honeyweb-core 2.0.3 → 2.0.4

package/detection/bot-detector.js

@@ -1,31 +1,17 @@
-// honeyweb-core/detection/bot-detector.js
-// Bot fingerprinting - detect automated tools and headless browsers
-
 class BotDetector {
     constructor(config = {}) {
         this.enabled = config.enabled !== false;
     }
 
-    /**
-     * Detect if request is from a bot
-     * @param {Object} req - Express request object
-     * @returns {Object} - { isBot: boolean, confidence: number, indicators: string[] }
-     */
     detect(req) {
-        if (!this.enabled) {
-            return { isBot: false, confidence: 0, indicators: [] };
-        }
+        if (!this.enabled) return { isBot: false, confidence: 0, indicators: [] };
 
         const indicators = [];
         let confidence = 0;
-
         const userAgent = req.headers['user-agent'] || '';
         const headers = req.headers;
 
-        // 1. USER-AGENT ANALYSIS
-
-        // Known bot patterns
-        const knownBotPatterns = [
+        const knownBots = [
             { pattern: /curl/i, name: 'curl', confidence: 90 },
             { pattern: /wget/i, name: 'wget', confidence: 90 },
             { pattern: /python-requests/i, name: 'Python Requests', confidence: 85 },
@@ -42,99 +28,62 @@ class BotDetector {
             { pattern: /okhttp/i, name: 'OkHttp', confidence: 75 }
         ];
 
-        for (const { pattern, name, confidence: conf } of knownBotPatterns) {
+        for (const { pattern, name, confidence: conf } of knownBots) {
             if (pattern.test(userAgent)) {
                 indicators.push(`Known bot User-Agent: ${name}`);
                 confidence = Math.max(confidence, conf);
             }
         }
 
-        // Empty or missing User-Agent
         if (!userAgent || userAgent.trim() === '') {
             indicators.push('Missing User-Agent header');
             confidence = Math.max(confidence, 70);
         }
 
-        // 2. HEADER ANALYSIS
-
-        // Missing common browser headers
-        const commonHeaders = ['accept', 'accept-language', 'accept-encoding'];
-        const missingHeaders = commonHeaders.filter(h => !headers[h]);
-
+        const missingHeaders = ['accept', 'accept-language', 'accept-encoding'].filter(h => !headers[h]);
         if (missingHeaders.length > 0) {
             indicators.push(`Missing headers: ${missingHeaders.join(', ')}`);
             confidence = Math.max(confidence, 40 + (missingHeaders.length * 10));
         }
 
-        // Suspicious header combinations
-        if (headers['accept'] && headers['accept'] === '*/*') {
-            indicators.push('Generic Accept header (*/*)')
+        if (headers['accept'] === '*/*') {
+            indicators.push('Generic Accept header (*/*)');
             confidence = Math.max(confidence, 30);
         }
 
-        // No Accept-Language (browsers always send this)
         if (!headers['accept-language']) {
             indicators.push('Missing Accept-Language header');
             confidence = Math.max(confidence, 40);
         }
 
-        // Connection: close (common in automated tools)
         if (headers['connection'] === 'close') {
             indicators.push('Connection: close (bot pattern)');
             confidence = Math.max(confidence, 20);
         }
 
-        // 3. BROWSER VERSION ANALYSIS
-
-        // Detect outdated browser versions (bots often use old UA strings)
         const chromeMatch = userAgent.match(/Chrome\/(\d+)/);
-        if (chromeMatch) {
-            const version = parseInt(chromeMatch[1]);
-            if (version < 90) {
-                indicators.push(`Outdated Chrome version: ${version}`);
-                confidence = Math.max(confidence, 30);
-            }
+        if (chromeMatch && parseInt(chromeMatch[1]) < 90) {
+            indicators.push(`Outdated Chrome version: ${chromeMatch[1]}`);
+            confidence = Math.max(confidence, 30);
         }
 
-        // 4. SUSPICIOUS PATTERNS
-
-        // User-Agent too short (< 20 chars)
         if (userAgent.length > 0 && userAgent.length < 20) {
             indicators.push('Suspiciously short User-Agent');
             confidence = Math.max(confidence, 50);
         }
-
-        // User-Agent too long (> 500 chars) - sometimes bots add extra info
         if (userAgent.length > 500) {
             indicators.push('Suspiciously long User-Agent');
             confidence = Math.max(confidence, 30);
         }
-
-        // Multiple spaces in User-Agent (malformed)
         if (/\s{2,}/.test(userAgent)) {
             indicators.push('Malformed User-Agent (multiple spaces)');
             confidence = Math.max(confidence, 40);
         }
 
-        // Cap confidence at 100
-        confidence = Math.min(100, confidence);
-
-        return {
-            isBot: confidence >= 60,
-            confidence,
-            indicators
-        };
+        return { isBot: Math.min(100, confidence) >= 60, confidence: Math.min(100, confidence), indicators };
     }
 
-    /**
-     * Get statistics
-     * @returns {Object}
-     */
-    getStats() {
-        return {
-            enabled: this.enabled
-        };
-    }
+    getStats() { return { enabled: this.enabled }; }
 }
 
 module.exports = BotDetector;

package/detection/index.js

@@ -1,7 +1,5 @@
-// honeyweb-core/detection/index.js
-// Detection orchestrator - combines all detection modules
-
 const { detectMaliciousPatterns } = require('./patterns');
+const { detectTraversal } = require('./traversal');
 const RateLimiter = require('./rate-limiter');
 const BotWhitelist = require('./whitelist');
 const BehavioralAnalyzer = require('./behavioral');
@@ -11,12 +9,10 @@ class DetectionEngine {
     constructor(config) {
         this.config = config;
 
-        // Initialize rate limiter
         this.rateLimiter = config.rateLimit.enabled
             ? new RateLimiter(config.rateLimit)
             : null;
 
-        // Initialize Phase 2 detection modules
         this.whitelist = config.detection.whitelist.enabled
             ? new BotWhitelist(config.detection.whitelist)
             : null;
@@ -28,22 +24,15 @@ class DetectionEngine {
         this.botDetector = new BotDetector({ enabled: true });
     }
 
-    /**
-     * Analyze request for threats
-     * @param {Object} req - Express request object
-     * @param {string} ip - Client IP address
-     * @returns {Promise<Object>} - { detected: boolean, threats: string[], threatLevel: number, whitelist: Object, behavioral: Object, botDetection: Object }
-     */
     async analyze(req, ip) {
         const threats = [];
         let threatLevel = 0;
 
-        // 0. Check whitelist first (legitimate bots should skip other checks)
+        // Whitelist check first — legitimate bots skip all checks
         let whitelistResult = null;
         if (this.whitelist) {
             whitelistResult = await this.whitelist.check(req, ip);
             if (whitelistResult.isLegitimate) {
-                // Legitimate bot - skip all other checks
                 return {
                     detected: false,
                     threats: [],
@@ -54,46 +43,52 @@ class DetectionEngine {
             }
         }
 
-        // 1. Pattern detection (SQLi/XSS)
+        // Pattern detection (SQLi/XSS)
         if (this.config.detection.patterns.enabled) {
             const patternResult = detectMaliciousPatterns(req);
             if (patternResult.detected) {
                 threats.push(...patternResult.threats);
-                threatLevel += 50; // High threat
+                threatLevel += 50;
             }
         }
 
-        // 2. Rate limiting
+        // Path traversal detection
+        const traversalResult = detectTraversal(req);
+        if (traversalResult.detected) {
+            threats.push(...traversalResult.threats);
+            threatLevel += 50;
+        }
+
+        // Rate limiting
         let rateLimitResult = null;
         if (this.rateLimiter) {
             rateLimitResult = this.rateLimiter.check(ip);
             if (rateLimitResult.limited) {
                 threats.push(`Rate limit exceeded: ${rateLimitResult.count} requests in ${this.config.rateLimit.window}ms`);
-                threatLevel += 30; // Medium threat
+                threatLevel += 30;
             }
         }
 
-        // 3. Behavioral analysis (Phase 2)
+        // Behavioral analysis
         let behavioralResult = null;
         if (this.behavioral) {
             behavioralResult = this.behavioral.analyze(req, ip);
             if (behavioralResult.suspicious) {
                 threats.push(...behavioralResult.reasons);
-                threatLevel += behavioralResult.suspicionScore * 0.3; // Scale down behavioral score
+                threatLevel += behavioralResult.suspicionScore * 0.5;
             }
         }
 
-        // 4. Bot detection (Phase 2)
+        // Bot fingerprinting
         let botDetectionResult = null;
         if (this.botDetector) {
             botDetectionResult = this.botDetector.detect(req);
             if (botDetectionResult.isBot) {
                 threats.push(...botDetectionResult.indicators);
-                threatLevel += botDetectionResult.confidence * 0.2; // Scale down bot detection score
+                threatLevel += botDetectionResult.confidence * 0.4;
             }
         }
 
-        // Cap threat level at 100
         threatLevel = Math.min(100, threatLevel);
 
         return {
@@ -108,10 +103,6 @@ class DetectionEngine {
         };
     }
 
-    /**
-     * Get detection statistics
-     * @returns {Object}
-     */
     getStats() {
         return {
             rateLimiter: this.rateLimiter ? this.rateLimiter.getStats() : null,
@@ -120,16 +111,9 @@ class DetectionEngine {
         };
     }
 
-    /**
-     * Cleanup and stop timers
-     */
     destroy() {
-        if (this.rateLimiter) {
-            this.rateLimiter.destroy();
-        }
-        if (this.behavioral) {
-            this.behavioral.destroy();
-        }
+        if (this.rateLimiter) this.rateLimiter.destroy();
+        if (this.behavioral) this.behavioral.destroy();
     }
 }
 

package/detection/patterns.js

@@ -1,9 +1,5 @@
-// honeyweb-core/detection/patterns.js
-// SQLi and XSS pattern detection (extracted from main index.js)
-
-// Malicious patterns for SQLi and XSS detection
 const MALICIOUS_PATTERNS = [
-    // SQL Injection patterns
+    // SQL Injection
     /(\bUNION\b.*\bSELECT\b)/i,
     /(\bOR\b\s+\d+\s*=\s*\d+)/i,
     /(\bAND\b\s+\d+\s*=\s*\d+)/i,
@@ -14,7 +10,7 @@ const MALICIOUS_PATTERNS = [
     /(--\s*$)/,
     /(';\s*--)/,
 
-    // XSS patterns
+    // XSS
     /(<script[^>]*>.*?<\/script>)/i,
     /(<iframe[^>]*>)/i,
     /(<img[^>]*onerror\s*=)/i,
@@ -25,59 +21,26 @@ const MALICIOUS_PATTERNS = [
     /(<embed[^>]*>)/i
 ];
 
-/**
- * Check if request contains malicious patterns
- * @param {Object} req - Express request object
- * @returns {Object} - { detected: boolean, threats: string[] }
- */
 function detectMaliciousPatterns(req) {
     const threats = [];
+    const targets = [
+        { value: req.url || '', label: 'URL' },
+        { value: JSON.stringify(req.query || {}), label: 'query' },
+        { value: req.headers['user-agent'] || '', label: 'User-Agent' },
+        { value: req.headers['referer'] || '', label: 'Referer' },
+    ];
 
-    // Check URL
-    const url = req.url || '';
-    for (const pattern of MALICIOUS_PATTERNS) {
-        if (pattern.test(url)) {
-            threats.push(`Malicious pattern in URL: ${pattern.source.substring(0, 50)}`);
-        }
-    }
-
-    // Check query parameters
-    const query = JSON.stringify(req.query || {});
-    for (const pattern of MALICIOUS_PATTERNS) {
-        if (pattern.test(query)) {
-            threats.push(`Malicious pattern in query: ${pattern.source.substring(0, 50)}`);
-        }
-    }
+    if (req.body) targets.push({ value: JSON.stringify(req.body), label: 'body' });
 
-    // Check body (if exists)
-    if (req.body) {
-        const body = JSON.stringify(req.body);
+    for (const { value, label } of targets) {
         for (const pattern of MALICIOUS_PATTERNS) {
-            if (pattern.test(body)) {
-                threats.push(`Malicious pattern in body: ${pattern.source.substring(0, 50)}`);
+            if (pattern.test(value)) {
+                threats.push(`Malicious pattern in ${label}: ${pattern.source.substring(0, 50)}`);
             }
         }
     }
 
-    // Check headers (User-Agent, Referer, etc.)
-    const userAgent = req.headers['user-agent'] || '';
-    const referer = req.headers['referer'] || '';
-    for (const pattern of MALICIOUS_PATTERNS) {
-        if (pattern.test(userAgent)) {
-            threats.push(`Malicious pattern in User-Agent`);
-        }
-        if (pattern.test(referer)) {
-            threats.push(`Malicious pattern in Referer`);
-        }
-    }
-
-    return {
-        detected: threats.length > 0,
-        threats
-    };
+    return { detected: threats.length > 0, threats };
 }
 
-module.exports = {
-    MALICIOUS_PATTERNS,
-    detectMaliciousPatterns
-};
+module.exports = { MALICIOUS_PATTERNS, detectMaliciousPatterns };

package/detection/rate-limiter.js

@@ -1,109 +1,38 @@
-// honeyweb-core/detection/rate-limiter.js
-// Rate limiting with auto-cleanup (fixes memory leak)
-
 class RateLimiter {
     constructor(config) {
-        this.window = config.window || 10000; // 10 seconds
+        this.window = config.window || 10000;
         this.maxRequests = config.maxRequests || 50;
-        this.requests = new Map(); // ip -> [timestamps]
-
-        // Auto-cleanup to prevent memory leak
-        const cleanupInterval = config.cleanupInterval || 60000; // 60 seconds
-        this.cleanupTimer = setInterval(() => {
-            this._cleanup();
-        }, cleanupInterval);
+        this.requests = new Map();
+        this.cleanupTimer = setInterval(() => this._cleanup(), config.cleanupInterval || 60000);
     }
 
-    /**
-     * Check if IP has exceeded rate limit
-     * @param {string} ip
-     * @returns {Object} - { limited: boolean, count: number, remaining: number }
-     */
     check(ip) {
         const now = Date.now();
-        const windowStart = now - this.window;
-
-        // Get existing requests for this IP
-        let timestamps = this.requests.get(ip) || [];
-
-        // Filter out old requests outside the window
-        timestamps = timestamps.filter(ts => ts > windowStart);
-
-        // Add current request
+        let timestamps = (this.requests.get(ip) || []).filter(ts => ts > now - this.window);
         timestamps.push(now);
-
-        // Update map
         this.requests.set(ip, timestamps);
 
-        const count = timestamps.length;
-        const remaining = Math.max(0, this.maxRequests - count);
-        const limited = count > this.maxRequests;
-
         return {
-            limited,
-            count,
-            remaining,
+            limited: timestamps.length > this.maxRequests,
+            count: timestamps.length,
+            remaining: Math.max(0, this.maxRequests - timestamps.length),
             resetAt: now + this.window
         };
     }
 
-    /**
-     * Clean up old entries to prevent memory leak
-     * @private
-     */
     _cleanup() {
-        const now = Date.now();
-        const windowStart = now - this.window;
-
+        const cutoff = Date.now() - this.window;
         for (const [ip, timestamps] of this.requests.entries()) {
-            // Filter out old timestamps
-            const active = timestamps.filter(ts => ts > windowStart);
-
-            if (active.length === 0) {
-                // No active requests, remove entry
-                this.requests.delete(ip);
-            } else {
-                // Update with filtered timestamps
-                this.requests.set(ip, active);
-            }
+            const active = timestamps.filter(ts => ts > cutoff);
+            if (active.length === 0) this.requests.delete(ip);
+            else this.requests.set(ip, active);
         }
     }
 
-    /**
-     * Get statistics
-     * @returns {Object}
-     */
-    getStats() {
-        return {
-            trackedIPs: this.requests.size,
-            window: this.window,
-            maxRequests: this.maxRequests
-        };
-    }
-
-    /**
-     * Reset rate limit for an IP
-     * @param {string} ip
-     */
-    reset(ip) {
-        this.requests.delete(ip);
-    }
-
-    /**
-     * Clear all rate limit data
-     */
-    clear() {
-        this.requests.clear();
-    }
-
-    /**
-     * Cleanup and stop timers
-     */
-    destroy() {
-        if (this.cleanupTimer) {
-            clearInterval(this.cleanupTimer);
-        }
-    }
+    getStats() { return { trackedIPs: this.requests.size, window: this.window, maxRequests: this.maxRequests }; }
+    reset(ip) { this.requests.delete(ip); }
+    clear() { this.requests.clear(); }
+    destroy() { if (this.cleanupTimer) clearInterval(this.cleanupTimer); }
 }
 
 module.exports = RateLimiter;

package/detection/traversal.js

@@ -0,0 +1,42 @@
+const TRAVERSAL_PATTERNS = [
+    /\.\.\//,
+    /\.\.\\/,
+    /%2e%2e[%2f%5c]/i,
+    /%252e%252e/i,
+    /\.\.%2f/i,
+    /\.\.%5c/i,
+    /\/etc\/passwd/i,
+    /\/etc\/shadow/i,
+    /\/etc\/hosts/i,
+    /\/proc\/self/i,
+    /win\.ini/i,
+    /boot\.ini/i,
+    /system32/i,
+    /%00/,
+    /\0/,
+];
+
+function detectTraversal(req) {
+    const threats = [];
+    const targets = [
+        req.url || '',
+        JSON.stringify(req.query || {}),
+        req.headers['referer'] || '',
+    ];
+
+    if (req.body) targets.push(JSON.stringify(req.body));
+
+    for (const target of targets) {
+        for (const pattern of TRAVERSAL_PATTERNS) {
+            if (pattern.test(target)) {
+                threats.push(`Path traversal pattern: ${pattern.source.substring(0, 40)}`);
+            }
+        }
+    }
+
+    // Deduplicate
+    const unique = [...new Set(threats)];
+    return { detected: unique.length > 0, threats: unique };
+}
+
+module.exports = { TRAVERSAL_PATTERNS, detectTraversal };

package/index.js

@@ -1,6 +1,5 @@
 // honeyweb-core/index.js
 // HoneyWeb - Intelligent Honeypot Middleware
-// Main entry point - orchestrates all modules
 
 const { loadConfig } = require('./config');
 const { createStorage } = require('./storage');
@@ -11,27 +10,18 @@ const Logger = require('./utils/logger');
 const HoneyWebEvents = require('./utils/event-emitter');
 const createMiddleware = require('./middleware');
 
-/**
- * HoneyWeb Middleware Factory
- * @param {Object} userConfig - Optional configuration overrides
- * @returns {Function} - Express middleware function with event emitter
- */
 function honeyWeb(userConfig = {}) {
-    // 1. Load and merge configuration
     const config = loadConfig(userConfig);
 
-    // 2. Initialize core components
     const logger = new Logger(config.logging);
     const events = new HoneyWebEvents();
     const storage = createStorage(config.storage);
-    const botTracker = new BotTracker(); // Track legitimate bot visits
+    const botTracker = new BotTracker();
     const detector = new DetectionEngine(config);
     const aiAnalyzer = new AIAnalyzer(config.ai);
 
-    // 3. Create middleware
     const middleware = createMiddleware(config, storage, botTracker, detector, aiAnalyzer, logger, events);
 
-    // 4. Attach event emitter and utilities to middleware function
     middleware.on = events.on.bind(events);
     middleware.once = events.once.bind(events);
     middleware.off = events.off.bind(events);
@@ -42,7 +32,6 @@ function honeyWeb(userConfig = {}) {
     middleware.logger = logger;
     middleware.config = config;
 
-    // 5. Cleanup on process exit
     const cleanup = () => {
         detector.destroy();
         storage.destroy();
@@ -60,5 +49,4 @@ function honeyWeb(userConfig = {}) {
     return middleware;
 }
 
-// Export for backward compatibility
 module.exports = honeyWeb;

package/middleware/blocklist-checker.js

@@ -1,27 +1,13 @@
-// honeyweb-core/middleware/blocklist-checker.js
-// Blocklist checking middleware
-
-/**
- * Create blocklist checker middleware
- * @param {Object} storage - Storage instance
- * @param {Object} logger - Logger instance
- * @param {Object} events - Event emitter
- * @returns {Function} - Middleware function
- */
 function createBlocklistChecker(storage, logger, events) {
     return async function checkBlocklist(req, res, next) {
         const clientIP = req.ip || req.connection.remoteAddress;
 
         try {
             const isBanned = await storage.isBanned(clientIP);
-
             if (isBanned) {
                 logger.blocked(clientIP, 'IP is banned');
                 events.emitRequestBlocked(clientIP, 'IP is banned');
-
-                return res.status(403).send(
-                    '<h1>403 Forbidden</h1><p>Your IP has been flagged for suspicious activity.</p>'
-                );
+                return res.status(403).send('<h1>403 Forbidden</h1><p>Your IP has been flagged for suspicious activity.</p>');
             }
         } catch (err) {
             logger.error('Error checking blocklist', { error: err.message });