "node:assert";
 import { DevDnsServer } from "./dns-service.js";
 import { DNS_TYPES, DNS_RCODE } from "./types.js";
 function buildQuery(name, type) {

package/dist/tcp-connection-limit.test.js

@@ -1,6 +1,6 @@
 import { describe, it } from "node:test";
-import assert from "assert";
-import * as net from "net";
+import assert from "node:assert";
+import * as net from "node:net";
 let PORT_BASE = 61500;
 function nextPort() {
     return PORT_BASE++;

package/dist/types.d.ts

@@ -64,12 +64,20 @@ export interface FirewallConfig {
 export interface ControlPlaneConfig {
     enabled?: boolean;
     port?: number;
+    socketPath?: string;
     apiKey?: string;
 }
+export interface TlsConfig {
+    cert: string;
+    key: string;
+}
 export interface ServerConfig {
     port: number;
     httpPort?: number;
     httpsPort?: number;
+    tls?: TlsConfig;
+    dotPort?: number;
+    dohPort?: number;
     fallbackDns?: string;
     firewall?: FirewallConfig;
     controlPlane?: ControlPlaneConfig;

package/dist/wildcard-matching.test.js

@@ -1,5 +1,5 @@
 import { describe, it } from "node:test";
-import assert from "assert";
+import assert from "node:assert";
 import { DevDnsServer } from "./dns-service.js";
 import { DNS_TYPES } from "./types.js";
 function buildQuery(name, type) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opensecurity/zonzon-core",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "core routing, dns, and firewall engine",
   "type": "module",
   "author": "Lucian BLETAN <neuraluc@gmail.com>",
@@ -37,4 +37,4 @@
   "dependencies": {
     "zod": "^3.24.2"
   }
-}
+}