Merge pull request #306 from AikidoSec/check-wrap-builtin

Check if built in module is available
AikidoSec · Jul 29, 2024 · 73333f4 · 73333f4
2 parents ce8f12b + 68399d9
commit 73333f4
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 5 deletions.
diff --git a/library/agent/applyHooks.ts b/library/agent/applyHooks.ts
@@ -20,6 +20,7 @@ import { Package } from "./hooks/Package";
 import { WrappableFile } from "./hooks/WrappableFile";
 import { WrappableSubject } from "./hooks/WrappableSubject";
 import { MethodResultInterceptor } from "./hooks/MethodResultInterceptor";
+import { isPackageInstalled } from "../helpers/isPackageInstalled";
 
 /**
  * Hooks allows you to register packages and then wrap specific methods on
@@ -125,6 +126,9 @@ function wrapBuiltInModule(
   subjects: WrappableSubject[],
   agent: Agent
 ) {
+  if (!isPackageInstalled(module.getName())) {
+    return;
+  }
   const exports = require(module.getName());
 
   subjects.forEach(

diff --git a/library/sinks/NodeSqlite.ts b/library/sinks/NodeSqlite.ts
@@ -2,7 +2,6 @@ import { getContext } from "../agent/Context";
 import { Hooks } from "../agent/hooks/Hooks";
 import { InterceptorResult } from "../agent/hooks/MethodInterceptor";
 import { Wrapper } from "../agent/Wrapper";
-import { isPackageInstalled } from "../helpers/isPackageInstalled";
 import { checkContextForSqlInjection } from "../vulnerabilities/sql-injection/checkContextForSqlInjection";
 import type { SQLDialect } from "../vulnerabilities/sql-injection/dialects/SQLDialect";
 import { SQLDialectSQLite } from "../vulnerabilities/sql-injection/dialects/SQLDialectSQLite";
@@ -11,10 +10,6 @@ export class NodeSQLite implements Wrapper {
   private readonly dialect: SQLDialect = new SQLDialectSQLite();
 
   wrap(hooks: Hooks) {
-    if (!isPackageInstalled("node:sqlite")) {
-      return;
-    }
-
     const database = hooks
       .addBuiltinModule("node:sqlite")
       .addSubject((exports) => {