securenow 7.7.8 → 7.7.9

package/firewall.js

@@ -17,7 +17,7 @@ let _initialized = false;
 let _consecutiveErrors = 0;
 let _layers = [];
 let _rawIps = [];
-let _stats = { syncs: 0, blocked: 0, allowed: 0, versionChecks: 0, errors: 0, suppressedDisabled: 0 };
+let _stats = { syncs: 0, blocked: 0, rateLimited: 0, allowed: 0, versionChecks: 0, errors: 0, suppressedDisabled: 0 };
 let _localhostFallbackTried = false;
 let _eventQueue = [];
 let _eventTimer = null;
@@ -40,6 +40,7 @@ let _lastAllowlistSyncEtag = null;
 // Enforcement is intentionally added in the next SDK phase.
 let _rateLimitRules = [];
 let _lastRateLimitVersion = null;
+let _rateLimitBuckets = new Map();
 
 // Circuit breaker
 const CIRCUIT_OPEN_THRESHOLD = 5;
@@ -385,6 +386,7 @@ function doUnifiedSync(callback) {
 
       if (Array.isArray(body.rateLimitRules)) {
         _rateLimitRules = body.rateLimitRules;
+        pruneRateLimitBuckets(_rateLimitRules);
       }
 
       callback(null, { blChanged, alChanged, rlChanged: Array.isArray(body.rateLimitRules) });
@@ -752,19 +754,125 @@ function wrapListener(originalListener) {
   };
 }
 
-function sendBlockResponse(req, res, ip) {
-  const code = (_options && _options.statusCode) || 403;
-  const accept = req.headers['accept'] || '';
-  if (accept.includes('text/html')) {
+function sendBlockResponse(req, res, ip) {
+  const code = (_options && _options.statusCode) || 403;
+  const accept = req.headers['accept'] || '';
+  if (accept.includes('text/html')) {
     res.writeHead(code, { 'Content-Type': 'text/html; charset=utf-8' });
     res.end(blockedHtml(ip));
   } else {
     res.writeHead(code, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ error: 'Forbidden', ip }));
-  }
-}
-
-function firewallRequestHandler(req, res) {
+    res.end(JSON.stringify({ error: 'Forbidden', ip }));
+  }
+}
+
+function sendRateLimitResponse(req, res, ip, decision) {
+  const retryAfter = Math.max(1, decision.retryAfter || 1);
+  const headers = {
+    'Retry-After': String(retryAfter),
+    'X-RateLimit-Limit': String(decision.limit || ''),
+    'X-RateLimit-Window': String(decision.windowSeconds || ''),
+    'X-SecureNow-Rate-Limit-Rule': decision.ruleId || '',
+  };
+  const accept = req.headers['accept'] || '';
+  if (accept.includes('text/html')) {
+    res.writeHead(429, { ...headers, 'Content-Type': 'text/html; charset=utf-8' });
+    res.end('<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Too Many Requests</title></head><body><h1>Too Many Requests</h1><p>Please retry later.</p></body></html>');
+  } else {
+    res.writeHead(429, { ...headers, 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({
+      error: 'Too Many Requests',
+      ip,
+      retryAfter,
+    }));
+  }
+}
+
+function requestPath(req) {
+  try {
+    return new URL(req.url || '/', 'http://localhost').pathname || '/';
+  } catch (_) {
+    return req.url || '/';
+  }
+}
+
+function ruleIpMatches(rule, ip) {
+  const target = String(rule.ip || '').trim();
+  if (!target) return true;
+  try {
+    return createMatcher([target]).isBlocked(ip);
+  } catch (_) {
+    return false;
+  }
+}
+
+function rulePathMatches(rule, path) {
+  const pattern = String(rule.pathPattern || '').trim();
+  if (!pattern) return true;
+  const mode = rule.pathMatchMode || 'prefix';
+  if (mode === 'exact') return path === pattern;
+  if (mode === 'regex') {
+    try { return new RegExp(pattern).test(path); } catch (_) { return false; }
+  }
+  return path.startsWith(pattern);
+}
+
+function rateLimitKey(rule, ip) {
+  const id = rule.id || rule._id || `${rule.ip || '*'}:${rule.method || 'ALL'}:${rule.pathPattern || '*'}`;
+  const subject = rule.keyBy === 'global' ? 'global' : ip;
+  return `${id}|${subject}`;
+}
+
+function checkRateLimitRules(req, ip) {
+  if (!_rateLimitRules || _rateLimitRules.length === 0) return null;
+  const method = String(req.method || 'GET').toUpperCase();
+  const path = requestPath(req);
+  const now = Date.now();
+
+  for (const rule of _rateLimitRules) {
+    if (!rule) continue;
+    const ruleMethod = String(rule.method || 'ALL').toUpperCase();
+    if (ruleMethod !== 'ALL' && ruleMethod !== method) continue;
+    if (!ruleIpMatches(rule, ip)) continue;
+    if (!rulePathMatches(rule, path)) continue;
+
+    const limit = Math.max(1, Number(rule.limit || 1) || 1);
+    const windowSeconds = Math.max(1, Number(rule.windowSeconds || 60) || 60);
+    const windowMs = windowSeconds * 1000;
+    const key = rateLimitKey(rule, ip);
+    let bucket = _rateLimitBuckets.get(key);
+    if (!bucket || now - bucket.windowStart >= windowMs) {
+      bucket = { windowStart: now, count: 0 };
+      _rateLimitBuckets.set(key, bucket);
+    }
+
+    if (bucket.count >= limit) {
+      const retryAfter = Math.ceil((bucket.windowStart + windowMs - now) / 1000);
+      return {
+        rule,
+        ruleId: rule.id || rule._id || '',
+        limit,
+        windowSeconds,
+        retryAfter,
+        path,
+      };
+    }
+    bucket.count++;
+  }
+
+  return null;
+}
+
+function pruneRateLimitBuckets(rules) {
+  const ids = new Set((rules || []).map((rule) => String(rule.id || rule._id || `${rule.ip || '*'}:${rule.method || 'ALL'}:${rule.pathPattern || '*'}`)));
+  for (const key of _rateLimitBuckets.keys()) {
+    const idx = key.indexOf('|');
+    const ruleKey = idx === -1 ? key : key.slice(0, idx);
+    if (!ids.has(ruleKey)) _rateLimitBuckets.delete(key);
+  }
+}
+
+function firewallRequestHandler(req, res) {
   // Remote disable wins over everything: when the dashboard / CLI flips the
   // toggle off, requests pass through the SDK as if the firewall weren't
   // installed. The poll loop keeps running so we re-enable within seconds.
@@ -809,9 +917,29 @@ function firewallRequestHandler(req, res) {
     sendBlockResponse(req, res, ip);
     return true;
   }
-
-  return false;
-}
+
+  const rateLimitDecision = checkRateLimitRules(req, ip);
+  if (rateLimitDecision) {
+    _stats.rateLimited++;
+    if (_options && _options.log) {
+      fwLog('[securenow] Firewall: rate-limited %s via HTTP (rule=%s)', ip, rateLimitDecision.ruleId || 'unknown');
+    }
+    reportFirewallEvent({
+      action: 'rate_limited',
+      source: 'rate_limit',
+      statusCode: 429,
+      ip,
+      matchedEntry: rateLimitDecision.ruleId || '',
+      method: req.method || '',
+      path: rateLimitDecision.path || req.url || '',
+      userAgent: req.headers['user-agent'] || '',
+    });
+    sendRateLimitResponse(req, res, ip, rateLimitDecision);
+    return true;
+  }
+
+  return false;
+}
 
 const _origEmit = http.Server.prototype.emit;
 let _emitPatched = false;
@@ -913,8 +1041,10 @@ function shutdown() {
   _circuitState = 'closed';
   _circuitOpenedAt = 0;
   _consecutiveErrors = 0;
-  _pollInflight = false;
-  _retryAfterUntil = 0;
+  _pollInflight = false;
+  _retryAfterUntil = 0;
+  _rateLimitRules = [];
+  _rateLimitBuckets = new Map();
 
   _httpAgent.destroy();
   _httpsAgent.destroy();
@@ -941,6 +1071,7 @@ function getStats() {
     matcher: _matcher ? _matcher.stats() : null,
     allowlistMatcher: _allowlistMatcher ? _allowlistMatcher.stats() : null,
     rateLimitRules: _rateLimitRules.length,
+    rateLimitBuckets: _rateLimitBuckets.size,
     initialized: _initialized,
     circuitState: _circuitState,
     consecutiveErrors: _consecutiveErrors,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.8",
+  "version": "7.7.9",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",