Releases: timokoessler/easy-waf

v0.6.0 - XML Injection and Prototype Pollution

31 Mar 13:02
a01956c

Added

  • XML injection module to prevent very basic and common XML attacks
  • Added notice that this project is more of an educational tool than a professional security solution

Changed

  • Improve prototype pollution detection
  • Update dev dependencies fixing CVE-2024-29041

v0.5.2 - Fix CommonJS import

19 Jan 19:34
0f2cba3
Pre-release

Changed

  • Fix package.json - CommonJS import now works again
  • Update dependencies

Thanks @kelvinwop for reporting the bug.

v0.5.1 - Async Hooks, GitHub Actions and some improvements

07 Oct 15:25
c359785

Changed

  • Hooks can now be async functions
  • Minimal improvements to SQL injection detection
  • Prevent false positive XSS detection
  • Publish via GitHub Actions
  • Added prettier
  • Updated dependencies

v0.5.0 - TypeScript, ESM and Fake Crawlers

03 Jul 18:26
08c407a

⚠️ Breaking changes

  • Package is now published as an ECMAScript module (ESM) and a CommonJS module (CJS)
  • CommonJS require syntax has changed. You now have to use require('easy-waf').default; instead of require('easy-waf');
  • Renamed fakeSearchCrawlers module to fakeCrawlers

Added

  • Added Facebook, Twitter and Pinterest to fake crawlers detection

Changed

  • Code is now written in TypeScript instead of JavaScript
  • Package is now published as an ECMAScript module (ESM) and a CommonJS module (CJS)
  • The fake crawlers whitelist will now be downloaded from the repository easy-waf-data
  • The performance of IP lists has been significantly increased (netparser is used instead of cidr-matcher)
  • Node.js v20 is used in GitHub Actions
  • Updated dependencies

v0.4.0 - HTTP Parameter Pollution, bug fixes and more

23 Jan 19:00
8a4d8b3

Added

  • HTTP Parameter Pollution module - Replaces array parameters with their last value (req.query must be set by a web framework)
  • README.md with module descriptions to lib/modules
  • Issue templates and CONTRIBUTING.md

Changed

  • Fixed critical bug in "Block Tor Exit Nodes" module
  • Improved tests and updated examples
  • Code refactoring

v0.3.1 - Security Update

17 Dec 10:45
5a0a737
Pre-release

Changed

  • Update dependencies to fix CVE-2022-24999 (only devDependencies affected)
  • Improve prototype pollution detection

v0.3.0 - Hooks, improvements and bug fixes.

06 Nov 15:38
9a951cc

Added

  • Added Pre- and Post-Block-Hooks, which make it possible to have your own whitelist rules or notifications.
  • Log request method
  • Validate IP addresses in CIDR notation before adding to search crawler whitelist
  • Example of how to send notifications when a request is blocked
  • Bug fix: Remove Unicode character "Zero Width Space" (200B) in Bing IP addresses

Changed

  • Bug fix: replace quotation marks in logs (user agent and URL)
  • Remove googleusercontent.com from trusted URLs for fake search crawler detection
  • Remove Not and Petalbot from bad bot list

v0.2.0 - The second beta version

23 Oct 14:23
b50321b
Pre-release

Added

  • Fake search crawlers module: Blocks crawlers pretending to be a bot from major search engines or internet companies
  • Modules can now have a check method with callback
  • Added Security.md

Changed

  • UptimeRobot and archive.org are no longer blocked
  • Remove quotation marks in URL or user agent when logging
  • README.md updates

Full Changelog: v0.1.0...v0.2.0

v0.1.0 - The first beta version

03 Oct 09:25
2acc1ed
Pre-release

Hello world! This is the initial beta release.