zhu956645239 / node-rasp

This project forked from sap-archive/node-rasp


An extended Node.js runtime with additional security mechanisms built-in. Protects your Node.js applications from injection attacks such as SQL and NoSQL injection as well as path traversal attacks.

Home Page: https://nodejs.org

License: Other


node-rasp's Introduction

Important Notice

This public repository is read-only and no longer maintained.

Node RASP

A fork of the Node.js runtime with additional security mechanisms built-in. Protects your Node.js applications from injection attacks such as SQL and NoSQL injection as well as path traversal attacks.

Description

This is SAP's extended version of the Node.js runtime capable of real-time attack detection and mitigation. It represents a fully compatible and hardened alternative to using plain Node.js. The runtime employs taint-lexical analysis for precise mitigation of SQL and NoSQL injection as well as path traversal.

Basically, we are building Runtime Application Self-Protection (RASP) into Node.js.

Runtime application self-protection (RASP) is a security technology that is built or linked into an application or application runtime environment and is capable of controlling application execution and detecting and preventing real-time attacks. [GAR17]
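As an added illustration of the taint-lexical idea described above (this is example code, not node-rasp's own implementation): untrusted input is tracked per character through concatenation, and at the SQL sink the query is lexed so that tainted characters may only occur as data inside a literal, never as a keyword, operator, comment or quote. The `TaintedString` wrapper, the lexer and `buildQuery` are assumptions of this example; node-rasp itself tracks taint inside the runtime's string and buffer implementations rather than with a wrapper object.

```javascript
// Added example, not node-rasp code: toy taint-lexical injection detection.
// Untrusted input carries a per-character taint mask; at the sink the query is
// lexed and tainted characters outside literal contents mean a structure change.
class TaintedString {
  constructor(value, taint) { this.value = value; this.taint = taint; }
  static untrusted(s) { return new TaintedString(s, Array.from(s, () => true)); }
  static trusted(s) { return new TaintedString(s, Array.from(s, () => false)); }
  concat(o) { return new TaintedString(this.value + o.value, this.taint.concat(o.taint)); }
}

// Minimal SQL lexer: tokens with kind, [start, end) offsets and, for string
// literals, whether the closing quote was found.
function lexSql(sql) {
  const tokens = [];
  for (let i = 0; i < sql.length;) {
    const c = sql[i];
    if (/\s/.test(c)) { i++; continue; }
    let j = i, kind, closed = true;
    if (c === "'") {                                   // '' escapes a quote
      kind = 'string'; closed = false; j++;
      while (j < sql.length) {
        if (sql[j] !== "'") { j++; continue; }
        if (sql[j + 1] === "'") { j += 2; continue; }
        j++; closed = true; break;
      }
    } else if (/[0-9]/.test(c)) { kind = 'number'; while (/[0-9.]/.test(sql[j] || '')) j++; }
    else if (/[A-Za-z_]/.test(c)) { kind = 'word'; while (/\w/.test(sql[j] || '')) j++; }
    else if (sql.startsWith('--', i)) { kind = 'comment'; while (j < sql.length && sql[j] !== '\n') j++; }
    else { kind = 'punct'; j++; }
    tokens.push({ kind, start: i, end: j, closed, text: sql.slice(i, j) });
    i = j;
  }
  return tokens;
}

// Sink check: tokens whose structure (keyword, operator, comment, literal quotes) is tainted.
function findInjectedTokens(ts) {
  const tainted = (a, b) => ts.taint.slice(a, b).some(Boolean);
  return lexSql(ts.value).filter(t => {
    if (t.kind === 'number') return false;             // digits are data only
    if (t.kind === 'string') return !t.closed || tainted(t.start, t.start + 1) || tainted(t.end - 1, t.end);
    return tainted(t.start, t.end);
  });
}

// Constructed sample: a request parameter concatenated into a query string.
function buildQuery(username) {
  return TaintedString.trusted("SELECT * FROM users WHERE name = '")
    .concat(TaintedString.untrusted(username)).concat(TaintedString.trusted("'"));
}
```

A properly escaped value such as `O''Brien` stays inside the literal and produces no findings, while input that closes the quote is reported token by token.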

Requirements

Requirements for building are defined in BUILDING.md and provided by the official Node.js project.

Download and Installation

Currently, we cannot provide compiled binaries for download. Please follow the build instructions below to get this engine up and running.

Building

Clone our repository, check out the branch you want to build and configure the project.

./configure

Build the binary by running make (adapt the number of parallel jobs depending on your build system).

make -j4

Test the resulting binary with the following two make goals.

make test test-taint

Run the freshly built Node RASP engine.

./node

See BUILDING.md for detailed instructions on how to build Node.js from source. The document also contains a list of officially supported platforms.

Limitations

The taint-lexical analysis that mitigates attacks against your Node.js application currently supports only the following modules:

SQL Injection - PostgreSQL (pg)

NoSQL Injection - MongoDB (mongo-core, mongodb, mongoose)

Path Traversal - Internal fs module protected

Known Issues

The following issues of the node-rasp project are known and not solved in the current implementation:

  • False-positive, as well as false-negative attack detections, can occur when strings from the string table are referenced multiple times. A correct evaluation through the underlying dynamic code analysis isn't guaranteed in these situations.
  • Certain string and buffer functions documented by the make test-taint-failing goal are not yet supported by the dynamic code analysis implementation.

Support

Please create a new issue if you find any problems. For questions feel free to get in touch with us.

Upstream

We currently support Node.js LTS 10 and integrate upstream changes as soon as possible. We do not support Node.js 11 and the respective upstream changes yet.

Security

Please reach out to us directly if you find a security issue caused by our changes. Please reach out to the upstream Node.js project if you find any security-related issue in the official Node.js code.

Contributing

We welcome external contributions including code and documentation. Everyone should feel encouraged to discuss issues and features with us in the issues section as well as to provide feedback directly to us.

For contributing directly to the Node.js project, please consider their repository and contributing guidelines.

Upcoming changes

Taint Persistence The reference from strings and buffers to taint information will in the future be implemented through a map-like structure. This will eliminate memory layout changes for strings and buffers.

Taint Propagation For the propagation of taint information on strings and buffers, the relevant functions will be simply wrapped. This will reduce code changes in the central string and buffer implementations.

Get in touch

Development by SAP Cloud Platform Security.

Contributors
Patrick Spiegel
Jonas Zengerle
Marc Rahn
Tobias Simolik
Hannah Keller
Nils Neumann

Project Manager & Product Owner
Mathias Essenpreis
Heiko Ettelbrück

Credits

Innovation by SAP Security Research.
Credit to Prof. Dr. Martin Johns and team.

License

Copyright (c) 2018 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file.
