@aikidosec/guard v1.3.0

Aikido Guard for Node.js

Features

Protects your application against

• 🛡️ NoSQL injection attacks
• 🛡️ SQL injection attacks
• 🛡️ Prototype pollution
• 🔥 More to come (See roadmap below)

Roadmap

• Monitor outbound requests
• Protect against path traversal attacks
• Protect against SSRF attacks
• Protect against shell injection attacks

Supported libraries and frameworks

Aikido guard for Node.js is compatible with

• ✅ express 4.x
• ✅ mongodb 4.x, 5.x and 6.x (npm package versions, not MongoDB server versions)
• ✅ mongoose 8.x, 7.x and 6.x
• ✅ pg 8.x and 7.x
• ✅ mysql 2.x
• ✅ mysql2 3.x

Installation

# The --save-exact makes sure that you don't automatically install a newer version
$ npm install --save-exact @aikidosec/guard

# The --exact makes sure that you don't automatically install a newer version
$ yarn add --exact @aikidosec/guard

• For express based apps, follow the Express instructions
• For AWS Lambda, follow the AWS Lambda instructions

Reporting to Aikido

Aikido Security is a developer-first software security platform. We scan your source code & cloud to show you which vulnerabilities are actually important.

You can use some of this library's features without Aikido, but you will get the most value when using it with Aikido.

You will need an Aikido account and a token to report events to Aikido. If you don't have an account, you can sign up for free.

Here's how:

• Login to your Aikido account
• Go to Runtime protection
• Go to services
• Click on "Add service"
• Choose a name for your service
• Click on "Generate token"
• Copy the token
• Set the token as an environment variable:

AIKIDO_TOKEN=your-token node your-app.js

(Or use dotenv to load the token from an .env file)

Running in dry mode

If you want to test the guard without blocking any requests, you can set the AIKIDO_NO_BLOCKING environment variable to true:

AIKIDO_NO_BLOCKING=true node your-app.js

(Or use dotenv to load the token from an .env file)

See Reporting NoSQL injections to Aikido to learn how to send events to Aikido.

Performance

We run a benchmark on every commit to make sure that the guard has a minimal impact on your application's performance.

The bench runs a simple MongoDB query to measure the difference between two runs with and without the guard:

(Using Node.js 18.x and MongoDB 6.3.x, results will vary depending on your hardware)

See benchmarks for more information.

Development

• $ make install to install dependencies
• $ make build to build the library
• $ make watch to watch for changes and rebuild the library
• $ make test to run tests using tap
• $ make end2end to run end-to-end tests using tap
• $ make lint to run ESLint