aikido-zen 0.1.0.alpha4-arm64-darwin

data/lib/aikido/zen/capped_collections.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "forwardable"
+
+module Aikido::Zen
+  # @api private
+  #
+  # Provides a FIFO set with a maximum size. Adding an element after the
+  # capacity has been reached kicks the oldest element in the set out,
+  # while maintaining the uniqueness property of a set (relying on #eql?
+  # and #hash).
+  class CappedSet
+    include Enumerable
+    extend Forwardable
+
+    def_delegators :@data, :size, :empty?
+
+    # @return [Integer]
+    attr_reader :capacity
+
+    def initialize(capacity)
+      @data = CappedMap.new(capacity)
+    end
+
+    def <<(element)
+      @data[element] = nil
+      self
+    end
+    alias_method :add, :<<
+    alias_method :push, :<<
+
+    def each(&b)
+      @data.each_key(&b)
+    end
+
+    def as_json
+      map(&:as_json)
+    end
+  end
+
+  # @api private
+  #
+  # Provides a FIFO hash-like structure with a maximum size. Adding a new key
+  # after the capacity has been reached kicks the first element pair added out.
+  class CappedMap
+    include Enumerable
+    extend Forwardable
+
+    def_delegators :@data,
+      :[], :fetch, :delete, :key?,
+      :each, :each_key, :each_value,
+      :size, :empty?, :to_hash
+
+    # @return [Integer]
+    attr_reader :capacity
+
+    def initialize(capacity)
+      raise ArgumentError, "cannot set capacity lower than 1: #{capacity}" if capacity < 1
+      @capacity = capacity
+      @data = {}
+    end
+
+    def []=(key, value)
+      @data[key] = value
+      @data.delete(@data.each_key.first) if @data.size > @capacity
+    end
+  end
+end

data/lib/aikido/zen/config.rb

@@ -0,0 +1,229 @@
+# frozen_string_literal: true
+
+require "uri"
+require "json"
+require "logger"
+
+require_relative "context"
+
+module Aikido::Zen
+  class Config
+    # @return [Boolean] whether Aikido should only report infractions or block
+    #   the request by raising an Exception. Defaults to whether AIKIDO_BLOCKING
+    #   is set to a non-empty value in your environment, or +false+ otherwise.
+    attr_accessor :blocking_mode
+    alias_method :blocking_mode?, :blocking_mode
+
+    # @return [URI] The HTTP host for the Aikido API. Defaults to
+    #   +https://guard.aikido.dev+.
+    attr_reader :api_base_url
+
+    # @return [URI] The HTTP host for the Aikido Runtime API. Defaults to
+    #   +https://runtime.aikido.dev+.
+    attr_reader :runtime_api_base_url
+
+    # @return [Hash] HTTP timeouts for communicating with the API.
+    attr_reader :api_timeouts
+
+    # @return [String] the token obtained when configuring the Firewall in the
+    #   Aikido interface.
+    attr_accessor :api_token
+
+    # @return [Integer] the interval in seconds to poll the runtime API for
+    #   settings changes. Defaults to evey 60 seconds.
+    attr_accessor :polling_interval
+
+    # @return [Integer] the amount in seconds to wait before sending an initial
+    #   heartbeat event when the server reports no stats have been sent yet.
+    attr_accessor :initial_heartbeat_delay
+
+    # @return [#call] Callable that can be passed an Object and returns a String
+    #   of JSON. Defaults to the standard library's JSON.dump method.
+    attr_accessor :json_encoder
+
+    # @return [#call] Callable that can be passed a JSON string and parses it
+    #   into an Object. Defaults to the standard library's JSON.parse method.
+    attr_accessor :json_decoder
+
+    # @returns [Logger]
+    attr_accessor :logger
+
+    # @return [Integer] maximum number of timing measurements to keep in memory
+    #   before compressing them.
+    attr_accessor :max_performance_samples
+
+    # @return [Integer] maximum number of compressed performance samples to keep
+    #   in memory. If we take more than this before reporting them to Aikido, we
+    #   will discard the oldest samples.
+    attr_accessor :max_compressed_stats
+
+    # @return [Integer] maximum number of connections to outbound hosts to keep
+    #   in memory in order to report them in the next heartbeat event. If new
+    #   connections are added to the set before reporting them to Aikido, we
+    #   will discard the oldest data point.
+    attr_accessor :max_outbound_connections
+
+    # @return [Integer] maximum number of users tracked via Zen.track_user to
+    #   share with the Aikido servers on the next heartbeat event. If more
+    #   unique users (by their ID) are tracked than this number, we will discard
+    #   the oldest seen users.
+    attr_accessor :max_users_tracked
+
+    # @return [Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}]
+    #   Rack handler used to respond to requests from IPs blocked in the Aikido
+    #   dashboard.
+    attr_accessor :blocked_ip_responder
+
+    # @return [Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}]
+    #   Rack handler used to respond to requests that have been rate limited.
+    attr_accessor :rate_limited_responder
+
+    # @return [Proc{Aikido::Zen::Request => String}] a proc that reads
+    #   information off the current request and returns a String to
+    #   differentiate different clients. By default this uses the request IP.
+    attr_accessor :rate_limiting_discriminator
+
+    # @return [Boolean] whether Zen should infer the schema from request bodies
+    #   sent to the app. Defaults to +false+ or the value of the environment
+    #   variable AIKIDO_FEATURE_COLLECT_API_SCHEMA.
+    attr_accessor :api_schema_collection_enabled
+    alias_method :api_schema_collection_enabled?, :api_schema_collection_enabled
+
+    # @api private
+    # @return [Integer] max number of levels deep we want to read a nested
+    #   strcture for performance reasons.
+    attr_accessor :api_schema_collection_max_depth
+
+    # @api private
+    # @return [Integer] max number of properties that we want to inspect per
+    #   level of the structure for performance reasons.
+    attr_accessor :api_schema_collection_max_properties
+
+    # @api private
+    # @return [Proc<Hash => Aikido::Zen::Context>] callable that takes a
+    #   Rack-compatible env Hash and returns a Context object with an HTTP
+    #   request. This is meant to be overridden by each framework adapter.
+    attr_accessor :request_builder
+
+    # @api private
+    # @return [Integer] number of seconds to perform client-side rate limiting
+    #   of events sent to the server.
+    attr_accessor :client_rate_limit_period
+
+    # @api private
+    # @return [Integer] max number of events sent during a sliding
+    #   {client_rate_limit_period} window.
+    attr_accessor :client_rate_limit_max_events
+
+    # @api private
+    # @return [Integer] number of seconds to wait before sending an event after
+    #   the server returns a 429 response.
+    attr_accessor :server_rate_limit_deadline
+
+    # @return [Array<String>] when checking for stored SSRF attacks, we want to
+    #   allow known hosts that should be able to resolve to the IMDS service.
+    attr_accessor :imds_allowed_hosts
+
+    def initialize
+      self.blocking_mode = !!ENV.fetch("AIKIDO_BLOCKING", false)
+      self.api_timeouts = 10
+      self.api_base_url = ENV.fetch("AIKIDO_BASE_URL", DEFAULT_API_BASE_URL)
+      self.runtime_api_base_url = ENV.fetch("AIKIDO_RUNTIME_URL", DEFAULT_RUNTIME_BASE_URL)
+      self.api_token = ENV.fetch("AIKIDO_TOKEN", nil)
+      self.polling_interval = 60
+      self.initial_heartbeat_delay = 60
+      self.json_encoder = DEFAULT_JSON_ENCODER
+      self.json_decoder = DEFAULT_JSON_DECODER
+      self.logger = Logger.new($stdout, progname: "aikido")
+      self.max_performance_samples = 5000
+      self.max_compressed_stats = 100
+      self.max_outbound_connections = 200
+      self.max_users_tracked = 1000
+      self.request_builder = Aikido::Zen::Context::RACK_REQUEST_BUILDER
+      self.blocked_ip_responder = DEFAULT_BLOCKED_IP_RESPONDER
+      self.rate_limited_responder = DEFAULT_RATE_LIMITED_RESPONDER
+      self.rate_limiting_discriminator = DEFAULT_RATE_LIMITING_DISCRIMINATOR
+      self.server_rate_limit_deadline = 1800 # 30 min
+      self.client_rate_limit_period = 3600 # 1 hour
+      self.client_rate_limit_max_events = 100
+
+      self.api_schema_collection_enabled = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_COLLECT_API_SCHEMA", false))
+      self.api_schema_collection_max_depth = 20
+      self.api_schema_collection_max_properties = 20
+
+      self.imds_allowed_hosts = ["metadata.google.internal", "metadata.goog"]
+    end
+
+    # Set the base URL for API requests.
+    #
+    # @param url [String, URI]
+    def api_base_url=(url)
+      @api_base_url = URI(url)
+    end
+
+    # Set the base URL for runtime API requests.
+    #
+    # @param url [String, URI]
+    def runtime_api_base_url=(url)
+      @runtime_api_base_url = URI(url)
+    end
+
+    # @overload def api_timeouts=(timeouts)
+    #   Configure granular connection timeouts for the Aikido Zen API. You
+    #   can set any of these per call.
+    #   @param timeouts [Hash]
+    #   @option timeouts [Integer] :open_timeout Duration in seconds.
+    #   @option timeouts [Integer] :read_timeout Duration in seconds.
+    #   @option timeouts [Integer] :write_timeout Duration in seconds.
+    #
+    # @overload def api_timeouts=(duration)
+    #   Configure the connection timeouts for the Aikido Zen API.
+    #   @param duration [Integer] Duration in seconds to set for all three
+    #     timeouts (open, read, and write).
+    def api_timeouts=(value)
+      value = {open_timeout: value, read_timeout: value, write_timeout: value} if value.respond_to?(:to_int)
+
+      @api_timeouts ||= {}
+      @api_timeouts.update(value)
+    end
+
+    private
+
+    def read_boolean_from_env(value)
+      return value unless value.respond_to?(:to_str)
+
+      case value.to_str.strip
+      when "false", "", "0", "f"
+        false
+      else
+        true
+      end
+    end
+
+    # @!visibility private
+    DEFAULT_API_BASE_URL = "https://guard.aikido.dev"
+
+    # @!visibility private
+    DEFAULT_RUNTIME_BASE_URL = "https://runtime.aikido.dev"
+
+    # @!visibility private
+    DEFAULT_JSON_ENCODER = JSON.method(:dump)
+
+    # @!visibility private
+    DEFAULT_JSON_DECODER = JSON.method(:parse)
+
+    # @!visibility private
+    DEFAULT_BLOCKED_IP_RESPONDER = ->(request) do
+      message = "Your IP address is not allowed to access this resource. (Your IP: %s)"
+      [403, {"Content-Type" => "text/plain"}, [format(message, request.ip)]]
+    end
+
+    # @!visibility private
+    DEFAULT_RATE_LIMITED_RESPONDER = ->(request) do
+      [429, {"Content-Type" => "text/plain"}, ["Too many requests."]]
+    end
+
+    # @!visibility private
+    DEFAULT_RATE_LIMITING_DISCRIMINATOR = ->(request) { request.ip }
+  end
+end

data/lib/aikido/zen/context/rack_request.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require_relative "../request"
+require_relative "../request/heuristic_router"
+
+module Aikido::Zen
+  # @!visibility private
+  Context::RACK_REQUEST_BUILDER = ->(env) do
+    delegate = Rack::Request.new(env)
+    router = Aikido::Zen::Request::HeuristicRouter.new
+    request = Aikido::Zen::Request.new(delegate, framework: "rack", router: router)
+
+    Context.new(request) do |req|
+      {
+        query: req.GET,
+        body: req.POST,
+        route: {},
+        header: req.normalized_headers,
+        cookie: req.cookies,
+        subdomain: []
+      }
+    end
+  end
+end

data/lib/aikido/zen/context/rails_request.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require_relative "../request"
+require_relative "../request/rails_router"
+
+module Aikido::Zen
+  module Rails
+    def self.router
+      @router ||= Request::RailsRouter.new(::Rails.application.routes)
+    end
+  end
+
+  # @!visibility private
+  Context::RAILS_REQUEST_BUILDER = ->(env) do
+    delegate = ActionDispatch::Request.new(env)
+    request = Aikido::Zen::Request.new(
+      delegate, framework: "rails", router: Rails.router
+    )
+
+    decrypt_cookies = ->(req) do
+      return req.cookies unless req.respond_to?(:cookie_jar)
+
+      req.cookie_jar.map { |key, value|
+        plain_text = req.cookie_jar.encrypted[key].presence ||
+          req.cookie_jar.signed[key].presence ||
+          value
+        [key, plain_text]
+      }.to_h
+    end
+
+    Context.new(request) do |req|
+      {
+        query: req.query_parameters,
+        body: req.request_parameters,
+        route: req.path_parameters,
+        header: req.normalized_headers,
+        cookie: decrypt_cookies.call(req),
+        subdomain: req.subdomains
+      }
+    end
+  end
+end

data/lib/aikido/zen/context.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+require "forwardable"
+
+require_relative "request"
+require_relative "payload"
+
+module Aikido::Zen
+  class Context
+    def self.from_rack_env(env, config = Aikido::Zen.config)
+      config.request_builder.call(env)
+    end
+
+    attr_reader :request
+
+    # @param [Rack::Request] a Request object that implements the
+    #   Rack::Request API, to which we will delegate behavior.
+    # @param settings [Aikido::Zen::RuntimeSettings]
+    #
+    # @yieldparam request [Rack::Request] the given request object.
+    # @yieldreturn [Hash<Symbol, #flat_map>] map of payload source types
+    #   to the actual data from the request to populate them.
+    def initialize(request, settings: Aikido::Zen.runtime_settings, &sources)
+      @request = request
+      @settings = settings
+      @payload_sources = sources
+      @metadata = {}
+    end
+
+    # Fetch some metadata stored in the Context.
+    #
+    # @param key [String]
+    # @return [Object, nil]
+    def [](key)
+      @metadata[key]
+    end
+
+    # Store some metadata in the Context so other Scanners can use it.
+    #
+    # @param key [String]
+    # @param value [Object]
+    # @return [void]
+    def []=(key, value)
+      @metadata[key] = value
+    end
+
+    # Overrides the current request, and invalidates any memoized data obtained
+    # from it. This is useful for scenarios where setting the request in the
+    # middleware isn't enough, such as Rails, where the router modifies it after
+    # the middleware has seen it.
+    #
+    # @param new_request [Rack::Request]
+    # @return [void]
+    def update_request(new_request)
+      @payloads = nil
+      request.__setobj__(new_request)
+    end
+
+    # @return [Array<Aikido::Zen::Payload>] list of user inputs from all the
+    #   different sources we recognize.
+    def payloads
+      @payloads ||= payload_sources.flat_map do |source, data|
+        extract_payloads_from(data, source)
+      end
+    end
+
+    # @return [Boolean] whether attack protection for the currently requested
+    #   endpoint was disabled on the Aikido dashboard, or if the source IP for
+    #   this request is in the "Bypass List".
+    def protection_disabled?
+      return false if request.nil?
+
+      !@settings.endpoints[request.route].protected? ||
+        @settings.skip_protection_for_ips.include?(request.ip)
+    end
+
+    # @!visibility private
+    def payload_sources
+      @payload_sources.call(request)
+    end
+
+    private
+
+    def extract_payloads_from(data, source_type, prefix = nil)
+      if data.respond_to?(:to_hash)
+        data.to_hash.flat_map { |name, val|
+          extract_payloads_from(val, source_type, [prefix, name].compact.join("."))
+        }
+      elsif data.respond_to?(:to_ary)
+        data.to_ary.flat_map.with_index { |val, idx|
+          extract_payloads_from(val, source_type, [prefix, idx].compact.join("."))
+        }
+      else
+        Payload.new(data, source_type, prefix.to_s)
+      end
+    end
+  end
+end
+
+require_relative "context/rack_request"
+require_relative "context/rails_request"

data/lib/aikido/zen/errors.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require "forwardable"
+
+module Aikido
+  # Support rescuing Aikido::Error without forcing a single base class to all
+  # errors (so things that should be e.g. a TypeError, can have the correct
+  # superclass).
+  module Error; end
+
+  # Generic error for problems with the Agent.
+  class ZenError < RuntimeError
+    include Error
+  end
+
+  module Zen
+    # Wrapper for all low-level network errors communicating with the API. You
+    # can access the original error by calling #cause.
+    class NetworkError < StandardError
+      include Error
+
+      def initialize(request, cause = nil)
+        @request = request.dup
+
+        super("Error in #{request.method} #{request.path}: #{cause.message}")
+      end
+    end
+
+    # Raised whenever a request to the API results in a 4XX or 5XX response.
+    class APIError < StandardError
+      include Error
+
+      attr_reader :request
+      attr_reader :response
+
+      def initialize(request, response)
+        @request = anonimize_token(request.dup)
+        @response = response
+
+        super("Error in #{request.method} #{request.path}: #{response.code} #{response.message} (#{response.body})")
+      end
+
+      private def anonimize_token(request)
+        # Anonimize the token to `********************xxxx`,
+        # mimicking what we show in the dashbaord.
+        request["Authorization"] = request["Authorization"].to_s
+          .gsub(/\A.*(.{4})\z/, ("*" * 20) + "\\1")
+        request
+      end
+    end
+
+    # Raised whenever a response to the API results in a 429 response.
+    class RateLimitedError < APIError; end
+
+    class UnderAttackError < StandardError
+      include Error
+
+      attr_reader :attack
+
+      def initialize(attack)
+        super(attack.log_message)
+        @attack = attack
+      end
+    end
+
+    class SQLInjectionError < UnderAttackError
+      extend Forwardable
+      def_delegators :@attack, :query, :input, :dialect
+    end
+
+    class SSRFDetectedError < UnderAttackError
+      extend Forwardable
+      def_delegators :@attack, :request, :input
+    end
+
+    # Raised when there's any problem communicating (or loading) libzen.
+    class InternalsError < ZenError
+      # @param attempt [String] description of what we were trying to do.
+      # @param problem [String] what couldn't be done.
+      # @param libname [String] the name of the file (including the arch).
+      def initialize(attempt, problem, libname)
+        super(format(<<~MSG.chomp, attempt, problem, libname))
+          Zen could not scan %s due to a problem %s the library `%s'
+        MSG
+      end
+    end
+  end
+end

data/lib/aikido/zen/event.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Base class for all events. You should be using one of the subclasses defined
+  # in the Events module.
+  class Event
+    attr_reader :type
+    attr_reader :time
+    attr_reader :system_info
+
+    def initialize(type:, system_info: Aikido::Zen.system_info, time: Time.now.utc)
+      @type = type
+      @time = time
+      @system_info = system_info
+    end
+
+    def as_json
+      {
+        type: type,
+        time: time.to_i * 1000,
+        agent: system_info.as_json
+      }
+    end
+  end
+
+  module Events
+    # Event sent when starting up the agent.
+    class Started < Event
+      def initialize(**opts)
+        super(type: "started", **opts)
+      end
+    end
+
+    class Attack < Event
+      attr_reader :attack
+
+      def initialize(attack:, **opts)
+        @attack = attack
+        super(type: "detected_attack", **opts)
+      end
+
+      def as_json
+        super.update(
+          attack: @attack.as_json,
+          request: @attack.context.request.as_json
+        )
+      end
+    end
+
+    class Heartbeat < Event
+      def initialize(stats:, **opts)
+        super(type: "heartbeat", **opts)
+        @stats = stats
+      end
+
+      def as_json
+        super.update(
+          stats: @stats.as_json,
+          routes: @stats.routes.as_json,
+          hostnames: @stats.outbound_connections.as_json,
+          users: @stats.users.as_json
+        )
+      end
+    end
+  end
+end

data/lib/aikido/zen/internals.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require "ffi"
+require_relative "errors"
+
+module Aikido::Zen
+  module Internals
+    extend FFI::Library
+
+    class << self
+      # @return [String] the name of the extension we're loading, which we can
+      #   use in error messages to identify the architecture.
+      attr_accessor :libzen_name
+    end
+
+    self.libzen_name = [
+      "libzen-v#{LIBZEN_VERSION}",
+      FFI::Platform::ARCH,
+      FFI::Platform::LIBSUFFIX
+    ].join(".")
+
+    begin
+      ffi_lib File.expand_path(libzen_name, __dir__)
+
+      # @!method self.detect_sql_injection_native(query, input, dialect)
+      # @param (see .detect_sql_injection)
+      # @returns [Integer] 0 if no injection detected, 1 if an injection was
+      #   detected, or 2 if there was an internal error.
+      # @raise [Aikido::Zen::InternalsError] if there's a problem loading or
+      #   calling libzen.
+      attach_function :detect_sql_injection_native, :detect_sql_injection,
+        [:string, :string, :int], :int
+    rescue LoadError, FFI::NotFoundError => err
+      # Emit an $stderr warning at startup.
+      warn "Zen could not load its binary extension #{libzen_name}: #{err}"
+
+      def self.detect_sql_injection(query, *)
+        attempt = format("%p for SQL injection", query)
+        raise InternalsError.new(attempt, "loading", Internals.libzen_name)
+      end
+    else
+      # Analyzes the SQL query to detect if the provided user input is being
+      # passed as-is without escaping.
+      #
+      # @param query [String]
+      # @param input [String]
+      # @param dialect [Integer, #to_int] the SQL Dialect identifier in libzen.
+      #   See {Aikido::Zen::Scanners::SQLInjectionScanner::DIALECTS}.
+      #
+      # @returns [Boolean]
+      # @raise [Aikido::Zen::InternalsError] if there's a problem loading or
+      #   calling libzen.
+      def self.detect_sql_injection(query, input, dialect)
+        case detect_sql_injection_native(query, input, dialect)
+        when 0 then false
+        when 1 then true
+        when 2
+          attempt = format("%s query %p with input %p", dialect, query, input)
+          raise InternalsError.new(attempt, "calling detect_sql_injection in", libzen_name)
+        end
+      end
+    end
+  end
+end