aikido-zen 0.1.0-x86_64-darwin → 0.1.1-x86_64-darwin

Sign up to get free protection for your applications and to get access to all the features.
Files changed (12) hide show
  1. checksums.yaml +4 -4
  2. data/.simplecov +19 -0
  3. data/CHANGELOG.md +16 -0
  4. data/lib/aikido/zen/agent.rb +3 -1
  5. data/lib/aikido/zen/internals.rb +4 -0
  6. data/lib/aikido/zen/{libzen-v0.1.30.x86_64.dylib → libzen-v0.1.31.x86_64.dylib} +0 -0
  7. data/lib/aikido/zen/scanners/ssrf_scanner.rb +12 -6
  8. data/lib/aikido/zen/sinks/http.rb +1 -1
  9. data/lib/aikido/zen/sinks/pg.rb +13 -12
  10. data/lib/aikido/zen/sinks/typhoeus.rb +1 -1
  11. data/lib/aikido/zen/version.rb +2 -2
  12. metadata +4 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 5950e63b5d2cf450319180656ba1d4fe98b84b728b1466cad829351bf4856b10
4
- data.tar.gz: d66d4d918d49e0fa7959aefff1b413e46503e310e73f60746eeea5bf1f1f9233
3
+ metadata.gz: 0aa289d304c5e3c07a2f797988ef4dd3365d0798635a33872d1a8208a0b2945d
4
+ data.tar.gz: efd5caa2aafc56a5355198cd4e43f226c1aa44178078a2e7f47ae46b66b8dc8f
5
5
  SHA512:
6
- metadata.gz: 8ada36e48931de8d30f980ec791a4488616220c53b1b2df8d4d09a763f725a1a9f21d5c918747a0500afc2d58a29aa4b14b486f06e5be2adaeeea7c25da1fe18
7
- data.tar.gz: dfc614d39850112351ccb81a060cea0d69109ab8174aa50405505ca6dad85a06ddd320383d006eaa4e6fca98898a4e81de9d83d64e6d1db0dec980bf4ca7f3e4
6
+ metadata.gz: 360bc33ac62e7973369b9b1e72beb628d4efd08c5ccc64464360923493dc71d3f5069c73dc7c5dd62d33c4de242ce11c28496e67a44dd3109ef1bcd1396e0135
7
+ data.tar.gz: 00ddf6f7584bd29a3f556de726ac701a86bde8b5135a94d155c9a57a7c7d811f1d664a3905d41d2ee1c096329817f822dc67d83e06562a0360e15ae7f3f5acea
data/.simplecov ADDED
@@ -0,0 +1,19 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Due to dependency resolution, on Ruby 2.x we're stuck with a _very_ old
4
+ # SimpleCov version, and it doesn't really give us any benefit to run coverage
5
+ # in separate ruby versions since we don't branch on ruby version in the code.
6
+ return if RUBY_VERSION < "3.0"
7
+
8
+ SimpleCov.start do
9
+ # Make sure SimpleCov waits until after the tests
10
+ # are finished to generate the coverage reports.
11
+ self.external_at_exit = true
12
+
13
+ enable_coverage :branch
14
+ minimum_coverage line: 95, branch: 85
15
+
16
+ add_filter "/test/"
17
+ end
18
+
19
+ # vim: ft=ruby
data/CHANGELOG.md CHANGED
@@ -2,4 +2,20 @@
2
2
 
3
3
  ## [Unreleased]
4
4
 
5
+ ## 0.1.1
6
+
7
+ ### Fixed
8
+
9
+ - Avoid an error when sending the initial heartbeat if the Aikido server hasn't
10
+ received stats yet.
11
+ - Fix the SSRF scanner to ensure the port in the user-supplied payload matches
12
+ the port in the request.
13
+ - Don't break the HTTP.rb sink when a Zen context isn't set.
14
+ - Don't break the Typhoeus sink when a Zen context isn't set.
15
+ - Don't break the PG sink outside of Rails.
16
+ - Updated [libzen](https://github.com/AikidoSec/zen-internals) to v0.1.31 to
17
+ prevent flagging false positives in SQL queries with comments.
18
+
19
+ ## 0.1.0
20
+
5
21
  - Initial version
data/lib/aikido/zen/agent.rb CHANGED
@@ -65,7 +65,9 @@ module Aikido::Zen
65
65
 
66
66
  poll_for_setting_updates
67
67
 
68
- @worker.delay(@config.initial_heartbeat_delay) { send_heartbeat if stats.any? }
68
+ @worker.delay(@config.initial_heartbeat_delay) do
69
+ send_heartbeat if @collector.stats.any?
70
+ end
69
71
  end
70
72
 
71
73
  # Clean up any ongoing threads, and reset the state. Called automatically
data/lib/aikido/zen/internals.rb CHANGED
@@ -31,6 +31,8 @@ module Aikido::Zen
31
31
  attach_function :detect_sql_injection_native, :detect_sql_injection,
32
32
  [:string, :string, :int], :int
33
33
  rescue LoadError, FFI::NotFoundError => err
34
+ # :nocov:
35
+
34
36
  # Emit an $stderr warning at startup.
35
37
  warn "Zen could not load its binary extension #{libzen_name}: #{err}"
36
38
 
@@ -38,6 +40,8 @@ module Aikido::Zen
38
40
  attempt = format("%p for SQL injection", query)
39
41
  raise InternalsError.new(attempt, "loading", Internals.libzen_name)
40
42
  end
43
+
44
+ # :nocov:
41
45
  else
42
46
  # Analyzes the SQL query to detect if the provided user input is being
43
47
  # passed as-is without escaping.
data/lib/aikido/zen/scanners/ssrf_scanner.rb CHANGED
@@ -112,7 +112,8 @@ module Aikido::Zen
112
112
  is_port_relevant = input_uri.port != input_uri.default_port
113
113
  return false if is_port_relevant && input_uri.port != conn_uri.port
114
114
 
115
- conn_uri.hostname == input_uri.hostname
115
+ conn_uri.hostname == input_uri.hostname &&
116
+ conn_uri.port == input_uri.port
116
117
  end
117
118
 
118
119
  def private_ip?(hostname)
@@ -128,8 +129,11 @@ module Aikido::Zen
128
129
  # * The input itself, if it already looks like a URI.
129
130
  # * The input prefixed with http://
130
131
  # * The input prefixed with https://
132
+ # * The input prefixed with the scheme of the request's URI, to consider
133
+ # things like an FTP request (to "ftp://localhost") with a plain host
134
+ # as a user-input ("localhost").
131
135
  #
132
- # @return [Set<URI>]
136
+ # @return [Array<URI>] a list of unique URIs based on the above criteria.
133
137
  def uris_from_input
134
138
  input = @input.to_s
135
139
 
@@ -138,10 +142,12 @@ module Aikido::Zen
138
142
  # valid hostname. We should do the same for the input.
139
143
  input = format("[%s]", input) if unescaped_ipv6?(input)
140
144
 
141
- [input, "http://#{input}", "https://#{input}"]
142
- .map { |candidate| as_uri(candidate) }
143
- .compact
144
- .uniq
145
+ [
146
+ input,
147
+ "http://#{input}",
148
+ "https://#{input}",
149
+ "#{@request_uri.scheme}://#{input}"
150
+ ].map { |candidate| as_uri(candidate) }.compact.uniq
145
151
  end
146
152
 
147
153
  def as_uri(string)
data/lib/aikido/zen/sinks/http.rb CHANGED
@@ -66,7 +66,7 @@ module Aikido::Zen
66
66
 
67
67
  response
68
68
  ensure
69
- context["ssrf.request"] = prev_request
69
+ context["ssrf.request"] = prev_request if context
70
70
  end
71
71
  end
72
72
  end
data/lib/aikido/zen/sinks/pg.rb CHANGED
@@ -7,6 +7,17 @@ module Aikido::Zen
7
7
  module PG
8
8
  SINK = Sinks.add("pg", scanners: [Scanners::SQLInjectionScanner])
9
9
 
10
+ # For some reason, the ActiveRecord pg adapter does not wrap exceptions in
11
+ # StatementInvalid, which leads to inconsistent handling. This guarantees
12
+ # that all Zen errors are wrapped in a StatementInvalid, so documentation
13
+ # can be consistent.
14
+ WRAP_EXCEPTIONS = if defined?(ActiveRecord::StatementInvalid)
15
+ <<~RUBY
16
+ rescue Aikido::Zen::SQLInjectionError
17
+ raise ActiveRecord::StatementInvalid
18
+ RUBY
19
+ end
20
+
10
21
  module Extensions
11
22
  %i[
12
23
  send_query exec sync_exec async_exec
@@ -16,12 +27,7 @@ module Aikido::Zen
16
27
  def #{method}(query, *)
17
28
  SINK.scan(query: query, dialect: :postgresql, operation: :#{method})
18
29
  super
19
- rescue Aikido::Zen::SQLInjectionError
20
- # The pg adapter does not wrap exceptions in StatementInvalid, which
21
- # leads to inconsistent handling. This guarantees that all Aikido
22
- # errors are wrapped in a StatementInvalid, so documentation can be
23
- # consistent.
24
- raise ActiveRecord::StatementInvalid
30
+ #{WRAP_EXCEPTIONS}
25
31
  end
26
32
  RUBY
27
33
  end
@@ -33,12 +39,7 @@ module Aikido::Zen
33
39
  def #{method}(_, query, *)
34
40
  SINK.scan(query: query, dialect: :postgresql, operation: :#{method})
35
41
  super
36
- rescue Aikido::Zen::SQLInjectionError
37
- # The pg adapter does not wrap exceptions in StatementInvalid, which
38
- # leads to inconsistent handling. This guarantees that all Aikido
39
- # errors are wrapped in a StatementInvalid, so documentation can be
40
- # consistent.
41
- raise ActiveRecord::StatementInvalid
42
+ #{WRAP_EXCEPTIONS}
42
43
  end
43
44
  RUBY
44
45
  end
data/lib/aikido/zen/sinks/typhoeus.rb CHANGED
@@ -66,7 +66,7 @@ module Aikido::Zen
66
66
  operation: "request"
67
67
  )
68
68
  ensure
69
- context["ssrf.request"] = nil
69
+ context["ssrf.request"] = nil if context
70
70
  end
71
71
 
72
72
  true
data/lib/aikido/zen/version.rb CHANGED
@@ -2,9 +2,9 @@
2
2
 
3
3
  module Aikido
4
4
  module Zen
5
- VERSION = "0.1.0"
5
+ VERSION = "0.1.1"
6
6
 
7
7
  # The version of libzen_internals that we build against.
8
- LIBZEN_VERSION = "0.1.30"
8
+ LIBZEN_VERSION = "0.1.31"
9
9
  end
10
10
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aikido-zen
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.1.1
5
5
  platform: x86_64-darwin
6
6
  authors:
7
7
  - Nicolas Sanguinetti
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2024-11-15 00:00:00.000000000 Z
11
+ date: 2024-11-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: concurrent-ruby
@@ -63,6 +63,7 @@ extensions: []
63
63
  extra_rdoc_files: []
64
64
  files:
65
65
  - ".ruby-version"
66
+ - ".simplecov"
66
67
  - ".standard.yml"
67
68
  - CHANGELOG.md
68
69
  - LICENSE
@@ -95,7 +96,7 @@ files:
95
96
  - lib/aikido/zen/errors.rb
96
97
  - lib/aikido/zen/event.rb
97
98
  - lib/aikido/zen/internals.rb
98
- - lib/aikido/zen/libzen-v0.1.30.x86_64.dylib
99
+ - lib/aikido/zen/libzen-v0.1.31.x86_64.dylib
99
100
  - lib/aikido/zen/middleware/check_allowed_addresses.rb
100
101
  - lib/aikido/zen/middleware/set_context.rb
101
102
  - lib/aikido/zen/middleware/throttler.rb