aikido-zen 0.1.1-arm64-linux → 1.0.0.pre.beta.1-arm64-linux

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 31bd721c8bf4bee4a140897184340b717fe53b7df7cd48cf7d31fb32ee8a5710
-  data.tar.gz: cac854f8a57916caca2ed97c3090d552b5d6f812abd6cbd4f3f16354eccb8c2c
+  metadata.gz: b2ec39a099fb18356244ef6c4634f1a03190a486d08b89d2e455badd06d4f5a2
+  data.tar.gz: 65950e78805aec6fe99cd38957748f989bcad7c90462ad1ee41648290ad6d5f4
 SHA512:
-  metadata.gz: b8434d5cb98769ab4446b91d346448fdd92e08fedb5f722b099484a2a8a03dccb4a7c27ef1f8e84770e5374c5124081d30c08d59198947fe93bf73e2aad7a64e
-  data.tar.gz: 5e67365f580302b3c98befe7bce01d72391ff363f6c5aa4ad2c5356bc9675f4308b87f70cf86e137a5aee6e914e258e76330902c0e207aac2329c2e081415622
+  metadata.gz: 836a0bca75d8e2d0dda23b8820eedce546274207e22f9603d1a49b749f72c17d56df5878f6a7d627b35b2d0c49e9e1449dc79ff346a843000087871e4869a9b2
+  data.tar.gz: 0d603bb1618c423e7c0ac47807d6ff442aa54a2e094d12ca4936f87e004fab05995e41d69f706555188804b8cc2ec27276b87364e1654f5b33b468c2637367e7

data/.simplecov

@@ -4,6 +4,7 @@
 # SimpleCov version, and it doesn't really give us any benefit to run coverage
 # in separate ruby versions since we don't branch on ruby version in the code.
 return if RUBY_VERSION < "3.0"
+return if ENV["DISABLE_COVERAGE"] == "true"
 
 SimpleCov.start do
   # Make sure SimpleCov waits until after the tests
@@ -14,6 +15,12 @@ SimpleCov.start do
   minimum_coverage line: 95, branch: 85
 
   add_filter "/test/"
+
+  # WebMock excludes EM-HTTP-Request on Ruby 3.4:
+  # https://github.com/c960657/webmock/commit/34d16285dbcc574c90b273a89f16cb5fb9f4222a
+  if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.4.0") && Gem.loaded_specs["em-http-request"].version <= Gem::Version.new("1.1.7")
+    add_filter "lib/aikido/zen/sinks/em_http.rb"
+  end
 end
 
 # vim: ft=ruby

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [Unreleased]
 
+### Fixed
+
+- Avoid an infinite loop when checking for SSRFs in a circular redirects loop.
+
 ## 0.1.1
 
 ### Fixed

data/README.md

@@ -1,5 +1,10 @@
 ![Zen by Aikido for Ruby](./docs/banner.svg)
 
+[![Gem Version](https://badge.fury.io/rb/aikido-zen.svg?icon=si%3Arubygems&style=flat)](https://badge.fury.io/rb/aikido-zen)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](http://makeapullrequest.com)
+[![Unit tests](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml)
+[![Release](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml)
+
 # Zen, in-app firewall for Ruby | by Aikido
 
 Zen, your in-app firewall for peace of mind—at runtime.
@@ -13,8 +18,8 @@ Rails application, for simple installation and zero maintenance.
 
 * 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
 * 🛡️ [Server-side request forgery (SSRF)](https://github.com/AikidoSec/firewall-node/blob/main/docs/ssrf.md)
-* 🛡️ [Command injection attacks](https://owasp.org/www-community/attacks/Command_Injection) (coming soon)
-* 🛡️ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)
+* 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked) (coming soon)
+* 🛡️ [Path traversal attacks](https://www.aikido.dev/blog/path-traversal-in-2024-the-year-unpacked) (coming soon)
 * 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities) (coming soon)
 
 Zen operates autonomously on the same server as your Rails app to:
@@ -81,6 +86,10 @@ To block requests, set the `AIKIDO_BLOCK` environment variable to `true`.
 See [Reporting to Aikido](#reporting-to-your-aikido-security-dashboard) to learn
 how to send events to Aikido.
 
+## Additional configuration
+
+[Configure Zen using environment variables for authentication, mode settings, debugging, and more.](https://help.aikido.dev/doc/configuration-via-env-vars/docrSItUkeR9)
+
 ## Reporting to your Aikido Security dashboard
 
 > Aikido is your no nonsense application security platform. One central system

data/benchmarks/README.md

@@ -1,27 +1,23 @@
 # Benchmarking Zen for Ruby
 
-This directory contains the benchmarking scripts that we use to ensure adding
-Zen to your application does not impact performance significantly.
 
-We use [Grafana K6](https://k6.io) for these. For each sample application we
-include in this repo under [sample_apps](../sample_apps), you should find
-a script here that runs certain benchmarks against that app.
+We use [WRK](https://github.com/wg/wrk) & [Grafana K6](https://k6.io) for these.
 
-To run all the benchmarks, run the following from the root of the project:
+WRK benchmarks are only requesting a URL (`/benchmark`). In case you want to add more 
+of those test, you have to code them in the file `tasklib/bench.rake`.
 
-```
-$ bundle exec rake bench
-```
+K6 tests are defined in `benchmarks` folder. They are a javascript file, with calls 
+to different endpoints.
 
 In order to run a benchmarks against a single application, run the following
 from the root of the project:
 
 ```
-$ bundle exec rake bench:{app}:run
+$ BUNDLE_GEMFILE=./sample_apps/{app}/Gemfile bundle exec rake bench:{app}:(k6|wrk)_run
 ```
 
-For example, for the `rails7.1_sql_injection` application:
+For example, for the WRK of `rails7.1_benchmark` application:
 
 ```
-$ bundle exec rake bench:rails7.1_sql_injection:run
+$ BUNDLE_GEMFILE=./sample_apps/rails7.1_benchmark/Gemfile bundle exec rake bench:rails7.1_benchmark:wrk_run
 ```

data/benchmarks/rails7.1_sql_injection.js

@@ -1,8 +1,5 @@
 import http from 'k6/http';
-import { textSummary } from 'https://jslib.k6.io/k6-summary/0.0.2/index.js';
-import { check, sleep, fail } from 'k6';
-import exec from 'k6/execution';
-import { Trend } from 'k6/metrics';
+import {Trend} from 'k6/metrics';
 
 const HTTP = {
   withZen: {
@@ -16,59 +13,58 @@ const HTTP = {
 }
 
 function test(name, fn) {
-  const duration = tests[name].duration;
-  const overhead = tests[name].overhead;
-
   const withZen = fn(HTTP.withZen);
   const withoutZen = fn(HTTP.withoutZen);
+  const timeWithZen = withZen.timings.duration;
+  const timeWithoutZen = withoutZen.timings.duration;
 
-  const timeWithZen = withZen.timings.duration,
-        timeWithoutZen = withoutZen.timings.duration;
-
-  duration.add(timeWithZen - timeWithoutZen);
+  tests[name].delta.add(timeWithZen - timeWithoutZen);
+  tests[name].overhead.add(100 * (timeWithZen - timeWithoutZen) / timeWithoutZen)
 
-  const ratio = withZen.timings.duration / withoutZen.timings.duration;
-  overhead.add(100 * (timeWithZen - timeWithoutZen) / timeWithoutZen)
+  tests[name].with_zen.add(timeWithZen);
+  tests[name].without_zen.add(timeWithoutZen);
 }
 
-const defaultHeaders = {
-  "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
-};
+function buildTestTrends(prefix) {
+  return {
+    delta: new Trend(`${prefix}_delta`),
+    with_zen: new Trend(`${prefix}_with_zen`),
+    without_zen: new Trend(`${prefix}_without_zen`),
+    overhead: new Trend(`${prefix}_overhead`)
+  };
+}
 
 const tests = {
-  test_post_page_with_json_body: {
-    duration: new Trend("test_post_page_with_json_body"),
-    overhead: new Trend("test_overhead_with_json_body")
-  },
-  test_get_page_without_attack: {
-    duration: new Trend("test_get_page_without_attack"),
-    overhead: new Trend("test_overhead_without_attack")
-  },
-  test_get_page_with_sql_injection: {
-    duration: new Trend("test_get_page_with_sql_injection"),
-    overhead: new Trend("test_overhead_with_sql_injection"),
-  }
+  test_post_page_with_json_body: buildTestTrends("test_post_page_with_json_body"),
+  test_get_page_without_attack: buildTestTrends("test_get_page_without_attack"),
+  test_get_page_with_sql_injection: buildTestTrends("test_get_page_with_sql_injection")
 }
 export const options = {
   vus: 1, // Number of virtual users
   iterations: 200,
   thresholds: {
-    test_post_page_with_json_body: ["med<10"],
-    test_get_page_without_attack: ["med<10"],
-    test_get_page_with_sql_injection: ["med<10"],
+    http_req_failed: ['rate==0'], // we are marking the attacks as expected, so we should have no errors
+    test_post_page_with_json_body_delta: ["med<10"],
+    test_get_page_without_attack_delta: ["med<10"],
+    test_get_page_with_sql_injection_delta: ["med<10"],
   }
 };
 
-const expectAttack = http.expectedStatuses(500);
+const expectAttack = http.expectedStatuses(200, 500);
 
 export default function () {
   test("test_post_page_with_json_body",
     (http) => http.post("/cats", JSON.stringify({cat: {name: "Féline Dion"}}), {
-      headers: {"Content-Type": "application/json"}
+      headers: {
+        "Content-Type": "application/json",
+        "Accept": "application/json"
+      }
     })
   )
+
   test("test_get_page_without_attack", (http) => http.get("/cats"))
+
   test("test_get_page_with_sql_injection", (http) =>
-    http.get("/cats/1'%20OR%20''='", {responseCallback: expectAttack})
+    http.get("/cats/1'%20OR%20''='", { responseCallback: expectAttack })
   )
 }