
Releases: SecuriLee/LibraryInTheMiddleJS

v1.0.2


@SecuriLee SecuriLee released this 12 Apr 09:57
e7eca22

🚀 v1.0.2 - Production Hardening & Performance Update

This release focuses on internal robustness, performance optimization for high-traffic environments, and expanded security traps to prevent library tampering.

🛠️ What’s New in v1.0.2?

⚡ O(1) Performance Optimization

The core policy engine has been rewritten to use Sets instead of Arrays.

  • The Benefit: Whether your allowlist contains 5 methods or 5,000, the lookup time is now constant ($O(1)$). This ensures LITM adds virtually zero latency to your legacy method calls.

🛡️ Expanded Proxy Traps (Advanced Hardening)

We have moved beyond intercepting only property reads (the get trap). LITM now guards the entire lifecycle of the library object:

  • SET Trap: Prevents "Prototype Pollution" or malicious overwriting of library methods at runtime.
  • HAS Trap: Intercepts checks made with the in operator (e.g., 'riskyMethod' in lib). In enforcement mode, blocked methods now appear non-existent to the calling code.
  • DELETE Trap: Blocks attempts to delete security-critical functions from the library.

🔗 Context-Aware Execution

Improved handling of the this context: wrapped methods are now invoked with .apply(obj, args) on the original library object. This ensures that legacy libraries relying on internal state or private variables continue to function as before even when wrapped.
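As an added illustration (not the project's litm.js), the following minimal wrapper shows how the Set-based allow/deny lookups, the get/set/has/delete traps, the apply-bound this and the blocked/executed/threw telemetry actions described above fit together; wrapLibrary, the sample legacy object and the event field names are assumptions.

```javascript
// Added illustration, not the project's litm.js: a minimal proxy showing the
// traps and telemetry actions described in the release notes. Names are hypothetical.
function wrapLibrary(lib, opts) {
  const allow = new Set(opts.allowlist || []);    // Set: O(1) membership checks
  const deny = new Set(opts.denylist || []);
  const enforce = opts.transparent === false;     // false = block, true = audit only
  const emit = (action, property, extra = {}) =>
    opts.onTelemetry && opts.onTelemetry({ name: opts.name, action, property, ...extra });
  // A method is blocked if explicitly denied, or absent from a non-empty allowlist
  const isBlocked = (t, p) => typeof p === 'string' && typeof t[p] === 'function' &&
    (deny.has(p) || (allow.size > 0 && !allow.has(p)));
  return new Proxy(lib, {
    get(target, prop) {
      const value = target[prop];
      if (typeof value !== 'function') return value;
      if (isBlocked(target, prop)) {
        emit('blocked', prop);
        if (enforce) return undefined;            // call site sees no such method
      }
      return function (...args) {                 // keep `this` bound to the real library
        try {
          const result = value.apply(target, args);
          emit('executed', prop, { argCount: args.length });
          return result;
        } catch (err) {
          emit('threw', prop, { error: err.message });
          throw err;
        }
      };
    },
    set(target, prop, value) {                    // SET trap: no runtime method overwrites
      if (enforce && typeof target[prop] === 'function') return false;
      target[prop] = value; return true;
    },
    has: (target, prop) => !(enforce && isBlocked(target, prop)) && prop in target, // HAS trap
    deleteProperty: (target, prop) =>             // DELETE trap: protect functions
      !(enforce && typeof target[prop] === 'function') && delete target[prop],
  });
}

// Constructed sample legacy library that keeps internal state through `this`
const legacy = { calls: 0, read(k) { this.calls++; return `value-of-${k}`; },
  adminCmd() { return 'root'; }, boom() { throw new Error('legacy failure'); } };
const events = [];                                // telemetry collected in memory
const secured = wrapLibrary(legacy, { name: 'Legacy-Vault', transparent: false,
  allowlist: ['read', 'boom'], denylist: ['adminCmd'], onTelemetry: (e) => events.push(e) });
```

After secured.read('k') the counter on the real legacy object is incremented, secured.adminCmd is undefined and 'adminCmd' in secured is false, while a throwing call still reaches the caller but leaves a threw event behind.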

📝 Developer Experience (IntelliSense)

Added full JSDoc Typedefs for all configuration options and callbacks. Developers using VS Code or other modern IDEs will now see full auto-completion and documentation for allowlist, denylist, and validate hooks.


📦 Updated Implementation Example

const LibraryInTheMiddle = require('./litm');
const legacyLib = require('vulnerable-package');

const secured = new LibraryInTheMiddle(legacyLib, {
    name: "Legacy-Vault",
    transparent: false, // Set to false for active blocking
    allowlist: ['read', 'write'],
    denylist: ['eval', 'adminCmd'],
    onTelemetry: (data) => {
        // New structured telemetry includes 'action' (blocked/executed/threw)
        sendToSIEM(data); // your own forwarder to Splunk, ELK, or a local log
    }
});

🛡️ Security Posture Reminder

  • Prevent: Use transparent: false to block unauthorized calls.
  • Detect: Use onTelemetry to watch for risky events as they are detected.
  • Correct: Audit the threw events to see whether the legacy library is failing under specific payloads.

Full Changelog: v1.0.1...v1.0.2

Functional updates


@SecuriLee SecuriLee released this 12 Apr 09:54
c4037be

v1.0.1 (Current)

  • Feature: Added "Prevent, Detect, Correct" documentation for legacy dependency management.
  • Logic Update: Refined Proxy traps in litm.js for better edge-case handling.
  • Documentation: Integrated Splunk HEC routing guide into core configuration.

Full Changelog: v1.0.0...v1.0.1

Initial release


@SecuriLee SecuriLee released this 12 Apr 09:40
b3a4e11

🚀 v1.0.0 - Initial Release: The Security "Safety Net"

LibraryInTheMiddleJS (LITM) is a lightweight security proxy designed to provide a posture of Prevent, Detect, and Correct for legacy library dependencies.

We’ve all been there: you’re stuck with a legacy package because upgrading to the latest version would break your entire stack. LITM.js allows you to wrap those vulnerable dependencies in a secure layer, giving you visibility and control without changing a single line of the original library's code.


✨ Key Features

  • 🛡️ Hardened Enforcement: Block calls to known-vulnerable methods (Blacklisting).
  • 🔍 Zero-Trust Whitelisting: Explicitly allow only the methods your application actually uses.
  • 📡 Transparent Telemetry: Stream execution data to Splunk, ELK, or local logs to verify that calls are non-damaging.
  • 🚦 Flexible Posture: Switch between Audit Mode (Detect) and Enforcement Mode (Block) with a single config flag.

📦 Installation & Quick Start

const LibraryInTheMiddle = require('./litm');
const legacyLib = require('vulnerable-legacy-package');

const secured = new LibraryInTheMiddle(legacyLib, {
    name: "Legacy-API-Proxy",
    transparent: false, // Set to true to just monitor
    whitelist: ['safeMethodA', 'safeMethodB'],
    onTelemetry: (data) => {
        // Route to your SIEM/Collector
        console.log(`[SECURITY EVENT]: ${data.action} on ${data.property}`);
    }
});

module.exports = secured;

🛡️ Posture Strategy

| Goal    | Mechanism |
|---------|-----------|
| Prevent | Use transparent: false and a strict whitelist to stop unauthorized execution at the source. |
| Detect  | Use the onTelemetry hook to monitor payload arguments, call frequency, and unexpected access patterns. |
| Correct | Use real-time logs to verify if a call was malicious and audit the impact immediately without downtime. |

🤝 Contributing

Found a bug or have a feature request? Open an issue on the GitHub Repository.