aikido-zen 0.1.1-x86_64-linux → 0.2.0-x86_64-linux

data/lib/aikido/zen/middleware/request_tracker.rb

@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Middleware
+    # Rack middleware used to track request
+    # It implements the logic under that which is considered worthy of being tracked.
+    class RequestTracker
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = Aikido::Zen::Middleware.request_from(env)
+        response = @app.call(env)
+
+        Aikido::Zen.track_request request
+
+        if Aikido::Zen.config.collect_api_schema? && request.route && track?(
+          status_code: response[0],
+          route: request.route.path,
+          http_method: request.request_method
+        )
+          Aikido::Zen.track_discovered_route(request)
+        end
+
+        response
+      end
+
+      IGNORED_METHODS = %w[OPTIONS HEAD]
+      IGNORED_EXTENSIONS = %w[properties config webmanifest]
+      IGNORED_SEGMENTS = ["cgi-bin"]
+      WELL_KNOWN_URIS = %w[
+        /.well-known/acme-challenge
+        /.well-known/amphtml
+        /.well-known/api-catalog
+        /.well-known/appspecific
+        /.well-known/ashrae
+        /.well-known/assetlinks.json
+        /.well-known/broadband-labels
+        /.well-known/brski
+        /.well-known/caldav
+        /.well-known/carddav
+        /.well-known/change-password
+        /.well-known/cmp
+        /.well-known/coap
+        /.well-known/coap-eap
+        /.well-known/core
+        /.well-known/csaf
+        /.well-known/csaf-aggregator
+        /.well-known/csvm
+        /.well-known/did.json
+        /.well-known/did-configuration.json
+        /.well-known/dnt
+        /.well-known/dnt-policy.txt
+        /.well-known/dots
+        /.well-known/ecips
+        /.well-known/edhoc
+        /.well-known/enterprise-network-security
+        /.well-known/enterprise-transport-security
+        /.well-known/est
+        /.well-known/genid
+        /.well-known/gnap-as-rs
+        /.well-known/gpc.json
+        /.well-known/gs1resolver
+        /.well-known/hoba
+        /.well-known/host-meta
+        /.well-known/host-meta.json
+        /.well-known/hosting-provider
+        /.well-known/http-opportunistic
+        /.well-known/idp-proxy
+        /.well-known/jmap
+        /.well-known/keybase.txt
+        /.well-known/knx
+        /.well-known/looking-glass
+        /.well-known/masque
+        /.well-known/matrix
+        /.well-known/mercure
+        /.well-known/mta-sts.txt
+        /.well-known/mud
+        /.well-known/nfv-oauth-server-configuration
+        /.well-known/ni
+        /.well-known/nodeinfo
+        /.well-known/nostr.json
+        /.well-known/oauth-authorization-server
+        /.well-known/oauth-protected-resource
+        /.well-known/ohttp-gateway
+        /.well-known/openid-federation
+        /.well-known/open-resource-discovery
+        /.well-known/openid-configuration
+        /.well-known/openorg
+        /.well-known/oslc
+        /.well-known/pki-validation
+        /.well-known/posh
+        /.well-known/privacy-sandbox-attestations.json
+        /.well-known/private-token-issuer-directory
+        /.well-known/probing.txt
+        /.well-known/pvd
+        /.well-known/rd
+        /.well-known/related-website-set.json
+        /.well-known/reload-config
+        /.well-known/repute-template
+        /.well-known/resourcesync
+        /.well-known/sbom
+        /.well-known/security.txt
+        /.well-known/ssf-configuration
+        /.well-known/sshfp
+        /.well-known/stun-key
+        /.well-known/terraform.json
+        /.well-known/thread
+        /.well-known/time
+        /.well-known/timezone
+        /.well-known/tdmrep.json
+        /.well-known/tor-relay
+        /.well-known/tpcd
+        /.well-known/traffic-advice
+        /.well-known/trust.txt
+        /.well-known/uma2-configuration
+        /.well-known/void
+        /.well-known/webfinger
+        /.well-known/webweaver.json
+        /.well-known/wot
+      ]
+
+      # @param status_code [Integer]
+      # @param route [String]
+      # @param http_method [String]
+      def track?(status_code:, route:, http_method:)
+        # In the UI we want to show only successful (2xx) or redirect (3xx) responses
+        # anything else is discarded.
+        return false unless status_code >= 200 && status_code <= 399
+
+        return false if IGNORED_METHODS.include?(http_method)
+
+        segments = route.split "/"
+
+        # Do not discover routes with dot files like `/path/to/.file` or `/.directory/file`
+        # We want to allow discovery of well-known URIs like `/.well-known/acme-challenge`
+        return false if segments.any? { |s| is_dot_file s } && !is_well_known_uri(route)
+
+        return false if segments.any? { |s| contains_ignored_string s }
+
+        # Check for every file segment if it contains a file extension and if it
+        # should be discovered or ignored
+        segments.all? { |s| should_track_extension s }
+      end
+
+      private
+
+      # Check if a path is a well-known URI
+      # e.g. /.well-known/acme-challenge
+      # https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
+      def is_well_known_uri(route)
+        WELL_KNOWN_URIS.include?(route)
+      end
+
+      def is_dot_file(segment)
+        segment.start_with?(".") && segment.size > 1
+      end
+
+      def contains_ignored_string(segment)
+        IGNORED_SEGMENTS.any? { |ignored| segment.include?(ignored) }
+      end
+
+      # Ignore routes which contain file extensions
+      def should_track_extension(segment)
+        extension = get_file_extension(segment)
+
+        return true unless extension
+
+        # Do not discover files with extensions of 1 to 5 characters,
+        # e.g. file.css, file.js, file.woff2
+        return false if extension.size > 1 && extension.size < 6
+
+        # Ignore some file extensions that are longer than 5 characters or shorter than 2 chars
+        return false if IGNORED_EXTENSIONS.include?(extension)
+
+        true
+      end
+
+      def get_file_extension(segment)
+        extension = File.extname(segment)
+        if extension&.start_with?(".")
+          # Remove the dot from the extension
+          return extension[1..]
+        end
+        extension
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/set_context.rb

@@ -15,10 +15,7 @@ module Aikido::Zen
       end
 
       def call(env)
-        context = Context.from_rack_env(env)
-
-        Aikido::Zen.current_context = env[ENV_KEY] = context
-        Aikido::Zen.track_request(context.request)
+        Aikido::Zen.current_context = env[ENV_KEY] = Context.from_rack_env(env)
 
         @app.call(env)
       ensure

data/lib/aikido/zen/payload.rb

@@ -12,6 +12,8 @@ module Aikido::Zen
       @path = path
     end
 
+    UNKNOWN_PAYLOAD = Payload.new("unknown", "unknown", "unknown")
+
     alias_method :to_s, :value
 
     def ==(other)

data/lib/aikido/zen/rails_engine.rb

@@ -14,6 +14,9 @@ module Aikido::Zen
 
       app.middleware.use Aikido::Zen::Middleware::SetContext
       app.middleware.use Aikido::Zen::Middleware::CheckAllowedAddresses
+      # Request Tracker stats do not consider failed request or 40x, so the middleware
+      # must be the last one wrapping the request.
+      app.middleware.use Aikido::Zen::Middleware::RequestTracker
 
       ActiveSupport.on_load(:action_controller) do
         # Due to how Rails sets up its middleware chain, the routing is evaluated
@@ -57,6 +60,11 @@ module Aikido::Zen
       # that any gems required after aikido-zen are detected and patched
       # accordingly.
       Aikido::Zen.load_sinks!
+
+      # Agent's bootstrap process has finished —Controllers are patched to block
+      # unwanted requests, sinks are loaded, scanners are running—, so we mark
+      # the agent as installed.
+      Aikido::Zen.middleware_installed!
     end
   end
 end

data/lib/aikido/zen/rate_limiter.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require_relative "synchronizable"
-require_relative "middleware/throttler"
+require_relative "middleware/rack_throttler"
 
 module Aikido::Zen
   # Keeps track of all requests in this process, broken up by Route and further

data/lib/aikido/zen/request/schema/builder.rb

@@ -68,8 +68,6 @@ module Aikido::Zen
           new(type: "boolean")
         when String
           new(type: "string")
-        when Integer
-          new(type: "integer")
         when Numeric
           new(type: "number")
         when Array

data/lib/aikido/zen/request/schema/definition.rb

@@ -65,11 +65,6 @@ module Aikido::Zen
         in {type: _}, {type: "null"}
           new(definition.merge(optional: true))
 
-        # number | integer => number
-        in [{type: "integer"}, {type: "number"}] |
-           [{type: "number"}, {type: "integer"}]
-          new(definition.merge(other.definition).merge(type: "number"))
-
         # x | y => [x, y] if x != y
         else
           left_type, right_type = definition[:type], other.definition[:type]

data/lib/aikido/zen/request/schema.rb

@@ -56,9 +56,6 @@ module Aikido::Zen
       return self if other.nil?
 
       self.class.new(
-        # TODO: this is currently overriding the content type with the new
-        # value, but we should support APIs that accept input in many types
-        # (e.g. JSON and XML)
         content_type: other.content_type,
         body_schema: body_schema.merge(other.body_schema),
         query_schema: query_schema.merge(other.query_schema),

data/lib/aikido/zen/scanners/path_traversal/helpers.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Scanners
+    module PathTraversal
+      DANGEROUS_PATH_PARTS = ["../", "..\\"]
+      LINUX_ROOT_FOLDERS = [
+        "/bin/",
+        "/boot/",
+        "/dev/",
+        "/etc/",
+        "/home/",
+        "/init/",
+        "/lib/",
+        "/media/",
+        "/mnt/",
+        "/opt/",
+        "/proc/",
+        "/root/",
+        "/run/",
+        "/sbin/",
+        "/srv/",
+        "/sys/",
+        "/tmp/",
+        "/usr/",
+        "/var/"
+      ]
+
+      DANGEROUS_PATH_STARTS = LINUX_ROOT_FOLDERS + ["c:/", "c:\\"]
+
+      module Helpers
+        def self.contains_unsafe_path_parts(filepath)
+          DANGEROUS_PATH_PARTS.each do |dangerous_part|
+            return true if filepath.include?(dangerous_part)
+          end
+
+          false
+        end
+
+        def self.starts_with_unsafe_path(filepath, user_input)
+          # Check if path is relative (not absolute or drive letter path)
+          # Required because `expand_path` will build absolute paths from relative paths
+          return false if Pathname.new(filepath).relative? || Pathname.new(user_input).relative?
+
+          normalized_path = File.expand_path__internal_for_aikido_zen(filepath).downcase
+          normalized_user_input = File.expand_path__internal_for_aikido_zen(user_input).downcase
+
+          DANGEROUS_PATH_STARTS.each do |dangerous_start|
+            if normalized_path.start_with?(dangerous_start) && normalized_path.start_with?(normalized_user_input)
+              # If the user input is the same as the dangerous start, we don't want to flag it
+              # to prevent false positives.
+              # e.g., if user input is /etc/ and the path is /etc/passwd, we don't want to flag it,
+              # as long as the user input does not contain a subdirectory or filename
+              if user_input == dangerous_start || user_input == dangerous_start.chomp("/")
+                return false
+              end
+              return true
+            end
+          end
+          false
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require_relative "path_traversal/helpers"
+
+module Aikido::Zen
+  module Scanners
+    class PathTraversalScanner
+      # Checks if the user introduced input is trying to access other path using
+      # Path Traversal kind of attacks.
+      #
+      # @param filepath [String] the expanded path that is tried to be read
+      # @param context [Aikido::Zen::Context]
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param operation [Symbol, String] name of the method being scanned.
+      #
+      # @return [Aikido::Zen::Attacks::PathTraversalAttack, nil] an Attack if any
+      # user input is detected to be attempting a Path Traversal Attack, or +nil+ if not.
+      def self.call(filepath:, sink:, context:, operation:)
+        return unless context
+
+        context.payloads.each do |payload|
+          next unless new(filepath, payload.value).attack?
+
+          return Attacks::PathTraversalAttack.new(
+            sink: sink,
+            input: payload,
+            filepath: filepath,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+        end
+
+        nil
+      end
+
+      def initialize(filepath, input)
+        @filepath = filepath.downcase
+        @input = input.downcase
+      end
+
+      def attack?
+        # Single character are ignored because they don't pose a big threat
+        return false if @input.length <= 1
+
+        # We ignore cases where the user input is longer than the file path.
+        # Because the user input can't be part of the file path.
+        return false if @input.length > @filepath.length
+
+        # We ignore cases where the user input is not part of the file path.
+        return false unless @filepath.include?(@input)
+
+        if PathTraversal::Helpers.contains_unsafe_path_parts(@filepath) && PathTraversal::Helpers.contains_unsafe_path_parts(@input)
+          return true
+        end
+
+        # Check for absolute path traversal
+        PathTraversal::Helpers.starts_with_unsafe_path(@filepath, @input)
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/shell_injection/helpers.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+module Aikido::Zen::Scanners::ShellInjection
+  module Helpers
+    ESCAPE_CHARS = %W[' "]
+    DANGEROUS_CHARS_INSIDE_DOUBLE_QUOTES = %W[$ ` \\ !]
+    DANGEROUS_CHARS = [
+      "#", "!", '"', "$", "&", "'", "(", ")", "*", ";", "<", "=", ">", "?",
+      "[", "\\", "]", "^", "`", "{", "|", "}", " ", "\n", "\t", "~"
+    ]
+
+    COMMANDS = %w[sleep shutdown reboot poweroff halt ifconfig chmod chown ping
+      ssh scp curl wget telnet kill killall rm mv cp touch echo cat head
+      tail grep find awk sed sort uniq wc ls env ps who whoami id w df du
+      pwd uname hostname netstat passwd arch printenv logname pstree hostnamectl
+      set lsattr killall5 dmesg history free uptime finger top shopt :]
+
+    PATH_PREFIXES = %w[/bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/]
+
+    SEPARATORS = [" ", "\t", "\n", ";", "&", "|", "(", ")", "<", ">"]
+
+    # @param command [string]
+    # @param user_input [string]
+    def self.is_safely_encapsulated(command, user_input)
+      segments = command.split(user_input)
+
+      # The next condition is merely here to be compliant with what javascript does when splitting strings:
+      # From js doc https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/split
+      #   > If separator appears at the beginning (or end) of the string, it still has the effect of splitting,
+      #   > resulting in an empty (i.e. zero length) string appearing at the first (or last) position of
+      #   > the returned array.
+      # This is necessary because this code is ported form the firewall-node code.
+      if user_input.length > 1
+        if command.start_with? user_input
+          segments.unshift ""
+        end
+
+        if command.end_with? user_input
+          segments << ""
+        end
+      end
+
+      # Call the helper function to get current and next segments
+      get_current_and_next_segments(segments).all? do |segments_pair|
+        char_before_user_input = segments_pair[:current_segment][-1]
+        char_after_user_input = segments_pair[:next_segment][0]
+
+        # Check if the character before is an escape character
+        is_escape_char = ESCAPE_CHARS.include?(char_before_user_input)
+
+        unless is_escape_char
+          next false
+        end
+
+        # If characters before and after the user input do not match, return false
+        next false if char_before_user_input != char_after_user_input
+
+        # If user input contains the escape character, return false
+        next false if user_input.include?(char_before_user_input)
+
+        # Handle dangerous characters inside double quotes
+        if char_before_user_input == '"' && DANGEROUS_CHARS_INSIDE_DOUBLE_QUOTES.any? { |char| user_input.include?(char) }
+          next false
+        end
+
+        next true
+      end
+    end
+
+    def self.get_current_and_next_segments(segments)
+      segments.each_cons(2).map { |current_segment, next_segment| {current_segment: current_segment, next_segment: next_segment} }
+    end
+
+    # Helper function for sorting commands by length (longer commands first)
+    def self.by_length(a, b)
+      b.length - a.length
+    end
+
+    # Escape characters with special meaning either inside or outside character sets.
+    # Use a simple backslash escape when it’s always valid, and a `\xnn` escape when the simpler
+    # form would be disallowed by Unicode patterns’ stricter grammar.
+    #
+    # Inspired by https://github.com/sindresorhus/escape-string-regexp/
+    def self.escape_string_regexp(string)
+      string.gsub(/[|\\{}()\[\]^$+*?.]/) { "\\#{$&}" }.gsub("-", '\\x2d')
+    end
+
+    # Construct the regex for commands
+    COMMANDS_REGEX = Regexp.new(
+      "([/.]*((#{PATH_PREFIXES.map { |p| Helpers.escape_string_regexp(p) }.join("|")})?((#{COMMANDS.sort(&method(:by_length)).join("|")}))))",
+      Regexp::IGNORECASE
+    )
+
+    def self.contains_shell_syntax(command, user_input)
+      # Check if input is only whitespace
+      return false if user_input.strip.empty?
+
+      # Check if the user input contains any dangerous characters
+      if DANGEROUS_CHARS.any? { |c| user_input.include?(c) }
+        return true
+      end
+
+      # If the command is exactly the same as the user input, check if it matches the regex
+      if command == user_input
+        return match_all(command, COMMANDS_REGEX).any? do |match|
+          match[:match].length == command.length && match[:match] == command
+        end
+      end
+
+      # Check if the command contains a commonly used command
+      match_all(command, COMMANDS_REGEX).each do |match|
+        # We found a command like `rm` or `/sbin/shutdown` in the command
+        # Check if the command is the same as the user input
+        # If it's not the same, continue searching
+        next if user_input != match[:match]
+
+        # Otherwise, we'll check if the command is surrounded by separators
+        # These separators are used to separate commands and arguments
+        # e.g. `rm<space>-rf`
+        # e.g. `ls<newline>whoami`
+        # e.g. `echo<tab>hello` Check if the command is surrounded by separators
+        char_before = if match[:index] - 1 < 0
+          nil
+        else
+          command[match[:index] - 1]
+        end
+
+        char_after = if match[:index] + match[:match].length >= command.length
+          nil
+        else
+          command[match[:index] + match[:match].length]
+        end
+
+        # e.g. `<separator>rm<separator>`
+        if SEPARATORS.include?(char_before) && SEPARATORS.include?(char_after)
+          return true
+        end
+
+        # e.g. `<separator>rm`
+        if SEPARATORS.include?(char_before) && char_after.nil?
+          return true
+        end
+
+        # e.g. `rm<separator>`
+        if char_before.nil? && SEPARATORS.include?(char_after)
+          return true
+        end
+      end
+
+      false
+    end
+
+    def self.match_all(string, regex)
+      string.enum_for(:scan, regex).map do |match|
+        {match: match[0], index: $~.begin(0)}
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/shell_injection_scanner.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require_relative "shell_injection/helpers"
+
+module Aikido::Zen
+  module Scanners
+    class ShellInjectionScanner
+      # @param command [String]
+      # @param sink [Aikido::Zen::Sink]
+      # @param context [Aikido::Zen::Context]
+      # @param operation [Symbol, String]
+      #
+      def self.call(command:, sink:, context:, operation:)
+        return unless context
+
+        context.payloads.each do |payload|
+          next unless new(command, payload.value).attack?
+
+          return Attacks::ShellInjectionAttack.new(
+            sink: sink,
+            input: payload,
+            command: command,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+        end
+
+        nil
+      end
+
+      # @param command [String]
+      # @param input [String]
+      def initialize(command, input)
+        @command = command
+        @input = input
+      end
+
+      def attack?
+        # Block single ~ character. For example `echo ~`
+        if @input == "~"
+          if @command.size > 1 && @command.include?("~")
+            return true
+          end
+        end
+
+        # we ignore single character since they don't pose a big threat.
+        # They are only able to crash the shell, not execute arbitraty commands.
+        return false if @input.size <= 1
+
+        # We ignore cases where the user input is longer than the command because
+        # the user input can't be part of the command
+        return false if @input.size > @command.size
+
+        return false unless @command.include?(@input)
+
+        return false if ShellInjection::Helpers.is_safely_encapsulated @command, @input
+
+        ShellInjection::Helpers.contains_shell_syntax @command, @input
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -22,10 +22,6 @@ module Aikido::Zen
       # @raise [Aikido::Zen::InternalsError] if an error occurs when loading or
       #   calling zenlib. See Sink#scan.
       def self.call(query:, dialect:, sink:, context:, operation:)
-        # FIXME: This assumes queries executed outside of an HTTP request are
-        # safe, but this is not the case. For example, if an HTTP request
-        # enqueues a background job, passing user input verbatim, the job might
-        # pass that input to a query without having a current request in scope.
         return if context.nil?
 
         dialect = DIALECTS.fetch(dialect) do

data/lib/aikido/zen/scanners/ssrf_scanner.rb

@@ -228,11 +228,11 @@ module Aikido::Zen
       # @api private
       class RedirectChains
         def initialize
-          @redirects = {}
+          @redirects = Hash.new { |h, k| h[k] = [] }
         end
 
         def add(source:, destination:)
-          @redirects[destination] = source
+          @redirects[destination].push(source)
           self
         end
 
@@ -242,11 +242,14 @@ module Aikido::Zen
         #
         # @param uri [URI]
         # @return [URI, nil]
-        def origin(uri)
-          source = @redirects[uri]
+        def origin(uri, visited = Set.new)
+          source = @redirects[uri].first
 
-          if @redirects[source]
-            origin(source)
+          return source if visited.include?(source)
+          visited << source
+
+          if !@redirects[source].empty?
+            origin(source, visited)
           else
             source
           end

data/lib/aikido/zen/scanners.rb

@@ -3,3 +3,5 @@
 require_relative "scanners/sql_injection_scanner"
 require_relative "scanners/stored_ssrf_scanner"
 require_relative "scanners/ssrf_scanner"
+require_relative "scanners/path_traversal_scanner"
+require_relative "scanners/shell_injection_scanner"