aikido-zen 0.1.0.alpha4-x86_64-darwin → 0.1.1-x86_64-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a2b29278e86f4d18b83d90a8d0bdd6931c3a47e73c3478e48cd389e09ff276ce
-  data.tar.gz: b836b70bdb7d622d7a2b6d186d186406b02caa9cbec82aefcfb312adc1c526a2
+  metadata.gz: 0aa289d304c5e3c07a2f797988ef4dd3365d0798635a33872d1a8208a0b2945d
+  data.tar.gz: efd5caa2aafc56a5355198cd4e43f226c1aa44178078a2e7f47ae46b66b8dc8f
 SHA512:
-  metadata.gz: 7b65e019eebdf3967cf4a448f41bb2940f06241ea165eb75515458520be2f19033bbfdc1767303809937e69f504dcdc2feee14d638151bfc0fe46572b9611de8
-  data.tar.gz: 31798bd00abfc04ef4bf977f9645488f71689f25d70856f815d16937e5da83821847385505c41df62d64d16448679b1da149b3095c30367a035e82201c907318
+  metadata.gz: 360bc33ac62e7973369b9b1e72beb628d4efd08c5ccc64464360923493dc71d3f5069c73dc7c5dd62d33c4de242ce11c28496e67a44dd3109ef1bcd1396e0135
+  data.tar.gz: 00ddf6f7584bd29a3f556de726ac701a86bde8b5135a94d155c9a57a7c7d811f1d664a3905d41d2ee1c096329817f822dc67d83e06562a0360e15ae7f3f5acea

data/.simplecov

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# Due to dependency resolution, on Ruby 2.x we're stuck with a _very_ old
+# SimpleCov version, and it doesn't really give us any benefit to run coverage
+# in separate ruby versions since we don't branch on ruby version in the code.
+return if RUBY_VERSION < "3.0"
+
+SimpleCov.start do
+  # Make sure SimpleCov waits until after the tests
+  # are finished to generate the coverage reports.
+  self.external_at_exit = true
+
+  enable_coverage :branch
+  minimum_coverage line: 95, branch: 85
+
+  add_filter "/test/"
+end
+
+# vim: ft=ruby

data/CHANGELOG.md

@@ -2,4 +2,20 @@
 
 ## [Unreleased]
 
+## 0.1.1
+
+### Fixed
+
+- Avoid an error when sending the initial heartbeat if the Aikido server hasn't
+  received stats yet.
+- Fix the SSRF scanner to ensure the port in the user-supplied payload matches
+  the port in the request.
+- Don't break the HTTP.rb sink when a Zen context isn't set.
+- Don't break the Typhoeus sink when a Zen context isn't set.
+- Don't break the PG sink outside of Rails.
+- Updated [libzen](https://github.com/AikidoSec/zen-internals) to v0.1.31 to
+  prevent flagging false positives in SQL queries with comments.
+
+## 0.1.0
+
 - Initial version

data/README.md

@@ -1,40 +1,153 @@
-# Aikido::Firewall
+![Zen by Aikido for Ruby](./docs/banner.svg)
 
-TODO: Write me :)
+# Zen, in-app firewall for Ruby | by Aikido
+
+Zen, your in-app firewall for peace of mind—at runtime.
+
+Zen by Aikido is an embedded Web Application Firewall that autonomously protects
+Ruby on Rails apps against common and critical attacks.
+
+It protects your Rails apps by preventing user input containing dangerous
+strings, preventing SQL injection and SSRF attacks. It runs embedded on your
+Rails application, for simple installation and zero maintenance.
+
+* 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
+* 🛡️ [Server-side request forgery (SSRF)](https://github.com/AikidoSec/firewall-node/blob/main/docs/ssrf.md)
+* 🛡️ [Command injection attacks](https://owasp.org/www-community/attacks/Command_Injection) (coming soon)
+* 🛡️ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)
+* 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities) (coming soon)
+
+Zen operates autonomously on the same server as your Rails app to:
+
+* ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost.
+* ✅ Rate limit specific API endpoints by IP or by user.
+* ✅ Allow you to block specific users manually.
+
+## Supported libraries and frameworks
+
+Zen for Ruby 2.7+ is compatible with:
+
+### Database drivers
+
+* ✅ [sqlite3](https://github.com/sparklemotion/sqlite3-ruby) 1.x, 2.x
+* ✅ [pg](https://github.com/ged/ruby-pg) 1.x
+* ✅ [trilogy](https://github.com/trilogy-libraries/trilogy) 2.x
+* ✅ [mysql2](https://github.com/brianmario/mysql2) 0.x
+
+### ORMs and Query Builders
+
+See list above for supported database drivers.
+
+* ✅ [ActiveRecord](https://github.com/rails/rails)
+* ✅ [Sequel](https://github.com/jeremyevans/sequel)
+
+### HTTP Clients
+
+* ✅ [net-http](https://github.com/ruby/net-http)
+* ✅ [http.rb](https://github.com/httprb/http) 1.x, 2.x, 3.x, 4.x, 5.x
+* ✅ [httpx](https://gitlab.com/os85/httpx) 1.x (1.1.3+)
+* ✅ [HttpClient](https://github.com/nahi/httpclient) 2.x, 3.x
+* ✅ [excon](https://github.com/excon/excon) 0.x (0.50.0+), 1.x
+* ✅ [patron](https://github.com/toland/patron) 0.x (0.6.4+)
+* ✅ [typhoeus](https://github.com/typhoeus/typhoeus) 0.x (0.5.0+), 1.x
+* ✅ [curb](https://github.com/taf2/curb) 0.x (0.2.3+), 1.x
+* ✅ [em-http-request](https://github.com/igrigorik/em-http-request) 1.x
+* ✅ [async-http](https://github.com/igrigorik/em-http-request) 0.x (0.70.0+)
 
 ## Installation
 
-Install the gem and add to the application's Gemfile by executing:
+We recommend testing Zen locally or on staging before deploying to production.
+
+```
+bundle add aikido-zen
+```
+
+or, if not using bundler:
+
+```
+gem install aikido-zen
+```
 
-    $ bundle add aikido-firewall
+For framework specific instructions, check out our docs:
 
-If bundler is not being used to manage dependencies, install the gem by executing:
+* [Ruby on Rails apps](docs/rails.md)
 
-    $ gem install aikido-firewall
+## Running in production (blocking) mode
 
-## Development
+By default, Zen will only detect and report attacks to Aikido.
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run
-`rake test` to run the tests. You can also run `bin/console` for an interactive
-prompt that will allow you to experiment.
+To block requests, set the `AIKIDO_BLOCK` environment variable to `true`.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To
-release a new version, update the version number in `version.rb`, and then run
-`bundle exec rake release`, which will create a git tag for the version, push
-git commits and the created tag, and push the `.gem` file to
-[rubygems.org](https://rubygems.org).
+See [Reporting to Aikido](#reporting-to-your-aikido-security-dashboard) to learn
+how to send events to Aikido.
+
+## Reporting to your Aikido Security dashboard
+
+> Aikido is your no nonsense application security platform. One central system
+> that scans your source code & cloud, shows you what vulnerabilities matter,
+> and how to fix them - fast. So you can get back to building.
+
+Zen is a new product by Aikido. Built for developers to level up their security.
+While Aikido scans, get Zen for always-on protection.
+
+You can use some of Zen’s features without Aikido, of course. Peace of mind is
+just a few lines of code away.
+
+But you will get the most value by reporting your data to Aikido.
+
+You will need an Aikido account and a token to report events to Aikido. If you
+don't have an account, you can sign up for free.
+
+Here's how:
+
+* Log in to your Aikido account.
+* Go to "Zen" on the sidebar.
+* Click on "Add App".
+* Choose a name for your App.
+* Click "Continue to Install"
+* Click "Generate Token".
+* Copy the token.
+* Set the token as an environment variable, `AIKIDO_TOKEN`, using
+  [dotenv](https://github.com/bkeepers/dotenv) or another method
+  of your choosing.
+
+## Performance
+
+We run a benchmark on every commit to ensure Zen has a minimal impact on your
+application's performance.
+
+For example, here's a benchmark that runs a single GET request to a Rails
+endpoint that performs a single SQL SELECT query:
+
+| Without Zen      | With Zen      | Difference    |
+|------------------|---------------|---------------|
+| 3.527ms          | 3.583ms       | +0.056ms      |
+
+Using Ruby 3.3, Rails 7.1, SQLite 1.7, running on a MacBook Pro M1 Pro. Results
+will vary based on hardware.
+
+See [benchmarks](benchmarks) for more information.
+
+## Bug bounty program
+
+Our bug bounty program is public and can be found by all registered Intigriti
+users at: https://app.intigriti.com/researcher/programs/aikido/aikidoruntime
 
 ## Contributing
 
-Bug reports and pull requests are welcome [on GitHub][repo]. This project is
-intended to be a safe, welcoming space for collaboration, and contributors are
-expected to adhere to the [code of conduct][coc].
+See [CONTRIBUTING.md](.github/CONTRIBUTING.md) for more information.
 
 ## Code of Conduct
 
-Everyone interacting in the `Aikido::Firewall` project's codebases, issue
-trackers, chat rooms and mailing lists is expected to follow the [code of
-conduct][coc].
+See [CODE_OF_CONDUCT.md](.github/CODE_OF_CONDUCT.md) for more information.
+
+## License
+
+This program is offered under a commercial and under the AGPL license. You can
+be released from the requirements of the AGPL license by purchasing a commercial
+license. Buying such a license is mandatory as soon as you develop commercial
+activities involving the Zen software without disclosing the source code of your
+own applications.
 
-[repo]: https://github.com/aikidosec/firewall-ruby
-[coc]: https://github.com/aikidosec/firewall-ruby/blob/main/CODE_OF_CONDUCT.md
+For more information, please contact Aikido Security at this address:
+support@aikido.dev or create an account at https://app.aikido.dev.

data/Rakefile

@@ -6,6 +6,10 @@ require "standard/rake"
 require "rake/clean"
 
 load "tasklib/libzen.rake"
+load "tasklib/bench.rake"
+
+desc "Run all benchmarks"
+task bench: "bench:default"
 
 namespace :build do
   desc "Ensure Gemfile.lock is up-to-date"

data/benchmarks/README.md

@@ -0,0 +1,27 @@
+# Benchmarking Zen for Ruby
+
+This directory contains the benchmarking scripts that we use to ensure adding
+Zen to your application does not impact performance significantly.
+
+We use [Grafana K6](https://k6.io) for these. For each sample application we
+include in this repo under [sample_apps](../sample_apps), you should find
+a script here that runs certain benchmarks against that app.
+
+To run all the benchmarks, run the following from the root of the project:
+
+```
+$ bundle exec rake bench
+```
+
+In order to run a benchmarks against a single application, run the following
+from the root of the project:
+
+```
+$ bundle exec rake bench:{app}:run
+```
+
+For example, for the `rails7.1_sql_injection` application:
+
+```
+$ bundle exec rake bench:rails7.1_sql_injection:run
+```

data/benchmarks/rails7.1_sql_injection.js

@@ -0,0 +1,74 @@
+import http from 'k6/http';
+import { textSummary } from 'https://jslib.k6.io/k6-summary/0.0.2/index.js';
+import { check, sleep, fail } from 'k6';
+import exec from 'k6/execution';
+import { Trend } from 'k6/metrics';
+
+const HTTP = {
+  withZen: {
+    get: (path, ...args) => http.get("http://localhost:3001" + path, ...args),
+    post: (path, ...args) => http.post("http://localhost:3001" + path, ...args)
+  },
+  withoutZen: {
+    get: (path, ...args) => http.get("http://localhost:3002" + path, ...args),
+    post: (path, ...args) => http.post("http://localhost:3002" + path, ...args)
+  }
+}
+
+function test(name, fn) {
+  const duration = tests[name].duration;
+  const overhead = tests[name].overhead;
+
+  const withZen = fn(HTTP.withZen);
+  const withoutZen = fn(HTTP.withoutZen);
+
+  const timeWithZen = withZen.timings.duration,
+        timeWithoutZen = withoutZen.timings.duration;
+
+  duration.add(timeWithZen - timeWithoutZen);
+
+  const ratio = withZen.timings.duration / withoutZen.timings.duration;
+  overhead.add(100 * (timeWithZen - timeWithoutZen) / timeWithoutZen)
+}
+
+const defaultHeaders = {
+  "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
+};
+
+const tests = {
+  test_post_page_with_json_body: {
+    duration: new Trend("test_post_page_with_json_body"),
+    overhead: new Trend("test_overhead_with_json_body")
+  },
+  test_get_page_without_attack: {
+    duration: new Trend("test_get_page_without_attack"),
+    overhead: new Trend("test_overhead_without_attack")
+  },
+  test_get_page_with_sql_injection: {
+    duration: new Trend("test_get_page_with_sql_injection"),
+    overhead: new Trend("test_overhead_with_sql_injection"),
+  }
+}
+export const options = {
+  vus: 1, // Number of virtual users
+  iterations: 200,
+  thresholds: {
+    test_post_page_with_json_body: ["med<10"],
+    test_get_page_without_attack: ["med<10"],
+    test_get_page_with_sql_injection: ["med<10"],
+  }
+};
+
+const expectAttack = http.expectedStatuses(500);
+
+export default function () {
+  test("test_post_page_with_json_body",
+    (http) => http.post("/cats", JSON.stringify({cat: {name: "Féline Dion"}}), {
+      headers: {"Content-Type": "application/json"}
+    })
+  )
+  test("test_get_page_without_attack", (http) => http.get("/cats"))
+  test("test_get_page_with_sql_injection", (http) =>
+    http.get("/cats/1'%20OR%20''='", {responseCallback: expectAttack})
+  )
+}