aikido-zen 0.1.0.alpha4-x86_64-linux

data/lib/aikido/zen/runtime_settings/endpoints.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require_relative "../route"
+require_relative "protection_settings"
+
+module Aikido::Zen
+  # Wraps the list of endpoint protection settings, providing an interface for
+  # checking the settings for any given route. If the route has no configured
+  # settings, that will return the singleton
+  # {RuntimeSettings::ProtectionSettings.none}.
+  #
+  # @example
+  #   endpoint = runtime_settings.endpoints[request.route]
+  #   block_request unless endpoint.allows?(request.ip)
+  class RuntimeSettings::Endpoints
+    # @param data [Array<Hash>]
+    # @return [Aikido::Zen::RuntimeSettings::Endpoints]
+    def self.from_json(data)
+      data = Array(data).map { |item|
+        route = Route.new(verb: item["method"], path: item["route"])
+        settings = RuntimeSettings::ProtectionSettings.from_json(item)
+        [route, settings]
+      }.to_h
+
+      new(data)
+    end
+
+    def initialize(data = {})
+      @endpoints = data
+      @endpoints.default = RuntimeSettings::ProtectionSettings.none
+    end
+
+    # @param route [Aikido::Zen::Route]
+    # @return [Aikido::Zen::RuntimeSettings::ProtectionSettings]
+    def [](route)
+      @endpoints[route]
+    end
+
+    # @!visibility private
+    def ==(other)
+      other.is_a?(RuntimeSettings::Endpoints) && to_h == other.to_h
+    end
+
+    # @!visibility private
+    protected def to_h
+      @endpoints
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings/ip_set.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+
+module Aikido::Zen
+  # Models a list of IP addresses or CIDR blocks, where we can check if a given
+  # address is part of any of the members.
+  class RuntimeSettings::IPSet
+    def self.from_json(ips)
+      new(Array(ips).map { |ip| IPAddr.new(ip) })
+    end
+
+    def initialize(ips = Set.new)
+      @ips = ips.to_set
+    end
+
+    def empty?
+      @ips.empty?
+    end
+
+    def include?(ip)
+      @ips.any? { |pattern| pattern === ip }
+    end
+    alias_method :===, :include?
+
+    def ==(other)
+      other.is_a?(RuntimeSettings::IPSet) && to_set == other.to_set
+    end
+
+    protected
+
+    def to_set
+      @ips
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings/protection_settings.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require_relative "ip_set"
+require_relative "rate_limit_settings"
+
+module Aikido::Zen
+  # Models the settings for a given Route as configured in the Aikido UI.
+  class RuntimeSettings::ProtectionSettings
+    # @return [Aikido::Zen::RuntimeSettings::ProtectionSettings] singleton
+    #   instance for endpoints with no configured protections on a given route,
+    #   that can be used as a default value for routes.
+    def self.none
+      @no_settings ||= new
+    end
+
+    # Initialize settings from an API response.
+    #
+    # @param data [Hash] the deserialized JSON data.
+    # @option data [Boolean] "forceProtectionOff" whether the user has
+    #   disabled attack protection for this route.
+    # @option data [Array<String>] "allowedIPAddresses" the list of IPs that
+    #   can make requests to this endpoint.
+    # @option data [Hash] "rateLimiting" the rate limiting options for this
+    #   endpoint. See {Aikido::Zen::RuntimeSettings::RateLimitSettings.from_json}.
+    #
+    # @return [Aikido::Zen::RuntimeSettings::ProtectionSettings]
+    # @raise [IPAddr::InvalidAddressError] if any of the IPs in
+    #   "allowedIPAddresses" is not a valid address or family.
+    def self.from_json(data)
+      ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
+      rate_limiting = RuntimeSettings::RateLimitSettings.from_json(data["rateLimiting"])
+
+      new(
+        protected: !data["forceProtectionOff"],
+        allowed_ips: ips,
+        rate_limiting: rate_limiting
+      )
+    end
+
+    # @return [Aikido::Zen::RuntimeSettings::IPSet] list of IP addresses which
+    #   are allowed to make requests on this route. If empty, all IP addresses
+    #   are allowed.
+    attr_reader :allowed_ips
+
+    # @return [Aikido::Zen::RuntimeSettings::RateLimitSettings]
+    attr_reader :rate_limiting
+
+    def initialize(
+      protected: true,
+      allowed_ips: RuntimeSettings::IPSet.new,
+      rate_limiting: RuntimeSettings::RateLimitSettings.disabled
+    )
+      @protected = !!protected
+      @rate_limiting = rate_limiting
+      @allowed_ips = allowed_ips
+    end
+
+    def protected?
+      @protected
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings/rate_limit_settings.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Simple data object that holds the configuration for rate limiting a given
+  # endpoint.
+  class RuntimeSettings::RateLimitSettings
+    # Initialize the settings from an API response.
+    #
+    # @param data [Hash] the deserialized JSON data.
+    # @option data [Boolean] "enabled"
+    # @option data [Integer] "maxRequests"
+    # @option data [Integer] "windowSizeInMS"
+    #
+    # @return [Aikido::Zen::RateLimitSettings]
+    def self.from_json(data)
+      new(
+        enabled: !!data["enabled"],
+        max_requests: Integer(data["maxRequests"]),
+        period: Integer(data["windowSizeInMS"]) / 1000
+      )
+    end
+
+    # Initializes a disabled object that we can use as a default value for
+    # endpoints that have not configured rate limiting.
+    #
+    # @return [Aikido::Zen::RuntimeSettings::RateLimitSettings]
+    def self.disabled
+      new(enabled: false)
+    end
+
+    # @return [Integer] the fixed window to bucket requests in, in seconds.
+    attr_reader :period
+
+    # @return [Integer]
+    attr_reader :max_requests
+
+    def initialize(enabled: false, max_requests: 1000, period: 60)
+      @enabled = enabled
+      @period = period
+      @max_requests = max_requests
+    end
+
+    def enabled?
+      @enabled
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Stores the firewall configuration sourced from the Aikido dashboard. This
+  # object is updated by the Agent regularly.
+  #
+  # Because the RuntimeSettings object can be modified in runtime, it implements
+  # the {Observable} API, allowing you to subscribe to updates. These are
+  # triggered whenever #update_from_json makes a change (i.e. if the settings
+  # don't change, no update is triggered).
+  #
+  # You can subscribe to changes with +#add_observer(object, func_name)+, which
+  # will call the function passing the settings as an argument.
+  class RuntimeSettings < Concurrent::MutableStruct.new(
+    :updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :skip_protection_for_ips, :received_any_stats
+  )
+    include Concurrent::Concern::Observable
+
+    def initialize(*)
+      self.observers = Concurrent::Collection::CopyOnWriteObserverSet.new
+      super
+      self.endpoints ||= Endpoints.new
+      self.skip_protection_for_ips ||= IPSet.new
+    end
+
+    # @!attribute [rw] updated_at
+    #   @return [Time] when these settings were updated in the Aikido dashboard.
+
+    # @!attribute [rw] heartbeat_interval
+    #   @return [Integer] duration in seconds between heartbeat requests to the
+    #     Aikido server.
+
+    # @!attribute [rw] received_any_stats
+    #   @return [Boolean] whether the Aikido server has received any data from
+    #     this application.
+
+    # @!attribute [rw] endpoints
+    #   @return [Aikido::Zen::RuntimeSettings::Endpoints]
+
+    # @!attribute [rw] blocked_user_ids
+    #   @return [Array]
+
+    # @!attribute [rw] skip_protection_for_ips
+    #   @return [Aikido::Zen::RuntimeSettings::IPSet]
+
+    # Parse and interpret the JSON response from the core API with updated
+    # settings, and apply the changes. This will also notify any subscriber
+    # to updates
+    #
+    # @param data [Hash] the decoded JSON payload from the /api/runtime/config
+    #   API endpoint.
+    #
+    # @return [void]
+    def update_from_json(data)
+      last_updated_at = updated_at
+
+      self.updated_at = Time.at(data["configUpdatedAt"].to_i / 1000)
+      self.heartbeat_interval = (data["heartbeatIntervalInMS"].to_i / 1000)
+      self.endpoints = Endpoints.from_json(data["endpoints"])
+      self.blocked_user_ids = data["blockedUserIds"]
+      self.skip_protection_for_ips = IPSet.from_json(data["allowedIPAddresses"])
+      self.received_any_stats = data["receivedAnyStats"]
+
+      observers.notify_observers(self) if updated_at != last_updated_at
+    end
+  end
+end
+
+require_relative "runtime_settings/ip_set"
+require_relative "runtime_settings/endpoints"

data/lib/aikido/zen/scan.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Scans track information about a single call made by one of our Sinks
+  # including whether it was detected as an attack or how long it took.
+  class Scan
+    # @return [Aikido::Zen::Sink] the originating Sink.
+    attr_reader :sink
+
+    # @return [Aikido::Zen::Context] the current Context, wrapping the HTTP
+    #   request during which this scan was performed.
+    attr_reader :context
+
+    # @return [Aikido::Zen::Attack, nil] a detected Attack, or
+    #   +nil+ if the scan was considered safe.
+    attr_reader :attack
+
+    # @return [Float, nil] duration in (fractional) seconds of the scan.
+    attr_reader :duration
+
+    # @return [Array<Hash>] list of captured exceptions while scanning.
+    attr_reader :errors
+
+    # @param sink [Aikido::Zen::Sink]
+    # @param context [Aikido::Zen::Context]
+    def initialize(sink:, context:)
+      @sink = sink
+      @context = context
+      @errors = []
+      @performed = false
+    end
+
+    def performed?
+      @performed
+    end
+
+    # @return [Boolean] whether this scan detected an Attack.
+    def attack?
+      @attack != nil
+    end
+
+    # @return [Boolean] whether any errors were caught by this Scan.
+    def errors?
+      @errors.any?
+    end
+
+    # Runs a block of code, capturing its return value as the potential
+    # Attack object (or nil, if safe), and how long it took to run.
+    #
+    # @yieldreturn [Aikido::Zen::Attack, nil]
+    # @return [void]
+    def perform
+      @performed = true
+      started_at = monotonic_time
+      @attack = yield
+    ensure
+      @duration = monotonic_time - started_at
+    end
+
+    # Keep track of exceptions encountered during scanning.
+    #
+    # @param error [Exception]
+    # @param scanner [#call]
+    #
+    # @return [nil]
+    def track_error(error, scanner)
+      @errors << {error: error, scanner: scanner}
+      nil
+    end
+
+    private def monotonic_time
+      Process.clock_gettime(Process::CLOCK_MONOTONIC)
+    end
+  end
+end

data/lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require_relative "../attack"
+require_relative "../internals"
+
+module Aikido::Zen
+  module Scanners
+    class SQLInjectionScanner
+      # Checks if the given SQL query may have dangerous user input injected,
+      # and returns an Attack if so, based on the current request.
+      #
+      # @param query [String]
+      # @param context [Aikido::Zen::Context]
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param dialect [Symbol] one of +:mysql+, +:postgesql+, or +:sqlite+.
+      # @param operation [Symbol, String] name of the method being scanned.
+      #   Expects +sink.operation+ being set to get the full module/name combo.
+      #
+      # @return [Aikido::Zen::Attack, nil] an Attack if any user input is
+      #   detected to be attempting a SQL injection, or nil if this is safe.
+      #
+      # @raise [Aikido::Zen::InternalsError] if an error occurs when loading or
+      #   calling zenlib. See Sink#scan.
+      def self.call(query:, dialect:, sink:, context:, operation:)
+        # FIXME: This assumes queries executed outside of an HTTP request are
+        # safe, but this is not the case. For example, if an HTTP request
+        # enqueues a background job, passing user input verbatim, the job might
+        # pass that input to a query without having a current request in scope.
+        return if context.nil?
+
+        dialect = DIALECTS.fetch(dialect) do
+          Aikido::Zen.config.logger.warn "Unknown SQL dialect #{dialect.inspect}"
+          DIALECTS[:common]
+        end
+
+        context.payloads.each do |payload|
+          next unless new(query, payload.value, dialect).attack?
+
+          return Attacks::SQLInjectionAttack.new(
+            sink: sink,
+            query: query,
+            input: payload,
+            dialect: dialect,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+        end
+
+        nil
+      end
+
+      def initialize(query, input, dialect)
+        @query = query.downcase
+        @input = input.downcase
+        @dialect = dialect
+      end
+
+      def attack?
+        # Ignore single char inputs since they shouldn't be able to do much harm
+        return false if @input.length <= 1
+
+        # If the input is longer than the query, then it is not part of it
+        return false if @input.length > @query.length
+
+        # If the input is not included in the query at all, then we are safe
+        return false unless @query.include?(@input)
+
+        # If the input is solely alphanumeric, we can ignore it
+        return false if /\A[[:alnum:]_]+\z/i.match?(@input)
+
+        # If the input is a comma-separated list of numbers, ignore it.
+        return false if /\A(?:\d+(?:,\s*)?)+\z/i.match?(@input)
+
+        Internals.detect_sql_injection(@query, @input, @dialect)
+      end
+
+      # @api private
+      Dialect = Struct.new(:name, :internals_key, keyword_init: true) do
+        alias_method :to_s, :name
+        alias_method :to_int, :internals_key
+      end
+
+      # Maps easy-to-use Symbols to a struct that keeps both the name and the
+      # internal identifier used by libzen.
+      #
+      # @see https://github.com/AikidoSec/zen-internals/blob/main/src/sql_injection/helpers/select_dialect_based_on_enum.rs
+      DIALECTS = {
+        common: Dialect.new(name: "SQL", internals_key: 0),
+        mysql: Dialect.new(name: "MySQL", internals_key: 8),
+        postgresql: Dialect.new(name: "PostgreSQL", internals_key: 9),
+        sqlite: Dialect.new(name: "SQLite", internals_key: 12)
+      }
+    end
+  end
+end

data/lib/aikido/zen/scanners/ssrf/dns_lookups.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require "delegate"
+
+module Aikido::Zen
+  module Scanners
+    module SSRF
+      # Simple per-request cache of all DNS lookups performed for a given host.
+      # We can store this in the context after performing a lookup, and have the
+      # SSRF scanner make sure the hostname being inspected doesn't actually
+      # resolve to an internal/dangerous IP.
+      class DNSLookups < SimpleDelegator
+        def initialize
+          super(Hash.new { |h, k| h[k] = [] })
+        end
+
+        def add(hostname, addresses)
+          self[hostname].concat(Array(addresses))
+        end
+
+        def ===(hostname)
+          key?(hostname)
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/ssrf/private_ip_checker.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require "resolv"
+require "ipaddr"
+
+module Aikido::Zen
+  module Scanners
+    module SSRF
+      # Little helper to check if a given hostname or address is to be
+      # considered "dangerous" when used for an outbound HTTP request.
+      #
+      # When given a hostname:
+      #
+      # * If any DNS lookups have been performed and stored in the current Zen
+      #   context (under the "dns.lookups" metadata key), we will map it to the
+      #   list of IPs that we've resolved it to.
+      #
+      # * If not, we'll still try to map it to any statically defined address in
+      #   the system hosts file (e.g. /etc/hosts).
+      #
+      # Once we mapped the hostname to an IP address (or, if given an IP
+      # address), this will check that it's not a loopback address, a private IP
+      # address (as defined by RFCs 1918 and 4193), or in one of the
+      # "special-use" IP ranges defined in RFC 5735.
+      class PrivateIPChecker
+        def initialize(resolver = Resolv::Hosts.new)
+          @resolver = resolver
+        end
+
+        # @param hostname_or_address [String]
+        # @return [Boolean]
+        def private?(hostname_or_address)
+          resolve(hostname_or_address).any? do |ip|
+            ip.loopback? || ip.private? || RFC5735.any? { |range| range === ip }
+          end
+        end
+
+        private
+
+        RFC5735 = [
+          IPAddr.new("0.0.0.0/8"),
+          IPAddr.new("100.64.0.0/10"),
+          IPAddr.new("127.0.0.0/8"),
+          IPAddr.new("169.254.0.0/16"),
+          IPAddr.new("192.0.0.0/24"),
+          IPAddr.new("192.0.2.0/24"),
+          IPAddr.new("192.31.196.0/24"),
+          IPAddr.new("192.52.193.0/24"),
+          IPAddr.new("192.88.99.0/24"),
+          IPAddr.new("192.175.48.0/24"),
+          IPAddr.new("198.18.0.0/15"),
+          IPAddr.new("198.51.100.0/24"),
+          IPAddr.new("203.0.113.0/24"),
+          IPAddr.new("240.0.0.0/4"),
+          IPAddr.new("224.0.0.0/4"),
+          IPAddr.new("255.255.255.255/32"),
+
+          IPAddr.new("::/128"),              # Unspecified address
+          IPAddr.new("fe80::/10"),           # Link-local address (LLA)
+          IPAddr.new("::ffff:127.0.0.1/128") # IPv4-mapped address
+        ]
+
+        def resolved_in_current_context
+          context = Aikido::Zen.current_context
+          context && context["dns.lookups"]
+        end
+
+        def resolve(hostname_or_address)
+          return [] if hostname_or_address.nil?
+
+          case hostname_or_address
+          when Resolv::AddressRegex
+            [IPAddr.new(hostname_or_address)]
+          when resolved_in_current_context
+            resolved_in_current_context[hostname_or_address]
+              .map { |address| IPAddr.new(address) }
+          else
+            @resolver.getaddresses(hostname_or_address.to_s)
+              .map { |address| IPAddr.new(address) }
+          end
+        end
+      end
+    end
+  end
+end