aikido-zen 0.1.0.alpha4-arm64-linux

data/lib/aikido/zen/sinks/excon.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module Excon
+      SINK = Sinks.add("excon", scanners: [
+        Aikido::Zen::Scanners::SSRFScanner,
+        Aikido::Zen::OutboundConnectionMonitor
+      ])
+
+      module Extensions
+        # Maps Excon request params to an Aikido OutboundConnection.
+        #
+        # @param connection [Hash<Symbol, Object>] the data set in the connection.
+        # @param request [Hash<Symbol, Object>] the data overrides sent for each
+        #   request.
+        #
+        # @return [Aikido::Zen::OutboundConnection]
+        def self.build_outbound(connection, request)
+          Aikido::Zen::OutboundConnection.new(
+            host: request.fetch(:hostname) { connection[:hostname] },
+            port: request.fetch(:port) { connection[:port] }
+          )
+        end
+
+        def self.build_request(connection, request)
+          uri = URI(format("%<scheme>s://%<host>s:%<port>i%<path>s", {
+            scheme: request.fetch(:scheme) { connection[:scheme] },
+            host: request.fetch(:hostname) { connection[:hostname] },
+            port: request.fetch(:port) { connection[:port] },
+            path: request.fetch(:path) { connection[:path] }
+          }))
+          uri.query = request.fetch(:query) { connection[:query] }
+
+          Aikido::Zen::Scanners::SSRFScanner::Request.new(
+            verb: request.fetch(:method) { connection[:method] },
+            uri: uri,
+            headers: connection[:headers].to_h.merge(request[:headers].to_h)
+          )
+        end
+
+        def request(params = {}, *)
+          request = Extensions.build_request(@data, params)
+
+          # Store the request information so the DNS sinks can pick it up.
+          if (context = Aikido::Zen.current_context)
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = request
+          end
+
+          SINK.scan(
+            connection: Aikido::Zen::OutboundConnection.from_uri(request.uri),
+            request: request,
+            operation: "request"
+          )
+
+          response = super
+
+          Aikido::Zen::Scanners::SSRFScanner.track_redirects(
+            request: request,
+            response: Aikido::Zen::Scanners::SSRFScanner::Response.new(
+              status: response.status,
+              headers: response.headers.to_h
+            )
+          )
+
+          response
+        rescue ::Excon::Error::Socket => err
+          # Excon wraps errors inside the lower level layer. This only happens
+          # to our scanning exceptions when a request is using RedirectFollower,
+          # so we unwrap them when it happens so host apps can handle errors
+          # consistently.
+          raise err.cause if err.cause.is_a?(Aikido::Zen::UnderAttackError)
+          raise
+        ensure
+          context["ssrf.request"] = prev_request if context
+        end
+      end
+
+      module RedirectFollowerExtensions
+        def response_call(data)
+          if (response = data[:response])
+            Aikido::Zen::Scanners::SSRFScanner.track_redirects(
+              request: Extensions.build_request(data, {}),
+              response: Aikido::Zen::Scanners::SSRFScanner::Response.new(
+                status: response[:status],
+                headers: response[:headers]
+              )
+            )
+          end
+
+          super
+        end
+      end
+    end
+  end
+end
+
+::Excon::Connection.prepend(Aikido::Zen::Sinks::Excon::Extensions)
+::Excon::Middleware::RedirectFollower.prepend(Aikido::Zen::Sinks::Excon::RedirectFollowerExtensions)

data/lib/aikido/zen/sinks/http.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module HTTP
+      SINK = Sinks.add("http", scanners: [
+        Aikido::Zen::Scanners::SSRFScanner,
+        Aikido::Zen::OutboundConnectionMonitor
+      ])
+
+      module Extensions
+        # Maps an HTTP Request to an Aikido OutboundConnection.
+        #
+        # @param req [HTTP::Request]
+        # @return [Aikido::Zen::OutboundConnection]
+        def self.build_outbound(req)
+          Aikido::Zen::OutboundConnection.new(
+            host: req.socket_host,
+            port: req.socket_port
+          )
+        end
+
+        # Wraps the HTTP request with an API we can depend on.
+        #
+        # @param req [HTTP::Request]
+        # @return [Aikido::Zen::Scanners::SSRFScanner::Request]
+        def self.wrap_request(req)
+          Aikido::Zen::Scanners::SSRFScanner::Request.new(
+            verb: req.verb,
+            uri: URI(req.uri.to_s),
+            headers: req.headers.to_h
+          )
+        end
+
+        def self.wrap_response(resp)
+          Aikido::Zen::Scanners::SSRFScanner::Response.new(
+            status: resp.status,
+            headers: resp.headers.to_h
+          )
+        end
+
+        def perform(req, *)
+          wrapped_request = Extensions.wrap_request(req)
+
+          # Store the request information so the DNS sinks can pick it up.
+          if (context = Aikido::Zen.current_context)
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = wrapped_request
+          end
+
+          SINK.scan(
+            request: wrapped_request,
+            connection: Extensions.build_outbound(req),
+            operation: "request"
+          )
+
+          response = super
+
+          Aikido::Zen::Scanners::SSRFScanner.track_redirects(
+            request: wrapped_request,
+            response: Extensions.wrap_response(response)
+          )
+
+          response
+        ensure
+          context["ssrf.request"] = prev_request
+        end
+      end
+    end
+  end
+end
+
+::HTTP::Client.prepend(Aikido::Zen::Sinks::HTTP::Extensions)

data/lib/aikido/zen/sinks/httpclient.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module HTTPClient
+      SINK = Sinks.add("httpclient", scanners: [
+        Aikido::Zen::Scanners::SSRFScanner,
+        Aikido::Zen::OutboundConnectionMonitor
+      ])
+
+      module Extensions
+        def self.wrap_request(req)
+          Aikido::Zen::Scanners::SSRFScanner::Request.new(
+            verb: req.http_header.request_method,
+            uri: req.http_header.request_uri,
+            headers: req.headers
+          )
+        end
+
+        def self.wrap_response(resp)
+          Aikido::Zen::Scanners::SSRFScanner::Response.new(
+            status: resp.http_header.status_code,
+            headers: resp.headers
+          )
+        end
+
+        def self.perform_scan(req, &block)
+          wrapped_request = wrap_request(req)
+          connection = Aikido::Zen::OutboundConnection.from_uri(req.http_header.request_uri)
+
+          # Store the request information so the DNS sinks can pick it up.
+          if (context = Aikido::Zen.current_context)
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = wrapped_request
+          end
+
+          SINK.scan(connection: connection, request: wrapped_request, operation: "request")
+
+          yield
+        ensure
+          context["ssrf.request"] = prev_request if context
+        end
+
+        def do_get_block(req, *)
+          Extensions.perform_scan(req) { super }
+        end
+
+        def do_get_stream(req, *)
+          Extensions.perform_scan(req) { super }
+        end
+
+        def do_get_header(req, res, *)
+          super.tap do
+            Aikido::Zen::Scanners::SSRFScanner.track_redirects(
+              request: Extensions.wrap_request(req),
+              response: Extensions.wrap_response(res)
+            )
+          end
+        end
+      end
+    end
+  end
+end
+
+::HTTPClient.prepend(Aikido::Zen::Sinks::HTTPClient::Extensions)

data/lib/aikido/zen/sinks/httpx.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module HTTPX
+      SINK = Sinks.add("httpx", scanners: [
+        Aikido::Zen::Scanners::SSRFScanner,
+        Aikido::Zen::OutboundConnectionMonitor
+      ])
+
+      module Extensions
+        def self.wrap_request(request)
+          Aikido::Zen::Scanners::SSRFScanner::Request.new(
+            verb: request.verb,
+            uri: request.uri,
+            headers: request.headers.to_hash
+          )
+        end
+
+        def self.wrap_response(response)
+          Aikido::Zen::Scanners::SSRFScanner::Response.new(
+            status: response.status,
+            headers: response.headers.to_hash
+          )
+        end
+
+        def send_request(request, *)
+          wrapped_request = Extensions.wrap_request(request)
+
+          # Store the request information so the DNS sinks can pick it up.
+          if (context = Aikido::Zen.current_context)
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = wrapped_request
+          end
+
+          SINK.scan(
+            connection: Aikido::Zen::OutboundConnection.from_uri(request.uri),
+            request: wrapped_request,
+            operation: "request"
+          )
+
+          request.on(:response) do |response|
+            Aikido::Zen::Scanners::SSRFScanner.track_redirects(
+              request: wrapped_request,
+              response: Extensions.wrap_response(response)
+            )
+          end
+
+          super
+        ensure
+          context["ssrf.request"] = prev_request if context
+        end
+      end
+    end
+  end
+end
+
+::HTTPX::Session.prepend(Aikido::Zen::Sinks::HTTPX::Extensions)

data/lib/aikido/zen/sinks/mysql2.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+
+module Aikido::Zen
+  module Sinks
+    module Mysql2
+      SINK = Sinks.add("mysql2", scanners: [Scanners::SQLInjectionScanner])
+
+      module Extensions
+        def query(query, *)
+          SINK.scan(query: query, dialect: :mysql, operation: "query")
+
+          super
+        end
+      end
+    end
+  end
+end
+
+::Mysql2::Client.prepend(Aikido::Zen::Sinks::Mysql2::Extensions)

data/lib/aikido/zen/sinks/net_http.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module Net
+      module HTTP
+        SINK = Sinks.add("net-http", scanners: [
+          Aikido::Zen::Scanners::SSRFScanner,
+          Aikido::Zen::OutboundConnectionMonitor
+        ])
+
+        module Extensions
+          # Maps a Net::HTTP connection to an Aikido OutboundConnection,
+          # which our tooling expects.
+          #
+          # @param http [Net::HTTP]
+          # @return [Aikido::Zen::OutboundConnection]
+          def self.build_outbound(http)
+            Aikido::Zen::OutboundConnection.new(
+              host: http.address,
+              port: http.port
+            )
+          end
+
+          def self.wrap_request(req, session)
+            uri = req.uri if req.uri.is_a?(URI)
+            uri ||= URI(format("%<scheme>s://%<hostname>s:%<port>s%<path>s", {
+              scheme: session.use_ssl? ? "https" : "http",
+              hostname: session.address,
+              port: session.port,
+              path: req.path
+            }))
+
+            Aikido::Zen::Scanners::SSRFScanner::Request.new(
+              verb: req.method,
+              uri: uri,
+              headers: req.to_hash,
+              header_normalizer: ->(val) { Array(val).join(", ") }
+            )
+          end
+
+          def self.wrap_response(response)
+            Aikido::Zen::Scanners::SSRFScanner::Response.new(
+              status: response.code.to_i,
+              headers: response.to_hash,
+              header_normalizer: ->(val) { Array(val).join(", ") }
+            )
+          end
+
+          def request(req, *)
+            wrapped_request = Extensions.wrap_request(req, self)
+
+            # Store the request information so the DNS sinks can pick it up.
+            if (context = Aikido::Zen.current_context)
+              prev_request = context["ssrf.request"]
+              context["ssrf.request"] = wrapped_request
+            end
+
+            SINK.scan(
+              connection: Extensions.build_outbound(self),
+              request: wrapped_request,
+              operation: "request"
+            )
+
+            response = super
+
+            Aikido::Zen::Scanners::SSRFScanner.track_redirects(
+              request: wrapped_request,
+              response: Extensions.wrap_response(response)
+            )
+
+            response
+          ensure
+            context["ssrf.request"] = prev_request if context
+          end
+        end
+      end
+    end
+  end
+end
+
+::Net::HTTP.prepend(Aikido::Zen::Sinks::Net::HTTP::Extensions)

data/lib/aikido/zen/sinks/patron.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module Patron
+      SINK = Sinks.add("patron", scanners: [
+        Aikido::Zen::Scanners::SSRFScanner,
+        Aikido::Zen::OutboundConnectionMonitor
+      ])
+
+      module Extensions
+        def self.wrap_response(request, response)
+          # In this case, automatic redirection happened inside libcurl.
+          if response.url != request.url && !response.url.to_s.empty?
+            Aikido::Zen::Scanners::SSRFScanner::Response.new(
+              status: 302, # We can't know what the actual status was, but we just need a 3XX
+              headers: response.headers.merge("Location" => response.url)
+            )
+          else
+            Aikido::Zen::Scanners::SSRFScanner::Response.new(
+              status: response.status,
+              headers: response.headers
+            )
+          end
+        end
+
+        def handle_request(request)
+          wrapped_request = Aikido::Zen::Scanners::SSRFScanner::Request.new(
+            verb: request.action,
+            uri: URI(request.url),
+            headers: request.headers
+          )
+
+          # Store the request information so the DNS sinks can pick it up.
+          if (context = Aikido::Zen.current_context)
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = wrapped_request
+          end
+
+          SINK.scan(
+            connection: Aikido::Zen::OutboundConnection.from_uri(URI(request.url)),
+            request: wrapped_request,
+            operation: "request"
+          )
+
+          response = super
+
+          Aikido::Zen::Scanners::SSRFScanner.track_redirects(
+            request: wrapped_request,
+            response: Extensions.wrap_response(request, response)
+          )
+
+          # When libcurl has follow_location set, it will handle redirections
+          # internally, and expose the response.url as the URI that was last
+          # requested in the redirect chain.
+          #
+          # In this case, we can't actually stop the request from happening, but
+          # we can scan again (now that we know another request happened), to
+          # stop the response from being exposed to the user. This downgrades
+          # the SSRF into a blind SSRF, which is better than doing nothing.
+          if request.url != response.url && !response.url.to_s.empty?
+            last_effective_request = Aikido::Zen::Scanners::SSRFScanner::Request.new(
+              verb: request.action,
+              uri: URI(response.url),
+              headers: request.headers
+            )
+            context["ssrf.request"] = last_effective_request if context
+
+            SINK.scan(
+              connection: Aikido::Zen::OutboundConnection.from_uri(URI(response.url)),
+              request: last_effective_request,
+              operation: "request"
+            )
+          end
+
+          response
+        ensure
+          context["ssrf.request"] = prev_request if context
+        end
+      end
+    end
+  end
+end
+
+::Patron::Session.prepend(Aikido::Zen::Sinks::Patron::Extensions)

data/lib/aikido/zen/sinks/pg.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+
+module Aikido::Zen
+  module Sinks
+    module PG
+      SINK = Sinks.add("pg", scanners: [Scanners::SQLInjectionScanner])
+
+      module Extensions
+        %i[
+          send_query exec sync_exec async_exec
+          send_query_params exec_params sync_exec_params async_exec_params
+        ].each do |method|
+          module_eval <<~RUBY, __FILE__, __LINE__ + 1
+            def #{method}(query, *)
+              SINK.scan(query: query, dialect: :postgresql, operation: :#{method})
+              super
+            rescue Aikido::Zen::SQLInjectionError
+              # The pg adapter does not wrap exceptions in StatementInvalid, which
+              # leads to inconsistent handling. This guarantees that all Aikido
+              # errors are wrapped in a StatementInvalid, so documentation can be
+              # consistent.
+              raise ActiveRecord::StatementInvalid
+            end
+          RUBY
+        end
+
+        %i[
+          send_prepare prepare async_prepare sync_prepare
+        ].each do |method|
+          module_eval <<~RUBY, __FILE__, __LINE__ + 1
+            def #{method}(_, query, *)
+              SINK.scan(query: query, dialect: :postgresql, operation: :#{method})
+              super
+            rescue Aikido::Zen::SQLInjectionError
+              # The pg adapter does not wrap exceptions in StatementInvalid, which
+              # leads to inconsistent handling. This guarantees that all Aikido
+              # errors are wrapped in a StatementInvalid, so documentation can be
+              # consistent.
+              raise ActiveRecord::StatementInvalid
+            end
+          RUBY
+        end
+      end
+    end
+  end
+end
+
+::PG::Connection.prepend(Aikido::Zen::Sinks::PG::Extensions)

data/lib/aikido/zen/sinks/resolv.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+require_relative "../scanners/stored_ssrf_scanner"
+require_relative "../scanners/ssrf_scanner"
+
+module Aikido::Zen
+  module Sinks
+    module Resolv
+      SINK = Sinks.add("resolv", scanners: [
+        Aikido::Zen::Scanners::StoredSSRFScanner,
+        Aikido::Zen::Scanners::SSRFScanner
+      ])
+
+      module Extensions
+        def each_address(name, &block)
+          addresses = []
+
+          super do |address|
+            addresses << address
+            yield address
+          end
+        ensure
+          if (context = Aikido::Zen.current_context)
+            context["dns.lookups"] ||= Aikido::Zen::Scanners::SSRF::DNSLookups.new
+            context["dns.lookups"].add(name, addresses)
+          end
+
+          SINK.scan(
+            hostname: name,
+            addresses: addresses,
+            request: context && context["ssrf.request"],
+            operation: "lookup"
+          )
+        end
+      end
+    end
+  end
+end
+
+::Resolv.prepend(Aikido::Zen::Sinks::Resolv::Extensions)

data/lib/aikido/zen/sinks/socket.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require "socket"
+
+module Aikido::Zen
+  module Sinks
+    # We intercept IPSocket.open to hook our DNS checks around it, since
+    # there's no way to access the internal DNS resolution that happens in C
+    # when using the socket primitives.
+    module Socket
+      SINK = Sinks.add("socket", scanners: [
+        Aikido::Zen::Scanners::StoredSSRFScanner,
+        Aikido::Zen::Scanners::SSRFScanner
+      ])
+
+      module IPSocketExtensions
+        def self.scan_socket(hostname, socket)
+          # ["AF_INET", 80, "10.0.0.1", "10.0.0.1"]
+          addr_family, *, remote_address = socket.peeraddr
+
+          # We only care about IPv4 (AF_INET) or IPv6 (AF_INET6) sockets
+          # This might be overcautious, since this is _IP_Socket, so you
+          # would expect it's only used for IP connections?
+          return unless addr_family.start_with?("AF_INET")
+
+          if (context = Aikido::Zen.current_context)
+            context["dns.lookups"] ||= Aikido::Zen::Scanners::SSRF::DNSLookups.new
+            context["dns.lookups"].add(hostname, remote_address)
+          end
+
+          SINK.scan(
+            hostname: hostname,
+            addresses: [remote_address],
+            request: context && context["ssrf.request"],
+            operation: "open"
+          )
+        end
+
+        def open(name, *)
+          socket = super
+
+          IPSocketExtensions.scan_socket(name, socket)
+
+          socket
+        end
+      end
+    end
+  end
+end
+
+::IPSocket.singleton_class.prepend(Aikido::Zen::Sinks::Socket::IPSocketExtensions)

data/lib/aikido/zen/sinks/sqlite3.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative "../sink"
+
+module Aikido::Zen
+  module Sinks
+    module SQLite3
+      SINK = Sinks.add("sqlite3", scanners: [Scanners::SQLInjectionScanner])
+
+      module DatabaseExt
+        def exec_batch(sql, *)
+          SINK.scan(query: sql, dialect: :sqlite, operation: "exec_batch")
+
+          super
+        end
+      end
+
+      module StatementExt
+        def initialize(_, sql, *)
+          SINK.scan(query: sql, dialect: :sqlite, operation: "statement.execute")
+
+          super
+        end
+      end
+    end
+  end
+end
+
+::SQLite3::Database.prepend(Aikido::Zen::Sinks::SQLite3::DatabaseExt)
+::SQLite3::Statement.prepend(Aikido::Zen::Sinks::SQLite3::StatementExt)