aikido-zen 0.1.0-x86_64-linux → 0.1.1-x86_64-linux
- checksums.yaml +4 -4
- data/.simplecov +19 -0
- data/CHANGELOG.md +16 -0
- data/lib/aikido/zen/agent.rb +3 -1
- data/lib/aikido/zen/internals.rb +4 -0
- data/lib/aikido/zen/{libzen-v0.1.30.x86_64.so → libzen-v0.1.31.x86_64.so} +0 -0
- data/lib/aikido/zen/scanners/ssrf_scanner.rb +12 -6
- data/lib/aikido/zen/sinks/http.rb +1 -1
- data/lib/aikido/zen/sinks/pg.rb +13 -12
- data/lib/aikido/zen/sinks/typhoeus.rb +1 -1
- data/lib/aikido/zen/version.rb +2 -2
- metadata +4 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 71dff796247be7898e6fa9a68e66a0289c3435e45721b21a4e93ca94e486f130
|
4
|
+
data.tar.gz: c6f2ade140275a39b8371f9068a7b8b4b96666a903248e0d1e54eeab8e85603d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d8cd7c12e2b35fb7f6be3708345d445e0ba4f92f2c453db3f404ba40c8489ac709d65e710a1660e1ac7139799493a8879944ec996c1af1d29d5487add7cbf221
|
7
|
+
data.tar.gz: 1283b73ee94eae915fcb7298ed00319fcef545153421dda1512e7f551d81fa003c47c16ce8892eefc8de7b97d3382a245565b72dd305c708fada87305a1f001d
|
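--- /dev/null
+++ b/data/.simplecov
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# Due to dependency resolution, on Ruby 2.x we're stuck with a _very_ old
+# SimpleCov version, and it doesn't really give us any benefit to run coverage
+# in separate ruby versions since we don't branch on ruby version in the code.
+return if RUBY_VERSION < "3.0"
+
+SimpleCov.start do
+# Make sure SimpleCov waits until after the tests
+# are finished to generate the coverage reports.
+self.external_at_exit = true
+
+enable_coverage :branch
+minimum_coverage line: 95, branch: 85
+
+add_filter "/test/"
+end
+
+# vim: ft=ruby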
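Review bot: `return if RUBY_VERSION < "3.0"` (line 6) compares version strings lexicographically; that is correct for 2.x versus 3.x but breaks as soon as a two-digit major appears, since `"10.0" < "3.0"` is true. `return if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.0")` expresses the intent and needs nothing beyond RubyGems, which is already loaded. A sentence in the leading comment noting that coverage is therefore only measured on 3.x runs would also save the next reader from wondering why a 2.x run reports nothing.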
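--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,4 +2,20 @@
 
 ## [Unreleased]
 
+## 0.1.1
+
+### Fixed
+
+- Avoid an error when sending the initial heartbeat if the Aikido server hasn't
+received stats yet.
+- Fix the SSRF scanner to ensure the port in the user-supplied payload matches
+the port in the request.
+- Don't break the HTTP.rb sink when a Zen context isn't set.
+- Don't break the Typhoeus sink when a Zen context isn't set.
+- Don't break the PG sink outside of Rails.
+- Updated [libzen](https://github.com/AikidoSec/zen-internals) to v0.1.31 to
+prevent flagging false positives in SQL queries with comments.
+
+## 0.1.0
+
 - Initial version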
data/lib/aikido/zen/agent.rb
CHANGED
@@ -65,7 +65,9 @@ module Aikido::Zen
|
|
65
65
|
|
66
66
|
poll_for_setting_updates
|
67
67
|
|
68
|
-
@worker.delay(@config.initial_heartbeat_delay)
|
68
|
+
@worker.delay(@config.initial_heartbeat_delay) do
|
69
|
+
send_heartbeat if @collector.stats.any?
|
70
|
+
end
|
69
71
|
end
|
70
72
|
|
71
73
|
# Clean up any ongoing threads, and reset the state. Called automatically
|
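Review bot: The block at lines 68-70 silently skips the initial heartbeat when `@collector.stats.any?` is false at the moment the delay fires, and the hunk contains no reschedule, so a process that has handled no requests by then depends on some later periodic heartbeat that is not visible here to ever report at all. If that is the intent, say so on line 69 with something like `# Nothing to report yet; rely on the regular heartbeat cycle (TODO: confirm one is scheduled)`; if not, re-arm the delay instead of dropping the call. The enclosing method starts outside the hunk.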
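--- a/data/lib/aikido/zen/internals.rb
+++ b/data/lib/aikido/zen/internals.rb
@@ -31,6 +31,8 @@ module Aikido::Zen
 attach_function :detect_sql_injection_native, :detect_sql_injection,
 [:string, :string, :int], :int
 rescue LoadError, FFI::NotFoundError => err
+# :nocov:
+
 # Emit an $stderr warning at startup.
 warn "Zen could not load its binary extension #{libzen_name}: #{err}"
 
@@ -38,6 +40,8 @@ module Aikido::Zen
 attempt = format("%p for SQL injection", query)
 raise InternalsError.new(attempt, "loading", Internals.libzen_name)
 end
+
+# :nocov:
 else
 # Analyzes the SQL query to detect if the provided user input is being
 # passed as-is without escaping.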
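Review bot: The `# :nocov:` pair added at lines 34 and 44 removes the whole native-load fallback — the startup `warn` and the `InternalsError` raised at line 41 when a scan is attempted without libzen — from the coverage measured by the new 95%/85% gate, and nothing in the hunk explains why that path cannot be exercised. This branch is the fail-loud path for a missing extension, so it is better pinned by a test that forces the `LoadError` (the `rescue` belongs to a block that begins outside the hunk) than exempted. If the exemption stays, a short reason on line 34, `# :nocov: reachable only when libzen fails to load`, keeps it from being read as dead code.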
Binary file
|
@@ -112,7 +112,8 @@ module Aikido::Zen
|
|
112
112
|
is_port_relevant = input_uri.port != input_uri.default_port
|
113
113
|
return false if is_port_relevant && input_uri.port != conn_uri.port
|
114
114
|
|
115
|
-
conn_uri.hostname == input_uri.hostname
|
115
|
+
conn_uri.hostname == input_uri.hostname &&
|
116
|
+
conn_uri.port == input_uri.port
|
116
117
|
end
|
117
118
|
|
118
119
|
def private_ip?(hostname)
|
@@ -128,8 +129,11 @@ module Aikido::Zen
|
|
128
129
|
# * The input itself, if it already looks like a URI.
|
129
130
|
# * The input prefixed with http://
|
130
131
|
# * The input prefixed with https://
|
132
|
+
# * The input prefixed with the scheme of the request's URI, to consider
|
133
|
+
# things like an FTP request (to "ftp://localhost") with a plain host
|
134
|
+
# as a user-input ("localhost").
|
131
135
|
#
|
132
|
-
# @return [
|
136
|
+
# @return [Array<URI>] a list of unique URIs based on the above criteria.
|
133
137
|
def uris_from_input
|
134
138
|
input = @input.to_s
|
135
139
|
|
@@ -138,10 +142,12 @@ module Aikido::Zen
|
|
138
142
|
# valid hostname. We should do the same for the input.
|
139
143
|
input = format("[%s]", input) if unescaped_ipv6?(input)
|
140
144
|
|
141
|
-
[
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
+
[
|
146
|
+
input,
|
147
|
+
"http://#{input}",
|
148
|
+
"https://#{input}",
|
149
|
+
"#{@request_uri.scheme}://#{input}"
|
150
|
+
].map { |candidate| as_uri(candidate) }.compact.uniq
|
145
151
|
end
|
146
152
|
|
147
153
|
def as_uri(string)
|
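Review bot: With the new `conn_uri.port == input_uri.port` conjunction at lines 115-116, the early return at lines 112-113 is fully subsumed — any port mismatch already makes the final expression false — so `is_port_relevant` and that guard can be dropped. The remaining expression deserves a comment on line 115: a bare host in user input such as `"localhost"` parses with the scheme's default port and therefore only matches a request to that port, which is the trade-off the CHANGELOG entry describes. In `uris_from_input`, the added candidate `"#{@request_uri.scheme}://#{input}"` (line 149) becomes `"://localhost"` when the request URI has no scheme; whether `as_uri` then returns nil so that `compact` drops it is not visible in this hunk and is worth checking. The method containing lines 112-116 starts outside the hunk.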
data/lib/aikido/zen/sinks/pg.rb
CHANGED
@@ -7,6 +7,17 @@ module Aikido::Zen
|
|
7
7
|
module PG
|
8
8
|
SINK = Sinks.add("pg", scanners: [Scanners::SQLInjectionScanner])
|
9
9
|
|
10
|
+
# For some reason, the ActiveRecord pg adapter does not wrap exceptions in
|
11
|
+
# StatementInvalid, which leads to inconsistent handling. This guarantees
|
12
|
+
# that all Zen errors are wrapped in a StatementInvalid, so documentation
|
13
|
+
# can be consistent.
|
14
|
+
WRAP_EXCEPTIONS = if defined?(ActiveRecord::StatementInvalid)
|
15
|
+
<<~RUBY
|
16
|
+
rescue Aikido::Zen::SQLInjectionError
|
17
|
+
raise ActiveRecord::StatementInvalid
|
18
|
+
RUBY
|
19
|
+
end
|
20
|
+
|
10
21
|
module Extensions
|
11
22
|
%i[
|
12
23
|
send_query exec sync_exec async_exec
|
@@ -16,12 +27,7 @@ module Aikido::Zen
|
|
16
27
|
def #{method}(query, *)
|
17
28
|
SINK.scan(query: query, dialect: :postgresql, operation: :#{method})
|
18
29
|
super
|
19
|
-
|
20
|
-
# The pg adapter does not wrap exceptions in StatementInvalid, which
|
21
|
-
# leads to inconsistent handling. This guarantees that all Aikido
|
22
|
-
# errors are wrapped in a StatementInvalid, so documentation can be
|
23
|
-
# consistent.
|
24
|
-
raise ActiveRecord::StatementInvalid
|
30
|
+
#{WRAP_EXCEPTIONS}
|
25
31
|
end
|
26
32
|
RUBY
|
27
33
|
end
|
@@ -33,12 +39,7 @@ module Aikido::Zen
|
|
33
39
|
def #{method}(_, query, *)
|
34
40
|
SINK.scan(query: query, dialect: :postgresql, operation: :#{method})
|
35
41
|
super
|
36
|
-
|
37
|
-
# The pg adapter does not wrap exceptions in StatementInvalid, which
|
38
|
-
# leads to inconsistent handling. This guarantees that all Aikido
|
39
|
-
# errors are wrapped in a StatementInvalid, so documentation can be
|
40
|
-
# consistent.
|
41
|
-
raise ActiveRecord::StatementInvalid
|
42
|
+
#{WRAP_EXCEPTIONS}
|
42
43
|
end
|
43
44
|
RUBY
|
44
45
|
end
|
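Review bot: `WRAP_EXCEPTIONS` (line 14) is fixed by `defined?(ActiveRecord::StatementInvalid)` once, when this sink file is loaded; if the pg sink is required before ActiveRecord — the require order is not visible here — the constant is `nil`, interpolates as an empty string at lines 30 and 42, and the generated methods carry no `rescue` at all even in a Rails app, contrary to the "guarantees" in the comment. Deciding at raise time removes the ordering dependency, as sketched below. Separately, `raise ActiveRecord::StatementInvalid` with no message leaves the original error reachable only through `cause`, so anything that logs just the wrapper's message sees a bare class name; that is pre-existing, but this constant is now the one place to address it.
```ruby
# … unchanged: comment explaining why errors are wrapped …
WRAP_EXCEPTIONS = <<~RUBY
  rescue Aikido::Zen::SQLInjectionError
    # Checked when the error is raised, not when this file is loaded, so
    # the wrapping no longer depends on require order.
    raise unless defined?(ActiveRecord::StatementInvalid)
    raise ActiveRecord::StatementInvalid
RUBY
```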
data/lib/aikido/zen/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aikido-zen
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.1
|
5
5
|
platform: x86_64-linux
|
6
6
|
authors:
|
7
7
|
- Nicolas Sanguinetti
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-11-
|
11
|
+
date: 2024-11-19 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: concurrent-ruby
|
@@ -63,6 +63,7 @@ extensions: []
|
|
63
63
|
extra_rdoc_files: []
|
64
64
|
files:
|
65
65
|
- ".ruby-version"
|
66
|
+
- ".simplecov"
|
66
67
|
- ".standard.yml"
|
67
68
|
- CHANGELOG.md
|
68
69
|
- LICENSE
|
@@ -95,7 +96,7 @@ files:
|
|
95
96
|
- lib/aikido/zen/errors.rb
|
96
97
|
- lib/aikido/zen/event.rb
|
97
98
|
- lib/aikido/zen/internals.rb
|
98
|
-
- lib/aikido/zen/libzen-v0.1.
|
99
|
+
- lib/aikido/zen/libzen-v0.1.31.x86_64.so
|
99
100
|
- lib/aikido/zen/middleware/check_allowed_addresses.rb
|
100
101
|
- lib/aikido/zen/middleware/set_context.rb
|
101
102
|
- lib/aikido/zen/middleware/throttler.rb
|