aikido-zen 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 51eaea8541cd36bd28a72265eb65c03d603ca04200e4445c1ce9ef5f1eda161e
-  data.tar.gz: dbb1085f145533d7c432950e0960b35eae89f9b5c389d17971273fd16ae02da6
+  metadata.gz: c2d5b546f3efb35bf92037dadca096f182caa285fe03edd5192af3c967d1eb81
+  data.tar.gz: a745a9556f5d89a2ad3c7cb85aaa5a9d2f615d6c376c14fd99e7955f91a398fc
 SHA512:
-  metadata.gz: 298cd2aee853100f077036d8982c04cbcaafafda4554e279f855586bf379d68227005c7eb1869a7c64941e0fe2c06b7d0fb9cdf0f22232d1c9c4ad6b98b5d383
-  data.tar.gz: 4f8fa891bc625d17ed21e0c78ecee44af8fb6784202243982748fa6df86dbdb333f3242cc7890e28bef7cb9ce700b6567600e6ba4a5448af002915852db0c7e8
+  metadata.gz: ce63a42135ebabcdf81fa288fad9e21c8656b72829fdf1ce50be5085f5ab7020136e84a5ba043e3cf75f523abef02a913d6faa764dd57479a3988e347e03ab9b
+  data.tar.gz: 84b27a54558f890a1f34e217f1d16e6945345686a4e14ce03fa9f2965a30374984f55623ef45b713f3f5d8a3191a7cc6984294995ef946210d0b0e000aaa88bd

data/.simplecov

@@ -4,6 +4,7 @@
 # SimpleCov version, and it doesn't really give us any benefit to run coverage
 # in separate ruby versions since we don't branch on ruby version in the code.
 return if RUBY_VERSION < "3.0"
+return if ENV["DISABLE_COVERAGE"] == "true"
 
 SimpleCov.start do
   # Make sure SimpleCov waits until after the tests

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [Unreleased]
 
+### Fixed
+
+- Avoid an infinite loop when checking for SSRFs in a circular redirects loop.
+
 ## 0.1.1
 
 ### Fixed

data/README.md

@@ -1,5 +1,10 @@
 ![Zen by Aikido for Ruby](./docs/banner.svg)
 
+[![Gem Version](https://badge.fury.io/rb/aikido-zen.svg?icon=si%3Arubygems&style=flat)](https://badge.fury.io/rb/aikido-zen)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](http://makeapullrequest.com)
+[![Unit tests](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml)
+[![Release](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml)
+
 # Zen, in-app firewall for Ruby | by Aikido
 
 Zen, your in-app firewall for peace of mind—at runtime.
@@ -13,8 +18,8 @@ Rails application, for simple installation and zero maintenance.
 
 * 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
 * 🛡️ [Server-side request forgery (SSRF)](https://github.com/AikidoSec/firewall-node/blob/main/docs/ssrf.md)
-* 🛡️ [Command injection attacks](https://owasp.org/www-community/attacks/Command_Injection) (coming soon)
-* 🛡️ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)
+* 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked) (coming soon)
+* 🛡️ [Path traversal attacks](https://www.aikido.dev/blog/path-traversal-in-2024-the-year-unpacked) (coming soon)
 * 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities) (coming soon)
 
 Zen operates autonomously on the same server as your Rails app to:
@@ -81,6 +86,10 @@ To block requests, set the `AIKIDO_BLOCK` environment variable to `true`.
 See [Reporting to Aikido](#reporting-to-your-aikido-security-dashboard) to learn
 how to send events to Aikido.
 
+## Additional configuration
+
+[Configure Zen using environment variables for authentication, mode settings, debugging, and more.](https://help.aikido.dev/doc/configuration-via-env-vars/docrSItUkeR9)
+
 ## Reporting to your Aikido Security dashboard
 
 > Aikido is your no nonsense application security platform. One central system

data/benchmarks/rails7.1_sql_injection.js

@@ -1,8 +1,5 @@
 import http from 'k6/http';
-import { textSummary } from 'https://jslib.k6.io/k6-summary/0.0.2/index.js';
-import { check, sleep, fail } from 'k6';
-import exec from 'k6/execution';
-import { Trend } from 'k6/metrics';
+import {Trend} from 'k6/metrics';
 
 const HTTP = {
   withZen: {
@@ -16,59 +13,58 @@ const HTTP = {
 }
 
 function test(name, fn) {
-  const duration = tests[name].duration;
-  const overhead = tests[name].overhead;
-
   const withZen = fn(HTTP.withZen);
   const withoutZen = fn(HTTP.withoutZen);
+  const timeWithZen = withZen.timings.duration;
+  const timeWithoutZen = withoutZen.timings.duration;
 
-  const timeWithZen = withZen.timings.duration,
-        timeWithoutZen = withoutZen.timings.duration;
-
-  duration.add(timeWithZen - timeWithoutZen);
+  tests[name].delta.add(timeWithZen - timeWithoutZen);
+  tests[name].overhead.add(100 * (timeWithZen - timeWithoutZen) / timeWithoutZen)
 
-  const ratio = withZen.timings.duration / withoutZen.timings.duration;
-  overhead.add(100 * (timeWithZen - timeWithoutZen) / timeWithoutZen)
+  tests[name].with_zen.add(timeWithZen);
+  tests[name].without_zen.add(timeWithoutZen);
 }
 
-const defaultHeaders = {
-  "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
-};
+function buildTestTrends(prefix) {
+  return {
+    delta: new Trend(`${prefix}_delta`),
+    with_zen: new Trend(`${prefix}_with_zen`),
+    without_zen: new Trend(`${prefix}_without_zen`),
+    overhead: new Trend(`${prefix}_overhead`)
+  };
+}
 
 const tests = {
-  test_post_page_with_json_body: {
-    duration: new Trend("test_post_page_with_json_body"),
-    overhead: new Trend("test_overhead_with_json_body")
-  },
-  test_get_page_without_attack: {
-    duration: new Trend("test_get_page_without_attack"),
-    overhead: new Trend("test_overhead_without_attack")
-  },
-  test_get_page_with_sql_injection: {
-    duration: new Trend("test_get_page_with_sql_injection"),
-    overhead: new Trend("test_overhead_with_sql_injection"),
-  }
+  test_post_page_with_json_body: buildTestTrends("test_post_page_with_json_body"),
+  test_get_page_without_attack: buildTestTrends("test_get_page_without_attack"),
+  test_get_page_with_sql_injection: buildTestTrends("test_get_page_with_sql_injection")
 }
 export const options = {
   vus: 1, // Number of virtual users
   iterations: 200,
   thresholds: {
-    test_post_page_with_json_body: ["med<10"],
-    test_get_page_without_attack: ["med<10"],
-    test_get_page_with_sql_injection: ["med<10"],
+    http_req_failed: ['rate==0'], // we are marking the attacks as expected, so we should have no errors
+    test_post_page_with_json_body_delta: ["med<10"],
+    test_get_page_without_attack_delta: ["med<10"],
+    test_get_page_with_sql_injection_delta: ["med<10"],
   }
 };
 
-const expectAttack = http.expectedStatuses(500);
+const expectAttack = http.expectedStatuses(200, 500);
 
 export default function () {
   test("test_post_page_with_json_body",
     (http) => http.post("/cats", JSON.stringify({cat: {name: "Féline Dion"}}), {
-      headers: {"Content-Type": "application/json"}
+      headers: {
+        "Content-Type": "application/json",
+        "Accept": "application/json"
+      }
     })
   )
+
   test("test_get_page_without_attack", (http) => http.get("/cats"))
+
   test("test_get_page_with_sql_injection", (http) =>
-    http.get("/cats/1'%20OR%20''='", {responseCallback: expectAttack})
+    http.get("/cats/1'%20OR%20''='", { responseCallback: expectAttack })
   )
 }