aikido-zen 0.1.0.alpha4-x86_64-linux

data/lib/aikido/zen/middleware/check_allowed_addresses.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require_relative "../context"
+
+module Aikido::Zen
+  module Middleware
+    # Middleware that rejects requests from IPs blocked in the Aikido dashboard.
+    class CheckAllowedAddresses
+      def initialize(app, config: Aikido::Zen.config, settings: Aikido::Zen.runtime_settings)
+        @app = app
+        @config = config
+        @settings = settings
+      end
+
+      def call(env)
+        request = request_from(env)
+
+        allowed_ips = @settings.endpoints[request.route].allowed_ips
+
+        if allowed_ips.empty? || allowed_ips.include?(request.ip)
+          @app.call(env)
+        else
+          @config.blocked_ip_responder.call(request)
+        end
+      end
+
+      private
+
+      def request_from(env)
+        if (current_context = Aikido::Zen.current_context)
+          current_context.request
+        else
+          Context.from_rack_env(env).request
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/set_context.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative "../context"
+
+module Aikido::Zen
+  module Middleware
+    # Rack middleware that keeps the current context in a Thread/Fiber-local
+    # variable so that other parts of the agent/firewall can access it.
+    class SetContext
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        context = Context.from_rack_env(env)
+
+        Aikido::Zen.current_context = context
+        Aikido::Zen.track_request(context.request)
+
+        @app.call(env)
+      ensure
+        Aikido::Zen.current_context = nil
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/throttler.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require_relative "../context"
+
+module Aikido::Zen
+  module Middleware
+    # Middleware that rejects requests from clients that are making too many
+    # requests to a given endpoint, based in the runtime configuration in the
+    # Aikido dashboard.
+    class Throttler
+      def initialize(
+        app,
+        config: Aikido::Zen.config,
+        settings: Aikido::Zen.runtime_settings,
+        rate_limiter: Aikido::Zen::RateLimiter.new
+      )
+        @app = app
+        @config = config
+        @settings = settings
+        @rate_limiter = rate_limiter
+      end
+
+      def call(env)
+        request = request_from(env)
+
+        if should_throttle?(request)
+          @config.rate_limited_responder.call(request)
+        else
+          @app.call(env)
+        end
+      end
+
+      private
+
+      def should_throttle?(request)
+        return false if @settings.skip_protection_for_ips.include?(request.ip)
+
+        @rate_limiter.throttle?(request)
+      end
+
+      def request_from(env)
+        if (current_context = Aikido::Zen.current_context)
+          current_context.request
+        else
+          Context.from_rack_env(env).request
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/outbound_connection.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Simple data object to identify connections performed to outbound servers.
+  class OutboundConnection
+    # Convenience factory to create connection descriptions out of URI objects.
+    #
+    # @param uri [URI]
+    # @return [Aikido::Zen::OutboundConnection]
+    def self.from_uri(uri)
+      new(host: uri.hostname, port: uri.port)
+    end
+
+    # @return [String] the hostname or IP address to which the connection was
+    #   attempted.
+    attr_reader :host
+
+    # @return [Integer] the port number to which the connection was attempted.
+    attr_reader :port
+
+    def initialize(host:, port:)
+      @host = host
+      @port = port
+    end
+
+    def as_json
+      {hostname: host, port: port}
+    end
+
+    def ==(other)
+      other.is_a?(OutboundConnection) &&
+        host == other.host &&
+        port == other.port
+    end
+    alias_method :eql?, :==
+
+    def hash
+      [host, port].hash
+    end
+
+    def inspect
+      "#<#{self.class.name} #{host}:#{port}>"
+    end
+  end
+end

data/lib/aikido/zen/outbound_connection_monitor.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # This simple callable follows the Scanner API so that it can be injected into
+  # any Sink that wraps an HTTP library, and lets us keep track of any hosts to
+  # which the app communicates over HTTP.
+  module OutboundConnectionMonitor
+    # This simply reports the connection to the Agent, and always returns +nil+
+    # as it's not scanning for any particular attack.
+    #
+    # @param connection [Aikido::Zen::OutboundConnection]
+    # @return [nil]
+    def self.call(connection:, **)
+      Aikido::Zen.track_outbound(connection)
+
+      nil
+    end
+  end
+end

data/lib/aikido/zen/package.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative "sink"
+
+module Aikido::Zen
+  Package = Struct.new(:name, :version) do
+    def initialize(name, version, sinks = Aikido::Zen::Sinks.registry)
+      super(name, version)
+      @sinks = sinks
+    end
+
+    # @return [Boolean] whether we explicitly protect against exploits in this
+    #   library.
+    def supported?
+      @sinks.include?(name)
+    end
+
+    def as_json
+      {name => version.to_s}
+    end
+  end
+end

data/lib/aikido/zen/payload.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # An individual user input in a request, which may come from different
+  # sources (query string, body, cookies, etc).
+  class Payload
+    attr_reader :value, :source, :path
+
+    def initialize(value, source, path)
+      @value = value
+      @source = source
+      @path = path
+    end
+
+    alias_method :to_s, :value
+
+    def ==(other)
+      other.is_a?(Payload) &&
+        other.value == value &&
+        other.source == source &&
+        other.path == path
+    end
+
+    def as_json
+      {
+        payload: value.to_s,
+        source: SOURCE_SERIALIZATIONS[source],
+        pathToPayload: path.to_s
+      }
+    end
+
+    SOURCE_SERIALIZATIONS = {
+      query: "query",
+      body: "body",
+      header: "headers",
+      cookie: "cookies",
+      route: "routeParams",
+      graphql: "graphql",
+      xml: "xml",
+      subdomain: "subdomains"
+    }
+
+    def inspect
+      val = (value.to_s.size > 128) ? value[0..125] + "..." : value
+      "#<Aikido::Zen::Payload #{source}(#{path}) #{val.inspect}>"
+    end
+  end
+end

data/lib/aikido/zen/rails_engine.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "action_dispatch"
+
+module Aikido::Zen
+  class RailsEngine < ::Rails::Engine
+    config.before_configuration do
+      # Access library configuration at `Rails.application.config.aikido_zen`.
+      config.aikido_zen = Aikido::Zen.config
+    end
+
+    initializer "aikido.add_middleware" do |app|
+      app.middleware.use Aikido::Zen::Middleware::SetContext
+      app.middleware.use Aikido::Zen::Middleware::CheckAllowedAddresses
+      app.middleware.use Aikido::Zen::Middleware::Throttler
+
+      # Due to how Rails sets up its middleware chain, the routing is evaluated
+      # (and the Request object constructed) in the app that terminates the
+      # chain, so no amount of middleware will be able to access it.
+      #
+      # This way, we overwrite the Request object as early as we can in the
+      # request handling, so that by the time we start evaluating inputs, we
+      # have assigned the request correctly.
+      ActiveSupport.on_load(:action_controller) do
+        before_action { Aikido::Zen.current_context.update_request(request) }
+      end
+    end
+
+    initializer "aikido.configuration" do |app|
+      app.config.aikido_zen.logger = ::Rails.logger.tagged("aikido")
+      app.config.aikido_zen.request_builder = Aikido::Zen::Context::RAILS_REQUEST_BUILDER
+
+      # Plug Rails' JSON encoder/decoder, but only if the user hasn't changed
+      # them for something else.
+      if app.config.aikido_zen.json_encoder == Aikido::Zen::Config::DEFAULT_JSON_ENCODER
+        app.config.aikido_zen.json_encoder = ActiveSupport::JSON.method(:encode)
+      end
+
+      if app.config.aikido_zen.json_decoder == Aikido::Zen::Config::DEFAULT_JSON_DECODER
+        app.config.aikido_zen.json_decoder = ActiveSupport::JSON.method(:decode)
+      end
+    end
+
+    config.after_initialize do
+      Aikido::Zen.initialize!
+
+      # Make sure this is run at the end of the initialization process, so
+      # that any gems required after aikido-zen are detected and patched
+      # accordingly.
+      Aikido::Zen.load_sinks!
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter/breaker.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require_relative "bucket"
+
+module Aikido::Zen
+  # @api private
+  #
+  # Circuit breaker that rate limits internal API requests in two ways: By using
+  # a sliding window, to allow only a certain number of events over that window,
+  # and with the ability of manually being tripped open when the API responds to
+  # a request with a 429.
+  class RateLimiter::Breaker
+    def initialize(config: Aikido::Zen.config, clock: RateLimiter::Bucket::DEFAULT_CLOCK)
+      @config = config
+      @clock = clock
+
+      @bucket = RateLimiter::Bucket.new(
+        ttl: config.client_rate_limit_period,
+        max_size: config.client_rate_limit_max_events,
+        clock: clock
+      )
+      @opened_at = nil
+    end
+
+    # Trip the circuit open to force all events to be throttled until the
+    # deadline passes.
+    #
+    # @see Aikido::Zen::Config#server_rate_limit_deadline
+    # @return [void]
+    def open!
+      @opened_at = @clock.call
+    end
+
+    # @param event [#type] an event which we'll discriminate by type to decide
+    #   if we should throttle it.
+    # @return [Boolean]
+    def throttle?(event)
+      return true if open? && !try_close
+
+      result = @bucket.increment(event.type)
+      result.throttled?
+    end
+
+    # @!visibility private
+    # @return [Boolean]
+    def open?
+      @opened_at
+    end
+
+    private
+
+    def past_deadline?
+      @opened_at < @clock.call - @config.server_rate_limit_deadline
+    end
+
+    def try_close
+      @opened_at = nil if past_deadline?
+      @opened_at.nil?
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter/bucket.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require_relative "../synchronizable"
+require_relative "result"
+
+module Aikido::Zen
+  # This models a "sliding window" rate limiting bucket (where we keep a bucket
+  # per endpoint). The timestamps of requests are kept grouped by client, and
+  # when a new request is made, we check if the number of requests falls within
+  # the configured limit.
+  #
+  # @example
+  #   bucket = Aikido::Zen::RateLimiter::Bucket.new(ttl: 60, max_size: 3)
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 1)
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 2)
+  #
+  #   # 30 seconds go by
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 3)
+  #
+  #   # 20 more seconds go by
+  #   bucket.increment("1.2.3.4") #=> false (count for this key: 3)
+  #
+  #   # 20 more seconds go by
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 2)
+  #
+  class RateLimiter::Bucket
+    prepend Synchronizable
+
+    # @!visibility private
+    #
+    # Use the monotonic clock to ensure time differences are consistent
+    # and not affected by timezones.or daylight savings changes.
+    DEFAULT_CLOCK = -> { Process.clock_gettime(Process::CLOCK_MONOTONIC).round }
+
+    def initialize(ttl:, max_size:, clock: DEFAULT_CLOCK)
+      @ttl = ttl
+      @max_size = max_size
+      @data = Hash.new { |h, k| h[k] = [] }
+      @clock = clock
+    end
+
+    # Increments the key if the number of entries within the current TTL window
+    # is below the configured threshold.
+    #
+    # @param key [String] discriminating key to identify a client.
+    #   See {Aikido::Zen::Config#rate_limiting_discriminator}.
+    #
+    # @return [Aikido::Zen::RateLimiter::Result] the result of the operation and
+    #   statistics on this bucket for the given key.
+    def increment(key)
+      synchronize do
+        time = @clock.call
+        evict(key, at: time)
+
+        entries = @data[key]
+        throttled = entries.size >= @max_size
+
+        entries << time unless throttled
+
+        RateLimiter::Result.new(
+          throttled: throttled,
+          discriminator: key,
+          current_requests: entries.size,
+          max_requests: @max_size,
+          time_remaining: @ttl - (time - entries.min)
+        )
+      end
+    end
+
+    private
+
+    def evict(key, at: @clock.call)
+      synchronize { @data[key].delete_if { |time| time < (at - @ttl) } }
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter/result.rb

@@ -0,0 +1,31 @@
+module Aikido::Zen
+  # Holds the stats after checking if a request should be rate limited, which
+  # will be added to the Rack env.
+  class RateLimiter::Result
+    # @return [String] the output of the configured discriminator block, used to
+    #   uniquely identify a client (e.g. the remote IP).
+    attr_reader :discriminator
+
+    # @return [Integer] number of requests for the client in the current window.
+    attr_reader :current_requests
+
+    # @return [Integer] configured max number of requests per client.
+    attr_reader :max_requests
+
+    # @return [Integer] number of seconds remaining until the window resets.
+    attr_reader :time_remaining
+
+    def initialize(throttled:, discriminator:, current_requests:, max_requests:, time_remaining:)
+      @throttled = throttled
+      @discriminator = discriminator
+      @current_requests = current_requests
+      @max_requests = max_requests
+      @time_remaining = time_remaining
+    end
+
+    # @return [Boolean] whether the current request was throttled or not.
+    def throttled?
+      @throttled
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require_relative "synchronizable"
+require_relative "middleware/throttler"
+
+module Aikido::Zen
+  # Keeps track of all requests in this process, broken up by Route and further
+  # discriminated by client. Provides a single method that checks if a certain
+  # Request needs to be throttled or not.
+  class RateLimiter
+    prepend Synchronizable
+
+    def initialize(
+      config: Aikido::Zen.config,
+      settings: Aikido::Zen.runtime_settings
+    )
+      @config = config
+      @settings = settings
+      @buckets = Hash.new { |store, route|
+        synchronize {
+          settings = settings_for(route)
+          store[route] = Bucket.new(ttl: settings.period, max_size: settings.max_requests)
+        }
+      }
+    end
+
+    # Checks whether the request requires rate limiting. As a side effect, this
+    # will annotate the request with the "aikido.rate_limiting" ENV key, holding
+    # the result of the check, and including useful stats in case you want to
+    # return RateLimit headers..
+    #
+    # @param request [Aikido::Zen::Request]
+    # @return [Boolean]
+    #
+    # @see Aikido::Zen::RateLimiter::Result
+    def throttle?(request)
+      settings = settings_for(request.route)
+      return false unless settings.enabled?
+
+      bucket = @buckets[request.route]
+      key = @config.rate_limiting_discriminator.call(request)
+      request.env["aikido.rate_limiting"] = bucket.increment(key)
+      request.env["aikido.rate_limiting"].throttled?
+    end
+
+    private
+
+    def settings_for(route)
+      @settings.endpoints[route].rate_limiting
+    end
+  end
+end
+
+require_relative "rate_limiter/bucket"
+require_relative "rate_limiter/breaker"

data/lib/aikido/zen/request/heuristic_router.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+require_relative "../route"
+require_relative "../request"
+
+module Aikido::Zen
+  # Simple router implementation that just identifies the currently requested
+  # URL as a route, attempting to heuristically substitute any path segments
+  # that may look like a parameterized value by something descriptive.
+  #
+  # For example, "/categories/123/events/2024-10-01" would be matched as
+  # "/categories/:number/events/:date"
+  class Request::HeuristicRouter
+    # @param request [Aikido::Zen::Request]
+    # @return [Aikido::Zen::Route, nil]
+    def recognize(request)
+      path = parameterize(request.path)
+      Route.new(verb: request.request_method, path: path)
+    end
+
+    private def parameterize(path)
+      return if path.nil?
+
+      path = path.split("/").map { |part| parameterize_segment(part) }.join("/")
+      path.prepend("/") unless path.start_with?("/")
+      path.chomp!("/") if path.size > 1
+      path
+    end
+
+    private def parameterize_segment(segment)
+      case segment
+      when NUMBER
+        ":number"
+      when UUID
+        ":uuid"
+      when DATE
+        ":date"
+      when EMAIL
+        ":email"
+      when IP
+        ":ip"
+      when HASH
+        ":hash"
+      when SecretMatcher
+        ":secret"
+      else
+        segment
+      end
+    end
+
+    NUMBER = /\A\d+\z/
+    HEX = /\A[a-f0-9]+\z/i
+    DATE = /\A\d{4}-\d{2}-\d{2}|\d{2}-\d{2}-\d{4}\z/
+    UUID = /\A
+            (?:[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}
+            | 00000000-0000-0000-0000-000000000000
+            | ffffffff-ffff-ffff-ffff-ffffffffffff
+            )\z/ix
+    EMAIL = /\A
+              [a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+
+              @
+              [a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?
+              (?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*
+            \z/x
+    IP = ->(segment) {
+      IPAddr::RE_IPV4ADDRLIKE.match?(segment) ||
+        IPAddr::RE_IPV6ADDRLIKE_COMPRESSED.match?(segment) ||
+        IPAddr::RE_IPV6ADDRLIKE_FULL.match?(segment)
+    }
+    HASH = ->(segment) { [32, 40, 64, 128].include?(segment.size) && HEX === segment }
+
+    class SecretMatcher
+      # Decides if a given string looks random enough to be a "secret".
+      #
+      # @param candidate [String]
+      # @return [Boolean]
+      def self.===(candidate)
+        new(candidate).matches?
+      end
+
+      private def initialize(string)
+        @string = string
+      end
+
+      def matches?
+        return false if @string.size <= MIN_LENGTH
+        return false if SEPARATORS === @string
+        return false unless DIGIT === @string
+        return false if [LOWER, UPPER, SPECIAL].none? { |pattern| pattern === @string }
+
+        ratios = @string.chars.each_cons(MIN_LENGTH).map do |window|
+          window.to_set.size / MIN_LENGTH.to_f
+        end
+
+        ratios.sum / ratios.size > SECRET_THRESHOLD
+      end
+
+      MIN_LENGTH = 10
+      SECRET_THRESHOLD = 0.75
+
+      LOWER = /[[:lower:]]/
+      UPPER = /[[:upper:]]/
+      DIGIT = /[[:digit:]]/
+      SPECIAL = /[!#\$%^&*|;:<>]/
+      SEPARATORS = /[[:space:]]|-/
+    end
+  end
+end