aikido-zen 0.1.0.alpha4-arm64-darwin

data/lib/aikido/zen/sinks/trilogy.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+
+module Aikido::Zen
+  module Sinks
+    module Trilogy
+      SINK = Sinks.add("trilogy", scanners: [Scanners::SQLInjectionScanner])
+
+      module Extensions
+        def query(query, *)
+          SINK.scan(query: query, dialect: :mysql, operation: "query")
+
+          super
+        end
+      end
+    end
+  end
+end
+
+::Trilogy.prepend(Aikido::Zen::Sinks::Trilogy::Extensions)

data/lib/aikido/zen/sinks/typhoeus.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module Typhoeus
+      SINK = Sinks.add("typhoeus", scanners: [
+        Aikido::Zen::Scanners::SSRFScanner,
+        Aikido::Zen::OutboundConnectionMonitor
+      ])
+
+      before_callback = ->(request) {
+        wrapped_request = Aikido::Zen::Scanners::SSRFScanner::Request.new(
+          verb: request.options[:method],
+          uri: URI(request.url),
+          headers: request.options[:headers]
+        )
+
+        # Store the request information so the DNS sinks can pick it up.
+        if (context = Aikido::Zen.current_context)
+          prev_request = context["ssrf.request"]
+          context["ssrf.request"] = wrapped_request
+        end
+
+        SINK.scan(
+          connection: Aikido::Zen::OutboundConnection.from_uri(URI(request.base_url)),
+          request: wrapped_request,
+          operation: "request"
+        )
+
+        request.on_headers do |response|
+          context["ssrf.request"] = prev_request if context
+
+          Aikido::Zen::Scanners::SSRFScanner.track_redirects(
+            request: wrapped_request,
+            response: Aikido::Zen::Scanners::SSRFScanner::Response.new(
+              status: response.code,
+              headers: response.headers.to_h
+            )
+          )
+        end
+
+        # When Typhoeus is configured with followlocation: true, the redirect
+        # following happens between the on_headers and the on_complete callback,
+        # so we need this one to detect if the request resulted in an automatic
+        # redirect that was followed.
+        request.on_complete do |response|
+          break if response.effective_url == request.url
+
+          last_effective_request = Aikido::Zen::Scanners::SSRFScanner::Request.new(
+            verb: request.options[:method],
+            uri: URI(response.effective_url),
+            headers: request.options[:headers]
+          )
+          context["ssrf.request"] = last_effective_request if context
+
+          # In this case, we can't actually stop the request from happening, but
+          # we can scan again (now that we know another request happened), to
+          # stop the response from being exposed to the user. This downgrades
+          # the SSRF into a blind SSRF, which is better than doing nothing.
+          SINK.scan(
+            connection: Aikido::Zen::OutboundConnection.from_uri(URI(response.effective_url)),
+            request: last_effective_request,
+            operation: "request"
+          )
+        ensure
+          context["ssrf.request"] = nil
+        end
+
+        true
+      }
+
+      ::Typhoeus.before.prepend(before_callback)
+    end
+  end
+end

data/lib/aikido/zen/sinks.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require_relative "sink"
+
+require_relative "sinks/socket"
+
+require_relative "sinks/resolv" if defined?(::Resolv)
+require_relative "sinks/net_http" if defined?(::Net::HTTP)
+require_relative "sinks/http" if defined?(::HTTP)
+require_relative "sinks/httpx" if defined?(::HTTPX)
+require_relative "sinks/httpclient" if defined?(::HTTPClient)
+require_relative "sinks/excon" if defined?(::Excon)
+require_relative "sinks/curb" if defined?(::Curl)
+require_relative "sinks/patron" if defined?(::Patron)
+require_relative "sinks/typhoeus" if defined?(::Typhoeus)
+require_relative "sinks/async_http" if defined?(::Async::HTTP)
+require_relative "sinks/em_http" if defined?(::EventMachine::HttpRequest)
+require_relative "sinks/mysql2" if defined?(::Mysql2)
+require_relative "sinks/pg" if defined?(::PG)
+require_relative "sinks/sqlite3" if defined?(::SQLite3)
+require_relative "sinks/trilogy" if defined?(::Trilogy)

data/lib/aikido/zen/stats/routes.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require_relative "../request/schema/empty_schema"
+
+class Aikido::Zen::Stats
+  # @api private
+  #
+  # Keeps track of the visited routes.
+  class Routes
+    def initialize
+      @routes = Hash.new do |h, k|
+        h[k] = Record.new(0, Aikido::Zen::Request::Schema::EMPTY_SCHEMA)
+      end
+    end
+
+    # @param route [Aikido::Zen::Route, nil] tracks the visit, if given.
+    # @param schema [Aikido::Zen::Request::Schema, nil] the schema of the
+    #   request, if the feature is enabled.
+    # @return [void]
+    def add(route, schema = nil)
+      @routes[route].add(schema) if route
+    end
+
+    # @!visibility private
+    def [](route)
+      @routes[route]
+    end
+
+    # @!visibility private
+    def empty?
+      @routes.empty?
+    end
+
+    def as_json
+      @routes.map do |route, record|
+        {
+          method: route.verb,
+          path: route.path,
+          hits: record.hits,
+          apispec: record.schema&.as_json
+        }.compact
+      end
+    end
+
+    # @!visibility private
+    Record = Struct.new(:hits, :schema) do
+      def add(new_schema = nil)
+        self.hits += 1
+        self.schema |= new_schema
+      end
+    end
+  end
+end

data/lib/aikido/zen/stats/sink_stats.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require_relative "../capped_collections"
+
+module Aikido::Zen
+  # @api private
+  #
+  # Tracks data specific to a single Sink.
+  class Stats::SinkStats
+    # @return [Integer] number of total calls to Sink#scan.
+    attr_accessor :scans
+
+    # @return [Integer] number of scans where our scanners raised an
+    #   error that was handled.
+    attr_accessor :errors
+
+    # @return [Integer] number of scans where an attack was detected.
+    attr_accessor :attacks
+
+    # @return [Integer] number of scans where an attack was detected
+    #   _and_ blocked by the Zen.
+    attr_accessor :blocked_attacks
+
+    # @return [Set<Float>] keeps the duration of individual scans. If
+    #   this grows to match Config#max_performance_samples, the set is
+    #   cleared and the data is aggregated into #compressed_timings.
+    attr_accessor :timings
+
+    # @return [Array<CompressedTiming>] list of aggregated stats.
+    attr_accessor :compressed_timings
+
+    def initialize(name, config)
+      @name = name
+      @config = config
+
+      @scans = 0
+      @errors = 0
+
+      @attacks = 0
+      @blocked_attacks = 0
+
+      @timings = Set.new
+      @compressed_timings = CappedSet.new(@config.max_compressed_stats)
+    end
+
+    def add_timing(duration)
+      compress_timings if @timings.size >= @config.max_performance_samples
+      @timings << duration
+    end
+
+    def compress_timings(at: Time.now.utc)
+      return if @timings.empty?
+
+      list = @timings.sort
+      @timings.clear
+
+      mean = list.sum / list.size
+      percentiles = percentiles(list, 50, 75, 90, 95, 99)
+
+      @compressed_timings << CompressedTiming.new(mean, percentiles, at)
+    end
+
+    def as_json
+      {
+        total: @scans,
+        interceptorThrewError: @errors,
+        withoutContext: 0,
+        attacksDetected: {
+          total: @attacks,
+          blocked: @blocked_attacks
+        },
+        compressedTimings: @compressed_timings.as_json
+      }
+    end
+
+    private def percentiles(sorted, *scores)
+      return {} if sorted.empty? || scores.empty?
+
+      scores.map { |p|
+        index = (sorted.size * (p / 100.0)).floor
+        [p, sorted.at(index)]
+      }.to_h
+    end
+
+    CompressedTiming = Struct.new(:mean, :percentiles, :compressed_at) do
+      def as_json
+        {
+          averageInMs: mean * 1000,
+          percentiles: percentiles.transform_values { |t| t * 1000 },
+          compressedAt: compressed_at.to_i * 1000
+        }
+      end
+    end
+  end
+end

data/lib/aikido/zen/stats/users.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative "../capped_collections"
+
+class Aikido::Zen::Stats
+  # @api private
+  #
+  # Keeps track of the users that were seen by the app.
+  class Users < Aikido::Zen::CappedMap
+    def add(actor)
+      if key?(actor.id)
+        self[actor.id].update
+      else
+        self[actor.id] = actor
+      end
+    end
+
+    def each(&b)
+      each_value(&b)
+    end
+
+    def as_json
+      map(&:as_json)
+    end
+  end
+end

data/lib/aikido/zen/stats.rb

@@ -0,0 +1,171 @@
+# frozen_string_literal: true
+
+require "concurrent"
+
+require_relative "capped_collections"
+
+module Aikido::Zen
+  # Tracks information about how the Aikido Agent is used in the app.
+  class Stats < Concurrent::Synchronization::LockableObject
+    # @!visibility private
+    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :sinks
+
+    # @!visibility private
+    attr_writer :ended_at
+
+    def initialize(config = Aikido::Zen.config)
+      super()
+      @config = config
+      reset_state
+    end
+
+    # @return [Boolean]
+    def empty?
+      synchronize { @requests.zero? && @sinks.empty? }
+    end
+
+    # @return [Boolean]
+    def any?
+      !empty?
+    end
+
+    # Track the timestamp we start tracking this series of stats.
+    #
+    # @return [void]
+    def start(at = Time.now.utc)
+      synchronize { @started_at = at }
+    end
+
+    # Atomically copies the stats and resets them to their initial values, so
+    # you can start gathering a new set while being able to read the old ones
+    # without fear that a thread might modify them.
+    #
+    # @param at [Time] the time at which we're resetting, which is set as the
+    #   ending time for the returned copy.
+    #
+    # @return [Aikido::Zen::Stats] a frozen copy of the object before
+    #   resetting, so you can access the data there, with its +ended_at+
+    #   set to the given timestamp.
+    def reset(at: Time.now.utc)
+      synchronize {
+        # Make sure the timing stats are compressed before copying, since we
+        # need these compressed when we serialize this for the API.
+        @sinks.each_value(&:compress_timings)
+
+        copy = clone
+        copy.ended_at = at
+
+        reset_state
+        start(at)
+
+        copy
+      }
+    end
+
+    # @param request [Aikido::Zen::Request]
+    # @return [void]
+    def add_request(request)
+      synchronize {
+        @requests += 1
+        @routes.add(request.route, request.schema)
+      }
+      self
+    end
+
+    # @param connection [Aikido::Zen::OutboundConnection]
+    # @return [void]
+    def add_outbound(connection)
+      synchronize { @outbound_connections << connection }
+      self
+    end
+
+    # @param [Aikido::Zen::Scan]
+    # @return [void]
+    def add_scan(scan)
+      synchronize {
+        stats = @sinks[scan.sink.name]
+        stats.scans += 1
+        stats.errors += 1 if scan.errors?
+        stats.add_timing(scan.duration)
+      }
+      self
+    end
+
+    # @param attack [Aikido::Zen::Attack]
+    # @param being_blocked [Boolean] whether the Agent blocked the
+    #   request where this Attack happened or not.
+    #
+    # @return [void]
+    def add_attack(attack, being_blocked:)
+      synchronize {
+        stats = @sinks[attack.sink.name]
+        stats.attacks += 1
+        stats.blocked_attacks += 1 if being_blocked
+      }
+      self
+    end
+
+    # @param actor [Aikido::Zen::Actor]
+    # @return [void]
+    def add_user(actor)
+      synchronize { @users.add(actor) }
+    end
+
+    # @return [#as_json] the set of routes visited during this stats-gathering
+    #   period.
+    def routes
+      synchronize { @routes }
+    end
+
+    # @return [Enumerable<#as_json>] the set of users that had an active session
+    #   during this stats-gathering period.
+    def users
+      synchronize { @users }
+    end
+
+    # @return [#as_json] the set of connections to outbound hosts that were
+    #   established during this stats-gathering period.
+    def outbound_connections
+      synchronize { @outbound_connections }
+    end
+
+    def as_json
+      synchronize {
+        total_attacks, total_blocked = aggregate_attacks_from_sinks
+        {
+          startedAt: @started_at.to_i * 1000,
+          endedAt: (@ended_at.to_i * 1000 if @ended_at),
+          sinks: @sinks.transform_values(&:as_json),
+          requests: {
+            total: @requests,
+            aborted: @aborted_requests,
+            attacksDetected: {
+              total: total_attacks,
+              blocked: total_blocked
+            }
+          }
+        }
+      }
+    end
+
+    private def reset_state
+      @sinks = Hash.new { |h, k| h[k] = SinkStats.new(k, @config) }
+      @started_at = @ended_at = nil
+      @requests = 0
+      @routes = Routes.new
+      @users = Users.new(@config.max_users_tracked)
+      @outbound_connections = CappedSet.new(@config.max_outbound_connections)
+      @aborted_requests = 0
+    end
+
+    private def aggregate_attacks_from_sinks
+      @sinks.each_value.reduce([0, 0]) { |(attacks, blocked), stats|
+        [attacks + stats.attacks, blocked + stats.blocked_attacks]
+      }
+    end
+  end
+end
+
+require_relative "stats/users"
+require_relative "stats/routes"
+require_relative "stats/sink_stats"

data/lib/aikido/zen/synchronizable.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # @!visibility private
+  #
+  # Provides the synchronization part of Concurrent's LockableObject, but allows
+  # objects to take keyword arguments as well.
+  #
+  # NOTE: This is meant to be prepennded.
+  module Synchronizable
+    def initialize(*, **)
+      @__lock__ = ::Mutex.new
+      super
+    end
+
+    def synchronize
+      if @__lock__.owned?
+        yield
+      else
+        @__lock__.synchronize { yield }
+      end
+    end
+  end
+end

data/lib/aikido/zen/system_info.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require "socket"
+require "rubygems"
+
+require_relative "package"
+
+module Aikido::Zen
+  # Provides information about the currently running Agent.
+  class SystemInfo
+    def initialize(config = Aikido::Zen.config)
+      @config = config
+    end
+
+    def attacks_block_requests?
+      !!@config.blocking_mode
+    end
+
+    def attacks_are_only_reported?
+      !attacks_block_requests?
+    end
+
+    def library_name
+      "firewall-ruby"
+    end
+
+    def library_version
+      VERSION
+    end
+
+    def platform_version
+      RUBY_VERSION
+    end
+
+    def hostname
+      @hostname ||= Socket.gethostname
+    end
+
+    # @return [Array<Aikido::Zen::Package>] a list of loaded rubygems that are
+    #   supported by Aikido (i.e. we have a Sink that scans the package for
+    #   vulnerabilities and protects you).
+    def packages
+      @packages ||= Gem.loaded_specs
+        .map { |_, spec| Package.new(spec.name, spec.version) }
+        .select(&:supported?)
+    end
+
+    # @return [String] the first non-loopback IPv4 address that we can use
+    #   to identify this host. If the machine is solely identified by IPv6
+    #   addresses, then this will instead return an IPv6 address.
+    def ip_address
+      @ip_address ||= Socket.ip_address_list
+        .reject { |ip| ip.ipv4_loopback? || ip.ipv6_loopback? || ip.unix? }
+        .min_by { |ip| ip.ipv4? ? 0 : 1 }
+        .ip_address
+    end
+
+    def os_name
+      Gem::Platform.local.os
+    end
+
+    def os_version
+      Gem::Platform.local.version
+    end
+
+    def as_json
+      {
+        dryMode: attacks_are_only_reported?,
+        library: library_name,
+        version: library_version,
+        hostname: hostname,
+        ipAddress: ip_address,
+        platform: {version: platform_version},
+        os: {name: os_name, version: os_version},
+        packages: packages.reduce({}) { |all, package| all.update(package.as_json) },
+        incompatiblePackages: {},
+        stack: [],
+        serverless: false,
+        nodeEnv: "",
+        preventedPrototypePollution: false
+      }
+    end
+  end
+end

data/lib/aikido/zen/version.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Aikido
+  module Zen
+    VERSION = "0.1.0.alpha4"
+
+    # The version of libzen_internals that we build against.
+    LIBZEN_VERSION = "0.1.26"
+  end
+end