aikido-zen 0.1.0-arm64-linux → 0.1.1-arm64-linux

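--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 7a05b927790518de64cf697fe043ec22ccbe1b759905c02e9c60591c4761d78b
-data.tar.gz: b185c54f7410fe10d296f3c5e76707e0cc9cc4884c41f06f6899f6b5ba53be43
+metadata.gz: 31bd721c8bf4bee4a140897184340b717fe53b7df7cd48cf7d31fb32ee8a5710
+data.tar.gz: cac854f8a57916caca2ed97c3090d552b5d6f812abd6cbd4f3f16354eccb8c2c
 SHA512:
-metadata.gz: 00ff11282a036d8ea41a0c4cf3ef96f8f7f440249d648fe68d21710f5f33dbbd04380625ede4a9c8bd622d24c5b90c9c1f6d76a9121e0181e58f10af078307b5
-data.tar.gz: bde69f052b425bac88e3efb6a932d68383bce5dc430b4606b3d05b442a7a00f1e4cc58330d4b8740784fa4410f55715d10b0f645db6851767f16a91e6e00a3d4
+metadata.gz: b8434d5cb98769ab4446b91d346448fdd92e08fedb5f722b099484a2a8a03dccb4a7c27ef1f8e84770e5374c5124081d30c08d59198947fe93bf73e2aad7a64e
+data.tar.gz: 5e67365f580302b3c98befe7bce01d72391ff363f6c5aa4ad2c5356bc9675f4308b87f70cf86e137a5aee6e914e258e76330902c0e207aac2329c2e081415622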
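--- /dev/null
+++ b/data/.simplecov
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# Due to dependency resolution, on Ruby 2.x we're stuck with a _very_ old
+# SimpleCov version, and it doesn't really give us any benefit to run coverage
+# in separate ruby versions since we don't branch on ruby version in the code.
+return if RUBY_VERSION < "3.0"
+
+SimpleCov.start do
+# Make sure SimpleCov waits until after the tests
+# are finished to generate the coverage reports.
+self.external_at_exit = true
+
+enable_coverage :branch
+minimum_coverage line: 95, branch: 85
+
+add_filter "/test/"
+end
+
+# vim: ft=ruby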
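Review bot: `return if RUBY_VERSION < "3.0"` compares version strings lexicographically, which happens to work for 2.x vs 3.x but is the wrong tool for a version gate (a hypothetical "10.0" sorts before "3.0"). Since this file already runs inside a RubyGems-loaded test process, `return if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.0")` expresses the intent without the string-ordering trap. The surrounding comment already explains why the gate exists, so no further documentation is needed.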
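--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,4 +2,20 @@
 
 ## [Unreleased]
 
+## 0.1.1
+
+### Fixed
+
+- Avoid an error when sending the initial heartbeat if the Aikido server hasn't
+received stats yet.
+- Fix the SSRF scanner to ensure the port in the user-supplied payload matches
+the port in the request.
+- Don't break the HTTP.rb sink when a Zen context isn't set.
+- Don't break the Typhoeus sink when a Zen context isn't set.
+- Don't break the PG sink outside of Rails.
+- Updated [libzen](https://github.com/AikidoSec/zen-internals) to v0.1.31 to
+prevent flagging false positives in SQL queries with comments.
+
+## 0.1.0
+
 - Initial version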
@@ -65,7 +65,9 @@ module Aikido::Zen
65
65
 
66
66
  poll_for_setting_updates
67
67
 
68
- @worker.delay(@config.initial_heartbeat_delay) { send_heartbeat if stats.any? }
68
+ @worker.delay(@config.initial_heartbeat_delay) do
69
+ send_heartbeat if @collector.stats.any?
70
+ end
69
71
  end
70
72
 
71
73
  # Clean up any ongoing threads, and reset the state. Called automatically
@@ -31,6 +31,8 @@ module Aikido::Zen
31
31
  attach_function :detect_sql_injection_native, :detect_sql_injection,
32
32
  [:string, :string, :int], :int
33
33
  rescue LoadError, FFI::NotFoundError => err
34
+ # :nocov:
35
+
34
36
  # Emit an $stderr warning at startup.
35
37
  warn "Zen could not load its binary extension #{libzen_name}: #{err}"
36
38
 
@@ -38,6 +40,8 @@ module Aikido::Zen
38
40
  attempt = format("%p for SQL injection", query)
39
41
  raise InternalsError.new(attempt, "loading", Internals.libzen_name)
40
42
  end
43
+
44
+ # :nocov:
41
45
  else
42
46
  # Analyzes the SQL query to detect if the provided user input is being
43
47
  # passed as-is without escaping.
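Review bot: The `# :nocov:` pair (opened in the previous hunk, `@@ -31,6 +31,8 @@`, closed here) exempts the whole `LoadError`/`FFI::NotFoundError` fallback from the 95%/85% coverage minimums, and that fallback is the definition that raises `InternalsError` instead of answering "no injection" when libzen cannot be loaded; a regression that made this path fail open would no longer move the coverage needle. A small test that stubs `attach_function` to raise `LoadError` and asserts `InternalsError` is raised would keep the fail-closed behaviour verified without the exclusion. If the exclusion stays, a one-line comment above the opening marker saying why this branch cannot be exercised in the normal suite would help the next reader. The enclosing `begin`/`rescue`/`else` starts before these hunks.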
@@ -112,7 +112,8 @@ module Aikido::Zen
112
112
  is_port_relevant = input_uri.port != input_uri.default_port
113
113
  return false if is_port_relevant && input_uri.port != conn_uri.port
114
114
 
115
- conn_uri.hostname == input_uri.hostname
115
+ conn_uri.hostname == input_uri.hostname &&
116
+ conn_uri.port == input_uri.port
116
117
  end
117
118
 
118
119
  def private_ip?(hostname)
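Review bot: With `conn_uri.port == input_uri.port` now required on the final line, the `is_port_relevant` early return two lines above is redundant — any port mismatch already makes the method return false — so lines 112–113 can be dropped and the body reduced to `conn_uri.hostname == input_uri.hostname && conn_uri.port == input_uri.port`. Separately, `URI#hostname` preserves case, so if the two URIs are built from different sources a mixed-case host in the payload would not match the request host; `conn_uri.hostname.casecmp?(input_uri.hostname)` would be the safer comparison — worth confirming whether hosts are normalised before reaching here. The enclosing method starts before this hunk.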
@@ -128,8 +129,11 @@ module Aikido::Zen
128
129
  # * The input itself, if it already looks like a URI.
129
130
  # * The input prefixed with http://
130
131
  # * The input prefixed with https://
132
+ # * The input prefixed with the scheme of the request's URI, to consider
133
+ # things like an FTP request (to "ftp://localhost") with a plain host
134
+ # as a user-input ("localhost").
131
135
  #
132
- # @return [Set<URI>]
136
+ # @return [Array<URI>] a list of unique URIs based on the above criteria.
133
137
  def uris_from_input
134
138
  input = @input.to_s
135
139
 
@@ -138,10 +142,12 @@ module Aikido::Zen
138
142
  # valid hostname. We should do the same for the input.
139
143
  input = format("[%s]", input) if unescaped_ipv6?(input)
140
144
 
141
- [input, "http://#{input}", "https://#{input}"]
142
- .map { |candidate| as_uri(candidate) }
143
- .compact
144
- .uniq
145
+ [
146
+ input,
147
+ "http://#{input}",
148
+ "https://#{input}",
149
+ "#{@request_uri.scheme}://#{input}"
150
+ ].map { |candidate| as_uri(candidate) }.compact.uniq
145
151
  end
146
152
 
147
153
  def as_uri(string)
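Review bot: `"#{@request_uri.scheme}://#{input}"` yields `"://host"` when the request URI has no scheme, and a duplicate of the http/https candidates otherwise (which `uniq` absorbs); presumably `as_uri` returns nil for the unparseable form so `compact` drops it, but building the candidate conditionally is clearer and does not rely on that: `candidates = [input, "http://#{input}", "https://#{input}"]` / `candidates << "#{@request_uri.scheme}://#{input}" if @request_uri&.scheme` / `candidates.map { |candidate| as_uri(candidate) }.compact.uniq`. The doc comment updated in the previous hunk (`@@ -128,8 +129,11 @@`) could then state that the scheme candidate is only added when the request URI carries a scheme. `uris_from_input` begins in the previous hunk.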
@@ -66,7 +66,7 @@ module Aikido::Zen
66
66
 
67
67
  response
68
68
  ensure
69
- context["ssrf.request"] = prev_request
69
+ context["ssrf.request"] = prev_request if context
70
70
  end
71
71
  end
72
72
  end
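Review bot: The `if context` guard is applied only in `ensure`; if `context` is a method call rather than a local captured before the body (the hunk does not show where it comes from), the object restored here can differ from the one the body wrote `"ssrf.request"` into, and a context that only becomes available between the body and `ensure` would receive `prev_request` it never held. Capturing it once, e.g. `ctx = context` before the `begin`, and using `ctx` for both the save and the restore keeps the pair symmetric. The same guard pattern appears in the Typhoeus hunk (`@@ -66,7 +66,7 @@` with `context["ssrf.request"] = nil if context`). The enclosing method starts before this hunk.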
@@ -7,6 +7,17 @@ module Aikido::Zen
7
7
  module PG
8
8
  SINK = Sinks.add("pg", scanners: [Scanners::SQLInjectionScanner])
9
9
 
10
+ # For some reason, the ActiveRecord pg adapter does not wrap exceptions in
11
+ # StatementInvalid, which leads to inconsistent handling. This guarantees
12
+ # that all Zen errors are wrapped in a StatementInvalid, so documentation
13
+ # can be consistent.
14
+ WRAP_EXCEPTIONS = if defined?(ActiveRecord::StatementInvalid)
15
+ <<~RUBY
16
+ rescue Aikido::Zen::SQLInjectionError
17
+ raise ActiveRecord::StatementInvalid
18
+ RUBY
19
+ end
20
+
10
21
  module Extensions
11
22
  %i[
12
23
  send_query exec sync_exec async_exec
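Review bot: `WRAP_EXCEPTIONS` is evaluated once, when this sink file is loaded, so `defined?(ActiveRecord::StatementInvalid)` reflects load order rather than whether ActiveRecord is in use: if the sink is required before `active_record` (the hunk does not show when it is loaded), the constant is nil, the `rescue` clause is silently omitted from the generated methods, and `SQLInjectionError` escapes unwrapped even under Rails. A comment making that assumption explicit, `# Evaluated at load time: ActiveRecord must already be loaded for the wrapping to apply.`, would at least surface the dependency; alternatively move the `defined?` check into the generated method so it is decided per call. The interpolation sites are in the next two hunks (`@@ -16,12 +27,7 @@` and `@@ -33,12 +39,7 @@`). `module PG` continues past the end of this hunk.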
@@ -16,12 +27,7 @@ module Aikido::Zen
16
27
  def #{method}(query, *)
17
28
  SINK.scan(query: query, dialect: :postgresql, operation: :#{method})
18
29
  super
19
- rescue Aikido::Zen::SQLInjectionError
20
- # The pg adapter does not wrap exceptions in StatementInvalid, which
21
- # leads to inconsistent handling. This guarantees that all Aikido
22
- # errors are wrapped in a StatementInvalid, so documentation can be
23
- # consistent.
24
- raise ActiveRecord::StatementInvalid
30
+ #{WRAP_EXCEPTIONS}
25
31
  end
26
32
  RUBY
27
33
  end
@@ -33,12 +39,7 @@ module Aikido::Zen
33
39
  def #{method}(_, query, *)
34
40
  SINK.scan(query: query, dialect: :postgresql, operation: :#{method})
35
41
  super
36
- rescue Aikido::Zen::SQLInjectionError
37
- # The pg adapter does not wrap exceptions in StatementInvalid, which
38
- # leads to inconsistent handling. This guarantees that all Aikido
39
- # errors are wrapped in a StatementInvalid, so documentation can be
40
- # consistent.
41
- raise ActiveRecord::StatementInvalid
42
+ #{WRAP_EXCEPTIONS}
42
43
  end
43
44
  RUBY
44
45
  end
@@ -66,7 +66,7 @@ module Aikido::Zen
66
66
  operation: "request"
67
67
  )
68
68
  ensure
69
- context["ssrf.request"] = nil
69
+ context["ssrf.request"] = nil if context
70
70
  end
71
71
 
72
72
  true
@@ -2,9 +2,9 @@
2
2
 
3
3
  module Aikido
4
4
  module Zen
5
- VERSION = "0.1.0"
5
+ VERSION = "0.1.1"
6
6
 
7
7
  # The version of libzen_internals that we build against.
8
- LIBZEN_VERSION = "0.1.30"
8
+ LIBZEN_VERSION = "0.1.31"
9
9
  end
10
10
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aikido-zen
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.1.1
5
5
  platform: arm64-linux
6
6
  authors:
7
7
  - Nicolas Sanguinetti
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2024-11-15 00:00:00.000000000 Z
11
+ date: 2024-11-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: concurrent-ruby
@@ -63,6 +63,7 @@ extensions: []
63
63
  extra_rdoc_files: []
64
64
  files:
65
65
  - ".ruby-version"
66
+ - ".simplecov"
66
67
  - ".standard.yml"
67
68
  - CHANGELOG.md
68
69
  - LICENSE
@@ -95,7 +96,7 @@ files:
95
96
  - lib/aikido/zen/errors.rb
96
97
  - lib/aikido/zen/event.rb
97
98
  - lib/aikido/zen/internals.rb
98
- - lib/aikido/zen/libzen-v0.1.30.aarch64.so
99
+ - lib/aikido/zen/libzen-v0.1.31.aarch64.so
99
100
  - lib/aikido/zen/middleware/check_allowed_addresses.rb
100
101
  - lib/aikido/zen/middleware/set_context.rb
101
102
  - lib/aikido/zen/middleware/throttler.rb