aikido-zen 0.1.1-x86_64-mingw-64 → 1.0.0.pre.beta.1-x86_64-mingw-64

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2bf73cb057d4bce27e28d941fd1230ff3f27d0e8f4ce284c2fcc3adc86848ee7
-  data.tar.gz: 55fb8ec7251826f85749a4ab35ddc50963d3cabde8fcacd3b2fa5ff0090e697f
+  metadata.gz: 612c8be80af943e42d497eef7621c500acce361d8a269f35042df322b97f44ca
+  data.tar.gz: 50ead136c69a3c8a90896bf430b7632b3771ea0a2c2891cdb57abda83fb3220f
 SHA512:
-  metadata.gz: 977f2a178da981f428c70ef18a43e6874eda2b328d6d665a063b5c0dd770839e9814c447724737e86e3ac0419ccd5ceda7ce666dec869aac9e5ba4d4a820fd5c
-  data.tar.gz: c54e7c8ac63affb10bfae8b13515c817024d0a9ccfeedca4e1395fe81db378c6d055f941018dfc35323643cbc3e34e05f3ae309c05739536699203ca5ccd5a0d
+  metadata.gz: 97315d03785d9dc8b4dda1d31ff7ccb299812d5da789b2a5473883c975b07fac9c0c1d5336030f27bb9e21f162c2726d51dd39ffb00071e9d550f111aa098092
+  data.tar.gz: a83eb6028d858b19dbb3514d9a7565b804fcfa9d812d8670dce2a0abf41c750b7b9328208b44f60192018652d0dc5c8dec144d2caea6d920ec45362e1fb09ea4

data/.simplecov

@@ -4,6 +4,7 @@
 # SimpleCov version, and it doesn't really give us any benefit to run coverage
 # in separate ruby versions since we don't branch on ruby version in the code.
 return if RUBY_VERSION < "3.0"
+return if ENV["DISABLE_COVERAGE"] == "true"
 
 SimpleCov.start do
   # Make sure SimpleCov waits until after the tests
@@ -14,6 +15,12 @@ SimpleCov.start do
   minimum_coverage line: 95, branch: 85
 
   add_filter "/test/"
+
+  # WebMock excludes EM-HTTP-Request on Ruby 3.4:
+  # https://github.com/c960657/webmock/commit/34d16285dbcc574c90b273a89f16cb5fb9f4222a
+  if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.4.0") && Gem.loaded_specs["em-http-request"].version <= Gem::Version.new("1.1.7")
+    add_filter "lib/aikido/zen/sinks/em_http.rb"
+  end
 end
 
 # vim: ft=ruby

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [Unreleased]
 
+### Fixed
+
+- Avoid an infinite loop when checking for SSRFs in a circular redirects loop.
+
 ## 0.1.1
 
 ### Fixed

data/README.md

@@ -1,5 +1,10 @@
 ![Zen by Aikido for Ruby](./docs/banner.svg)
 
+[![Gem Version](https://badge.fury.io/rb/aikido-zen.svg?icon=si%3Arubygems&style=flat)](https://badge.fury.io/rb/aikido-zen)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](http://makeapullrequest.com)
+[![Unit tests](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml)
+[![Release](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml)
+
 # Zen, in-app firewall for Ruby | by Aikido
 
 Zen, your in-app firewall for peace of mind—at runtime.
@@ -13,8 +18,8 @@ Rails application, for simple installation and zero maintenance.
 
 * 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
 * 🛡️ [Server-side request forgery (SSRF)](https://github.com/AikidoSec/firewall-node/blob/main/docs/ssrf.md)
-* 🛡️ [Command injection attacks](https://owasp.org/www-community/attacks/Command_Injection) (coming soon)
-* 🛡️ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)
+* 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked) (coming soon)
+* 🛡️ [Path traversal attacks](https://www.aikido.dev/blog/path-traversal-in-2024-the-year-unpacked) (coming soon)
 * 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities) (coming soon)
 
 Zen operates autonomously on the same server as your Rails app to:
@@ -81,6 +86,10 @@ To block requests, set the `AIKIDO_BLOCK` environment variable to `true`.
 See [Reporting to Aikido](#reporting-to-your-aikido-security-dashboard) to learn
 how to send events to Aikido.
 
+## Additional configuration
+
+[Configure Zen using environment variables for authentication, mode settings, debugging, and more.](https://help.aikido.dev/doc/configuration-via-env-vars/docrSItUkeR9)
+
 ## Reporting to your Aikido Security dashboard
 
 > Aikido is your no nonsense application security platform. One central system

data/benchmarks/README.md

@@ -1,27 +1,23 @@
 # Benchmarking Zen for Ruby
 
-This directory contains the benchmarking scripts that we use to ensure adding
-Zen to your application does not impact performance significantly.
 
-We use [Grafana K6](https://k6.io) for these. For each sample application we
-include in this repo under [sample_apps](../sample_apps), you should find
-a script here that runs certain benchmarks against that app.
+We use [WRK](https://github.com/wg/wrk) & [Grafana K6](https://k6.io) for these.
 
-To run all the benchmarks, run the following from the root of the project:
+WRK benchmarks are only requesting a URL (`/benchmark`). In case you want to add more 
+of those test, you have to code them in the file `tasklib/bench.rake`.
 
-```
-$ bundle exec rake bench
-```
+K6 tests are defined in `benchmarks` folder. They are a javascript file, with calls 
+to different endpoints.
 
 In order to run a benchmarks against a single application, run the following
 from the root of the project:
 
 ```
-$ bundle exec rake bench:{app}:run
+$ BUNDLE_GEMFILE=./sample_apps/{app}/Gemfile bundle exec rake bench:{app}:(k6|wrk)_run
 ```
 
-For example, for the `rails7.1_sql_injection` application:
+For example, for the WRK of `rails7.1_benchmark` application:
 
 ```
-$ bundle exec rake bench:rails7.1_sql_injection:run
+$ BUNDLE_GEMFILE=./sample_apps/rails7.1_benchmark/Gemfile bundle exec rake bench:rails7.1_benchmark:wrk_run
 ```

data/benchmarks/rails7.1_sql_injection.js

@@ -1,8 +1,5 @@
 import http from 'k6/http';
-import { textSummary } from 'https://jslib.k6.io/k6-summary/0.0.2/index.js';
-import { check, sleep, fail } from 'k6';
-import exec from 'k6/execution';
-import { Trend } from 'k6/metrics';
+import {Trend} from 'k6/metrics';
 
 const HTTP = {
   withZen: {
@@ -16,59 +13,58 @@ const HTTP = {
 }
 
 function test(name, fn) {
-  const duration = tests[name].duration;
-  const overhead = tests[name].overhead;
-
   const withZen = fn(HTTP.withZen);
   const withoutZen = fn(HTTP.withoutZen);
+  const timeWithZen = withZen.timings.duration;
+  const timeWithoutZen = withoutZen.timings.duration;
 
-  const timeWithZen = withZen.timings.duration,
-        timeWithoutZen = withoutZen.timings.duration;
-
-  duration.add(timeWithZen - timeWithoutZen);
+  tests[name].delta.add(timeWithZen - timeWithoutZen);
+  tests[name].overhead.add(100 * (timeWithZen - timeWithoutZen) / timeWithoutZen)
 
-  const ratio = withZen.timings.duration / withoutZen.timings.duration;
-  overhead.add(100 * (timeWithZen - timeWithoutZen) / timeWithoutZen)
+  tests[name].with_zen.add(timeWithZen);
+  tests[name].without_zen.add(timeWithoutZen);
 }
 
-const defaultHeaders = {
-  "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
-};
+function buildTestTrends(prefix) {
+  return {
+    delta: new Trend(`${prefix}_delta`),
+    with_zen: new Trend(`${prefix}_with_zen`),
+    without_zen: new Trend(`${prefix}_without_zen`),
+    overhead: new Trend(`${prefix}_overhead`)
+  };
+}
 
 const tests = {
-  test_post_page_with_json_body: {
-    duration: new Trend("test_post_page_with_json_body"),
-    overhead: new Trend("test_overhead_with_json_body")
-  },
-  test_get_page_without_attack: {
-    duration: new Trend("test_get_page_without_attack"),
-    overhead: new Trend("test_overhead_without_attack")
-  },
-  test_get_page_with_sql_injection: {
-    duration: new Trend("test_get_page_with_sql_injection"),
-    overhead: new Trend("test_overhead_with_sql_injection"),
-  }
+  test_post_page_with_json_body: buildTestTrends("test_post_page_with_json_body"),
+  test_get_page_without_attack: buildTestTrends("test_get_page_without_attack"),
+  test_get_page_with_sql_injection: buildTestTrends("test_get_page_with_sql_injection")
 }
 export const options = {
   vus: 1, // Number of virtual users
   iterations: 200,
   thresholds: {
-    test_post_page_with_json_body: ["med<10"],
-    test_get_page_without_attack: ["med<10"],
-    test_get_page_with_sql_injection: ["med<10"],
+    http_req_failed: ['rate==0'], // we are marking the attacks as expected, so we should have no errors
+    test_post_page_with_json_body_delta: ["med<10"],
+    test_get_page_without_attack_delta: ["med<10"],
+    test_get_page_with_sql_injection_delta: ["med<10"],
   }
 };
 
-const expectAttack = http.expectedStatuses(500);
+const expectAttack = http.expectedStatuses(200, 500);
 
 export default function () {
   test("test_post_page_with_json_body",
     (http) => http.post("/cats", JSON.stringify({cat: {name: "Féline Dion"}}), {
-      headers: {"Content-Type": "application/json"}
+      headers: {
+        "Content-Type": "application/json",
+        "Accept": "application/json"
+      }
     })
   )
+
   test("test_get_page_without_attack", (http) => http.get("/cats"))
+
   test("test_get_page_with_sql_injection", (http) =>
-    http.get("/cats/1'%20OR%20''='", {responseCallback: expectAttack})
+    http.get("/cats/1'%20OR%20''='", { responseCallback: expectAttack })
   )
 }