aikido-zen 0.1.0 → 0.2.0

data/lib/aikido/zen/scanners/ssrf_scanner.rb

@@ -112,7 +112,8 @@ module Aikido::Zen
         is_port_relevant = input_uri.port != input_uri.default_port
         return false if is_port_relevant && input_uri.port != conn_uri.port
 
-        conn_uri.hostname == input_uri.hostname
+        conn_uri.hostname == input_uri.hostname &&
+          conn_uri.port == input_uri.port
       end
 
       def private_ip?(hostname)
@@ -128,8 +129,11 @@ module Aikido::Zen
       # * The input itself, if it already looks like a URI.
       # * The input prefixed with http://
       # * The input prefixed with https://
+      # * The input prefixed with the scheme of the request's URI, to consider
+      #   things like an FTP request (to "ftp://localhost") with a plain host
+      #   as a user-input ("localhost").
       #
-      # @return [Set<URI>]
+      # @return [Array<URI>] a list of unique URIs based on the above criteria.
       def uris_from_input
         input = @input.to_s
 
@@ -138,10 +142,12 @@ module Aikido::Zen
         # valid hostname. We should do the same for the input.
         input = format("[%s]", input) if unescaped_ipv6?(input)
 
-        [input, "http://#{input}", "https://#{input}"]
-          .map { |candidate| as_uri(candidate) }
-          .compact
-          .uniq
+        [
+          input,
+          "http://#{input}",
+          "https://#{input}",
+          "#{@request_uri.scheme}://#{input}"
+        ].map { |candidate| as_uri(candidate) }.compact.uniq
       end
 
       def as_uri(string)
@@ -222,11 +228,11 @@ module Aikido::Zen
       # @api private
       class RedirectChains
         def initialize
-          @redirects = {}
+          @redirects = Hash.new { |h, k| h[k] = [] }
         end
 
         def add(source:, destination:)
-          @redirects[destination] = source
+          @redirects[destination].push(source)
           self
         end
 
@@ -236,11 +242,14 @@ module Aikido::Zen
         #
         # @param uri [URI]
         # @return [URI, nil]
-        def origin(uri)
-          source = @redirects[uri]
+        def origin(uri, visited = Set.new)
+          source = @redirects[uri].first
 
-          if @redirects[source]
-            origin(source)
+          return source if visited.include?(source)
+          visited << source
+
+          if !@redirects[source].empty?
+            origin(source, visited)
           else
             source
           end

data/lib/aikido/zen/scanners.rb

@@ -3,3 +3,5 @@
 require_relative "scanners/sql_injection_scanner"
 require_relative "scanners/stored_ssrf_scanner"
 require_relative "scanners/ssrf_scanner"
+require_relative "scanners/path_traversal_scanner"
+require_relative "scanners/shell_injection_scanner"

data/lib/aikido/zen/sinks/action_controller.rb

@@ -3,12 +3,12 @@
 module Aikido::Zen
   module Sinks
     module ActionController
-      # Implements the "middleware" for rate limiting in Rails apps, where we
-      # need to check at the end of the `before_action` chain, rather than in
-      # an actual Rack middleware, to allow for calls to Zen.track_user being
-      # made from before_actions in the host app, thus allowing rate-limiting
-      # by user ID rather than solely by IP.
-      class Throttler
+      # Implements the "middleware" for blocking requests (i.e.: rate-limiting or blocking
+      # user/bots) in Rails apps, where we need to check at the end of the `before_action`
+      # chain, rather than in an actual Rack middleware, to allow for calls to
+      # `Zen.track_user` being made from before_actions in the host app, thus allowing
+      # block/rate-limit by user ID rather than solely by IP.
+      class BlockRequestChecker
         def initialize(
           config: Aikido::Zen.config,
           settings: Aikido::Zen.runtime_settings,
@@ -19,10 +19,18 @@ module Aikido::Zen
           @rate_limiter = rate_limiter
         end
 
-        def throttle(controller)
+        def block?(controller)
           context = controller.request.env[Aikido::Zen::ENV_KEY]
           request = context.request
 
+          if should_block_user?(request)
+            status, headers, body = @config.blocked_responder.call(request, :user)
+            controller.headers.update(headers)
+            controller.render plain: Array(body).join, status: status
+
+            return true
+          end
+
           if should_throttle?(request)
             status, headers, body = @config.rate_limited_responder.call(request)
             controller.headers.update(headers)
@@ -39,10 +47,17 @@ module Aikido::Zen
 
           @rate_limiter.throttle?(request)
         end
+
+        # @param request [Aikido::Zen::Request]
+        private def should_block_user?(request)
+          return false if request.actor.nil?
+
+          @settings.blocked_user_ids&.include?(request.actor.id)
+        end
       end
 
-      def self.throttler
-        @throttler ||= Aikido::Zen::Sinks::ActionController::Throttler.new
+      def self.block_request_checker
+        @block_request_checker ||= Aikido::Zen::Sinks::ActionController::BlockRequestChecker.new
       end
 
       module Extensions
@@ -50,10 +65,9 @@ module Aikido::Zen
           return super unless kind == :process_action
 
           super do
-            rate_limiter = Aikido::Zen::Sinks::ActionController.throttler
-            throttled = rate_limiter.throttle(self)
+            checker = Aikido::Zen::Sinks::ActionController.block_request_checker
 
-            yield if block_given? && !throttled
+            yield if block_given? && !checker.block?(self)
           end
         end
       end

data/lib/aikido/zen/sinks/file.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Sinks
+    module File
+      SINK = Sinks.add("File", scanners: [
+        Aikido::Zen::Scanners::PathTraversalScanner
+      ])
+
+      module Extensions
+        def self.scan_path(filepath, operation)
+          SINK.scan(
+            filepath: filepath,
+            operation: operation
+          )
+        end
+
+        # Module to extend only the initializer method of `File` (`File.new`)
+        module Initiliazer
+          def initialize(filename, *, **)
+            Extensions.scan_path(filename, "new")
+            super
+          end
+        end
+
+        def open(filename, *, **)
+          Extensions.scan_path(filename, "open")
+          super
+        end
+
+        def read(filename, *)
+          Extensions.scan_path(filename, "read")
+          super
+        end
+
+        def write(filename, *, **)
+          Extensions.scan_path(filename, "write")
+          super
+        end
+
+        def join(*)
+          joined = super
+          Extensions.scan_path(joined, "join")
+          joined
+        end
+
+        def chmod(mode, *paths)
+          paths.each { |path| Extensions.scan_path(path, "chmod") }
+          super
+        end
+
+        def chown(user, group, *paths)
+          paths.each { |path| Extensions.scan_path(path, "chown") }
+          super
+        end
+
+        def rename(from, to)
+          Extensions.scan_path(from, "rename")
+          Extensions.scan_path(to, "rename")
+          super
+        end
+
+        def symlink(from, to)
+          Extensions.scan_path(from, "symlink")
+          Extensions.scan_path(to, "symlink")
+          super
+        end
+
+        def truncate(file_name, *)
+          Extensions.scan_path(file_name, "truncate")
+          super
+        end
+
+        def unlink(*args)
+          args.each do |arg|
+            Extensions.scan_path(arg, "unlink")
+          end
+          super
+        end
+
+        def delete(*args)
+          args.each do |arg|
+            Extensions.scan_path(arg, "delete")
+          end
+          super
+        end
+
+        def utime(atime, mtime, *args)
+          args.each do |arg|
+            Extensions.scan_path(arg, "utime")
+          end
+          super
+        end
+
+        def expand_path(filename, *)
+          Extensions.scan_path(filename, "expand_path")
+          super
+        end
+
+        def realpath(filename, *)
+          Extensions.scan_path(filename, "realpath")
+          super
+        end
+
+        def realdirpath(filename, *)
+          Extensions.scan_path(filename, "realdirpath")
+          super
+        end
+      end
+    end
+  end
+end
+
+# Internally, Path Traversal's scanner logic uses `expand_path`, in order to avoid recursion issues we keep
+# a copy of the original method, only to be used internally.
+# It's important to keep this line before prepend the Extensions module, otherwise the alias will call
+# the extended method.
+::File.singleton_class.alias_method :expand_path__internal_for_aikido_zen, :expand_path
+::File.singleton_class.prepend(Aikido::Zen::Sinks::File::Extensions)
+::File.prepend Aikido::Zen::Sinks::File::Extensions::Initiliazer

data/lib/aikido/zen/sinks/http.rb

@@ -66,7 +66,7 @@ module Aikido::Zen
 
           response
         ensure
-          context["ssrf.request"] = prev_request
+          context["ssrf.request"] = prev_request if context
         end
       end
     end

data/lib/aikido/zen/sinks/kernel.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Sinks
+    module Kernel
+      SINK = Sinks.add("Kernel", scanners: [
+        Aikido::Zen::Scanners::ShellInjectionScanner
+      ])
+
+      module Extensions
+        # Checks if the user introduced input is trying to execute other commands
+        # using Shell Injection kind of attacks.
+        #
+        # @param command [String] the _full command_ that will be executed.
+        # @param context [Aikido::Zen::Context]
+        # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+        # @param operation [Symbol, String] name of the method being scanned.
+        #
+        # @return [Aikido::Zen::Attacks::ShellInjectionAttack, nil] an Attack if any
+        # user input is detected as part of a Shell Injection Attack, or +nil+ if it's safe.
+        def self.scan_command(command, operation)
+          SINK.scan(
+            command: command,
+            operation: operation
+          )
+        end
+
+        # `system, spawn` functions can be invoked in several ways. For more details,
+        # see [the documentation](https://ruby-doc.org/3.4.1/Kernel.html#method-i-spawn)
+        #
+        # In our context, we care primarily about two common scenarios:
+        #   - one argument (String)
+        #       e.g.: system("ls"), system("echo something")
+        #   - two arguments (Hash, String)
+        #       e.g.: system({"foo" => "bar"}, "ls"), system({"foo" => "bar"}, "echo something")
+        #
+        # In all other cases, we do not protect against shell argument injections. Specifically:
+        #
+        # If a user input contains something like $(whoami) and is passed as part of the command
+        # arguments (e.g., user_input = "$(whoami)"):
+        #
+        #   system("echo", user_input)   This is safe because Ruby automatically escapes arguments
+        #                                passed to system/spawn in this form.
+        #
+        #   system("echo #{user_input}") This is not safe because Ruby interpolates the user_input
+        #                                into the command string, resulting in a potentially harmful
+        #                                command like `echo $(whoami)`.
+        def send_arg_to_scan(args, operation)
+          if args.size == 1 && args[0].is_a?(String)
+            Extensions.scan_command(args[0], operation)
+          end
+
+          if args.size == 2 && args[0].is_a?(Hash)
+            Extensions.scan_command(args[1], operation)
+          end
+        end
+
+        def system(*args, **)
+          send_arg_to_scan(args, "system")
+          super
+        end
+
+        def spawn(*args, **)
+          send_arg_to_scan(args, "spawn")
+          super
+        end
+      end
+    end
+  end
+end
+
+::Kernel.singleton_class.prepend Aikido::Zen::Sinks::Kernel::Extensions
+::Kernel.prepend Aikido::Zen::Sinks::Kernel::Extensions

data/lib/aikido/zen/sinks/pg.rb

@@ -7,6 +7,17 @@ module Aikido::Zen
     module PG
       SINK = Sinks.add("pg", scanners: [Scanners::SQLInjectionScanner])
 
+      # For some reason, the ActiveRecord pg adapter does not wrap exceptions in
+      # StatementInvalid, which leads to inconsistent handling. This guarantees
+      # that all Zen errors are wrapped in a StatementInvalid, so documentation
+      # can be consistent.
+      WRAP_EXCEPTIONS = if defined?(ActiveRecord::StatementInvalid)
+        <<~RUBY
+          rescue Aikido::Zen::SQLInjectionError
+            raise ActiveRecord::StatementInvalid
+        RUBY
+      end
+
       module Extensions
         %i[
           send_query exec sync_exec async_exec
@@ -16,12 +27,7 @@ module Aikido::Zen
             def #{method}(query, *)
               SINK.scan(query: query, dialect: :postgresql, operation: :#{method})
               super
-            rescue Aikido::Zen::SQLInjectionError
-              # The pg adapter does not wrap exceptions in StatementInvalid, which
-              # leads to inconsistent handling. This guarantees that all Aikido
-              # errors are wrapped in a StatementInvalid, so documentation can be
-              # consistent.
-              raise ActiveRecord::StatementInvalid
+            #{WRAP_EXCEPTIONS}
             end
           RUBY
         end
@@ -33,12 +39,7 @@ module Aikido::Zen
             def #{method}(_, query, *)
               SINK.scan(query: query, dialect: :postgresql, operation: :#{method})
               super
-            rescue Aikido::Zen::SQLInjectionError
-              # The pg adapter does not wrap exceptions in StatementInvalid, which
-              # leads to inconsistent handling. This guarantees that all Aikido
-              # errors are wrapped in a StatementInvalid, so documentation can be
-              # consistent.
-              raise ActiveRecord::StatementInvalid
+            #{WRAP_EXCEPTIONS}
             end
           RUBY
         end

data/lib/aikido/zen/sinks/typhoeus.rb

@@ -66,7 +66,7 @@ module Aikido::Zen
             operation: "request"
           )
         ensure
-          context["ssrf.request"] = nil
+          context["ssrf.request"] = nil if context
         end
 
         true

data/lib/aikido/zen/sinks.rb

@@ -5,6 +5,14 @@ require_relative "sink"
 require_relative "sinks/socket"
 
 require_relative "sinks/action_controller" if defined?(::ActionController)
+require_relative "sinks/file" if defined?(::File)
+
+# Sadly, in ruby versions lower than 3.0, it's not possible to patch the
+# Kernel module because how the `prepend` method is applied
+# (https://stackoverflow.com/questions/78110397/prepend-kernel-module-function-globally#comment137713906_78112924)
+if RUBY_VERSION >= "3.0"
+  require_relative "sinks/kernel" if defined?(::Kernel)
+end
 require_relative "sinks/resolv" if defined?(::Resolv)
 require_relative "sinks/net_http" if defined?(::Net::HTTP)
 require_relative "sinks/http" if defined?(::HTTP)

data/lib/aikido/zen/system_info.rb

@@ -60,7 +60,7 @@ module Aikido::Zen
     end
 
     def os_version
-      Gem::Platform.local.version
+      Gem::Platform.local.version || "unknown"
     end
 
     def as_json

data/lib/aikido/zen/version.rb

@@ -2,9 +2,9 @@
 
 module Aikido
   module Zen
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
 
     # The version of libzen_internals that we build against.
-    LIBZEN_VERSION = "0.1.30"
+    LIBZEN_VERSION = "0.1.37"
   end
 end

data/lib/aikido/zen.rb

@@ -10,13 +10,15 @@ require_relative "zen/worker"
 require_relative "zen/agent"
 require_relative "zen/api_client"
 require_relative "zen/context"
+require_relative "zen/middleware/check_allowed_addresses"
+require_relative "zen/middleware/middleware"
+require_relative "zen/middleware/request_tracker"
 require_relative "zen/middleware/set_context"
 require_relative "zen/outbound_connection"
 require_relative "zen/outbound_connection_monitor"
 require_relative "zen/runtime_settings"
 require_relative "zen/rate_limiter"
 require_relative "zen/scanners"
-require_relative "zen/middleware/check_allowed_addresses"
 require_relative "zen/rails_engine" if defined?(::Rails)
 
 module Aikido
@@ -70,6 +72,11 @@ module Aikido
       collector.track_request(request)
     end
 
+    def self.track_discovered_route(request)
+      autostart
+      collector.track_route(request)
+    end
+
     # Tracks a network connection made to an external service.
     #
     # @param connection [Aikido::Zen::OutboundConnection]
@@ -113,6 +120,12 @@ module Aikido
       end
     end
 
+    # Marks that the Zen middleware was installed properly
+    # @return void
+    def self.middleware_installed!
+      collector.middleware_installed!
+    end
+
     # Load all sinks matching libraries loaded into memory. This method should
     # be called after all other dependencies have been loaded into memory (i.e.
     # at the end of the initialization process).

data/tasklib/bench.rake

@@ -12,11 +12,12 @@ end
 
 def boot_server(dir, port:, env: {})
   env["PORT"] = port.to_s
+  env["SECRET_KEY_BASE"] = rand(36**64).to_s(36)
 
   Dir.chdir(dir) do
     SERVER_PIDS[port] = Process.spawn(
       env,
-      "rails", "server", "--pid", "#{Dir.pwd}/tmp/pids/server.#{port}.pid",
+      "rails", "server", "--pid", "#{Dir.pwd}/tmp/pids/server.#{port}.pid", "-e", "production",
       out: "/dev/null"
     )
   rescue
@@ -61,7 +62,7 @@ Pathname.glob("sample_apps/*").select(&:directory?).each do |dir|
       end
 
       task :boot_unprotected_app do
-        boot_server(dir, port: 3002, env: {"AIKIDO_DISABLE" => "true"})
+        boot_server(dir, port: 3002, env: {"AIKIDO_DISABLED" => "true"})
       end
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Nicolas Sanguinetti
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-11-15 00:00:00.000000000 Z
+date: 2025-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -52,7 +52,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email:
 - foca@foca.io
 executables: []
@@ -60,6 +60,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".ruby-version"
+- ".simplecov"
 - ".standard.yml"
 - CHANGELOG.md
 - LICENSE
@@ -93,8 +94,10 @@ files:
 - lib/aikido/zen/event.rb
 - lib/aikido/zen/internals.rb
 - lib/aikido/zen/middleware/check_allowed_addresses.rb
+- lib/aikido/zen/middleware/middleware.rb
+- lib/aikido/zen/middleware/rack_throttler.rb
+- lib/aikido/zen/middleware/request_tracker.rb
 - lib/aikido/zen/middleware/set_context.rb
-- lib/aikido/zen/middleware/throttler.rb
 - lib/aikido/zen/outbound_connection.rb
 - lib/aikido/zen/outbound_connection_monitor.rb
 - lib/aikido/zen/package.rb
@@ -121,6 +124,10 @@ files:
 - lib/aikido/zen/runtime_settings/rate_limit_settings.rb
 - lib/aikido/zen/scan.rb
 - lib/aikido/zen/scanners.rb
+- lib/aikido/zen/scanners/path_traversal/helpers.rb
+- lib/aikido/zen/scanners/path_traversal_scanner.rb
+- lib/aikido/zen/scanners/shell_injection/helpers.rb
+- lib/aikido/zen/scanners/shell_injection_scanner.rb
 - lib/aikido/zen/scanners/sql_injection_scanner.rb
 - lib/aikido/zen/scanners/ssrf/dns_lookups.rb
 - lib/aikido/zen/scanners/ssrf/private_ip_checker.rb
@@ -133,9 +140,11 @@ files:
 - lib/aikido/zen/sinks/curb.rb
 - lib/aikido/zen/sinks/em_http.rb
 - lib/aikido/zen/sinks/excon.rb
+- lib/aikido/zen/sinks/file.rb
 - lib/aikido/zen/sinks/http.rb
 - lib/aikido/zen/sinks/httpclient.rb
 - lib/aikido/zen/sinks/httpx.rb
+- lib/aikido/zen/sinks/kernel.rb
 - lib/aikido/zen/sinks/mysql2.rb
 - lib/aikido/zen/sinks/net_http.rb
 - lib/aikido/zen/sinks/patron.rb
@@ -158,7 +167,7 @@ metadata:
   homepage_uri: https://aikido.dev
   source_code_uri: https://github.com/aikidosec/firewall-ruby
   changelog_uri: https://github.com/aikidosec/firewall-ruby/blob/main/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -174,7 +183,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.5.22
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Embedded Web Application Firewall that autonomously protects Ruby apps against
   common and critical attacks.