aikido-zen 0.2.0-arm64-darwin → 1.0.0.pre.beta.1-arm64-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5f21c896f36460f4e901d44c5a235d0d7a677f86af95a9924326b28cfa0c8318
-  data.tar.gz: 70973e6cf74ca6a9ad25d69c88a137851ff5734d27f390470eb9ff6134a38822
+  metadata.gz: c9af80650dd2c7ede7a512e331275cc550787862f6126b4abe3d71fbb5d46cc9
+  data.tar.gz: d6210cdf5178bacf4de86938cd38ee6f046921ac8f6dbd343a4ee2c46995187d
 SHA512:
-  metadata.gz: 415faa79a7a49fc526c05b0418d3358933c7d297aabf3d84bad137ed2f67146c08d2c2dfaf1149c7b303da7a7d680a64317c6c44fff8d1db1169e7526fa5a994
-  data.tar.gz: 82c78ff577fe4695d8d003fa58e8ea78e3a1c78741684b65dbc14f2fbe315156ad79d265c8d8035fb279adf77b8b9805e0a88c72ab7da87a773a8c2db7dfdc7b
+  metadata.gz: ca670414aaab281b6eb34db7feaaf0ed13ccb32c93a4ddb00cafcbdce2603974756874df58947ac53910c1d70b411f8eef65843609cde1973c21ee3563468568
+  data.tar.gz: f5897199a127528a6c17d4768c1a8c55d42bd52fc53bcbdee2a7ab0cfdc4b1c68e2fd27f775e4fca336a1096c0faa85505765437d28665e6737d7bc6b476044b

data/.simplecov

@@ -15,6 +15,12 @@ SimpleCov.start do
   minimum_coverage line: 95, branch: 85
 
   add_filter "/test/"
+
+  # WebMock excludes EM-HTTP-Request on Ruby 3.4:
+  # https://github.com/c960657/webmock/commit/34d16285dbcc574c90b273a89f16cb5fb9f4222a
+  if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.4.0") && Gem.loaded_specs["em-http-request"].version <= Gem::Version.new("1.1.7")
+    add_filter "lib/aikido/zen/sinks/em_http.rb"
+  end
 end
 
 # vim: ft=ruby

data/benchmarks/README.md

@@ -1,27 +1,23 @@
 # Benchmarking Zen for Ruby
 
-This directory contains the benchmarking scripts that we use to ensure adding
-Zen to your application does not impact performance significantly.
 
-We use [Grafana K6](https://k6.io) for these. For each sample application we
-include in this repo under [sample_apps](../sample_apps), you should find
-a script here that runs certain benchmarks against that app.
+We use [WRK](https://github.com/wg/wrk) & [Grafana K6](https://k6.io) for these.
 
-To run all the benchmarks, run the following from the root of the project:
+WRK benchmarks are only requesting a URL (`/benchmark`). In case you want to add more 
+of those test, you have to code them in the file `tasklib/bench.rake`.
 
-```
-$ bundle exec rake bench
-```
+K6 tests are defined in `benchmarks` folder. They are a javascript file, with calls 
+to different endpoints.
 
 In order to run a benchmarks against a single application, run the following
 from the root of the project:
 
 ```
-$ bundle exec rake bench:{app}:run
+$ BUNDLE_GEMFILE=./sample_apps/{app}/Gemfile bundle exec rake bench:{app}:(k6|wrk)_run
 ```
 
-For example, for the `rails7.1_sql_injection` application:
+For example, for the WRK of `rails7.1_benchmark` application:
 
 ```
-$ bundle exec rake bench:rails7.1_sql_injection:run
+$ BUNDLE_GEMFILE=./sample_apps/rails7.1_benchmark/Gemfile bundle exec rake bench:rails7.1_benchmark:wrk_run
 ```

data/docs/rails.md

@@ -40,7 +40,7 @@ You can just tell Zen to use it like so:
 
 ``` ruby
 # config/initializers/zen.rb
-Rails.application.config.zen.api_token = Rails.application.credentials.zen.token
+Rails.application.config.zen.token = Rails.application.credentials.zen.token
 ```
 
 [creds]: https://guides.rubyonrails.org/security.html#environmental-security

data/lib/aikido/zen/agent.rb

@@ -19,6 +19,7 @@ module Aikido::Zen
     def initialize(
       config: Aikido::Zen.config,
       collector: Aikido::Zen.collector,
+      detached_agent: Aikido::Zen.detached_agent,
       worker: Aikido::Zen::Worker.new(config: config),
       api_client: Aikido::Zen::APIClient.new(config: config)
     )
@@ -28,6 +29,7 @@ module Aikido::Zen
       @worker = worker
       @api_client = api_client
       @collector = collector
+      @detached_agent = detached_agent
     end
 
     def started?
@@ -35,7 +37,7 @@ module Aikido::Zen
     end
 
     def start!
-      @config.logger.info "Starting Aikido agent"
+      @config.logger.info "Starting Aikido agent v#{Aikido::Zen::VERSION}"
 
       raise Aikido::ZenError, "Aikido Agent already started!" if started?
       @started_at = Time.now.utc
@@ -57,7 +59,7 @@ module Aikido::Zen
       at_exit { stop! if started? }
 
       report(Events::Started.new(time: @started_at)) do |response|
-        Aikido::Zen.runtime_settings.update_from_json(response)
+        updated_settings! if Aikido::Zen.runtime_settings.update_from_json(response)
         @config.logger.info "Updated runtime settings."
       rescue => err
         @config.logger.error(err.message)
@@ -141,11 +143,11 @@ module Aikido::Zen
     def send_heartbeat(at: Time.now.utc)
       return unless @api_client.can_make_requests?
 
-      event = @collector.flush(at: at)
-
-      report(event) do |response|
-        Aikido::Zen.runtime_settings.update_from_json(response)
-        @config.logger.info "Updated runtime settings after heartbeat"
+      @collector.flush_heartbeats.each do |heartbeat|
+        report(heartbeat) do |response|
+          updated_settings! if Aikido::Zen.runtime_settings.update_from_json(response)
+          @config.logger.info "Updated runtime settings after heartbeat"
+        end
       end
     end
 
@@ -159,7 +161,7 @@ module Aikido::Zen
     def poll_for_setting_updates
       @worker.every(@config.polling_interval) do
         if @api_client.should_fetch_settings?
-          Aikido::Zen.runtime_settings.update_from_json(@api_client.fetch_settings)
+          updated_settings! if Aikido::Zen.runtime_settings.update_from_json(@api_client.fetch_settings)
           @config.logger.info "Updated runtime settings after polling"
         end
       end

data/lib/aikido/zen/api_client.rb

@@ -72,16 +72,26 @@ module Aikido::Zen
     #   @return (see #fetch_settings)
     #   @raise (see #request)
     def report(event)
-      if @rate_limiter.throttle?(event)
-        @config.logger.error("Not reporting #{event.type.upcase} event due to rate limiting")
+      event_type = if event.respond_to?(:type)
+        event.type
+      else
+        event[:type]
+      end
+
+      if @rate_limiter.throttle?(event_type)
+        @config.logger.error("Not reporting #{event_type.upcase} event due to rate limiting")
         return
       end
 
-      @config.logger.debug("Reporting #{event.type.upcase} event")
+      @config.logger.debug("Reporting #{event_type.upcase} event")
 
       req = Net::HTTP::Post.new("/api/runtime/events", default_headers)
       req.content_type = "application/json"
-      req.body = @config.json_encoder.call(event.as_json)
+      req.body = if event.respond_to?(:as_json)
+        @config.json_encoder.call(event.as_json)
+      else
+        @config.json_encoder.call(event)
+      end
 
       request(req)
     rescue Aikido::Zen::RateLimitedError

data/lib/aikido/zen/background_worker.rb

@@ -0,0 +1,52 @@
+module Aikido::Zen
+  # Generic background worker class backed by queue. Meant to be used by any
+  # background process that needs to do heavy tasks.
+  class BackgroundWorker
+    # @param block [block] A block that receives 1 message directly from the queue
+    def initialize(&block)
+      @queue = Queue.new
+      @block = block
+    end
+
+    # starts the background thread, blocking the thread until a new messages arrives
+    # or the queue is stopped.
+    def start
+      @thread = Thread.new do
+        while running? || actions?
+          action = wait_for_action
+          @block.call(action) unless action.nil?
+        end
+      end
+    end
+
+    def restart
+      stop
+      @queue = Queue.new # re-open the queue
+      start
+    end
+
+    # Drain the queue to do not lose any messages
+    def stop
+      @queue.close # stop accepting messages
+      @thread.join # wait for the queue to be drained
+    end
+
+    def enqueue(scan)
+      @queue.push(scan)
+    end
+
+    private
+
+    def actions?
+      !@queue.empty?
+    end
+
+    def running?
+      !@queue.closed?
+    end
+
+    def wait_for_action
+      @queue.pop(false)
+    end
+  end
+end

data/lib/aikido/zen/collector.rb

@@ -11,6 +11,7 @@ module Aikido::Zen
       @users = Concurrent::AtomicReference.new(Users.new(@config))
       @hosts = Concurrent::AtomicReference.new(Hosts.new(@config))
       @routes = Concurrent::AtomicReference.new(Routes.new(@config))
+      @heartbeats = Queue.new
       @middleware_installed = Concurrent::AtomicBoolean.new
     end
 
@@ -34,6 +35,16 @@ module Aikido::Zen
       )
     end
 
+    # Put heartbeats coming from child processes into the internal queue.
+    def push_heartbeat(heartbeat)
+      @heartbeats << heartbeat
+    end
+
+    # Drains into an array all the queued heartbeats
+    def flush_heartbeats
+      Array.new(@heartbeats.size) { @heartbeats.pop }
+    end
+
     # Sets the start time for this collection period.
     #
     # @param at [Time] defaults to now.
@@ -46,7 +57,7 @@ module Aikido::Zen
     #
     # @param request [Aikido::Zen::Request]
     # @return [void]
-    def track_request(request)
+    def track_request(*)
       synchronize(@stats) { |stats| stats.add_request }
     end
 

data/lib/aikido/zen/config.rb

@@ -55,6 +55,11 @@ module Aikido::Zen
     # @return [Logger]
     attr_reader :logger
 
+    # @return [string] Path of the socket where the detached agent will listen.
+    # By default, is stored under the root application path with file name
+    # `aikido-detached-agent.socket`
+    attr_reader :detached_agent_socket_path
+
     # @return [Boolean] is the agent in debugging mode?
     attr_accessor :debugging
     alias_method :debugging?, :debugging
@@ -153,6 +158,7 @@ module Aikido::Zen
       self.debugging = read_boolean_from_env(ENV.fetch("AIKIDO_DEBUG", false))
       self.logger = Logger.new($stdout, progname: "aikido", level: debugging ? Logger::DEBUG : Logger::INFO)
       self.max_performance_samples = 5000
+      self.detached_agent_socket_path = "aikido-detached-agent.socket"
       self.max_compressed_stats = 100
       self.max_outbound_connections = 200
       self.max_users_tracked = 1000
@@ -210,6 +216,11 @@ module Aikido::Zen
       @api_timeouts.update(value)
     end
 
+    def detached_agent_socket_path=(path)
+      @detached_agent_socket_path = path
+      @detached_agent_socket_path = "drbunix:" + @detached_agent_socket_path unless @detached_agent_socket_path.start_with?("drbunix:")
+    end
+
     private
 
     def read_boolean_from_env(value)

data/lib/aikido/zen/detached_agent/agent.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "drb/drb"
+require "drb/unix"
+require_relative "front_object"
+require_relative "../background_worker"
+
+module Aikido::Zen::DetachedAgent
+  # Agent that runs in forked processes. It communicates with the parent process to dRB
+  # calls. It's in charge of schedule and send heartbeats to the *parent process*, to be
+  # later pushed.
+  #
+  # heartbeat & polling interval are configured to 10s , because they are connecting with
+  # parent process. We want to have the freshest data.
+  #
+  # It's possible to use `extend Forwardable` here for one-line forward calls to the
+  # @detached_agent_front object. Unfortunately, the methods to be called are
+  # created at runtime by `DRbObject`, which leads to an ugly warning about
+  # private methods after the delegator is bound.
+  class Agent
+    attr_reader :worker
+
+    def initialize(
+      heartbeat_interval: 10,
+      polling_interval: 10,
+      config: Aikido::Zen.config,
+      collector: Aikido::Zen.collector,
+      worker: Aikido::Zen::Worker.new(config: config)
+    )
+      @config = config
+      @heartbeat_interval = heartbeat_interval
+      @polling_interval = polling_interval
+      @worker = worker
+      @collector = collector
+      @detached_agent_front = DRbObject.new_with_uri(config.detached_agent_socket_path)
+      @has_forked = false
+      schedule_tasks
+    end
+
+    def send_heartbeat(at: Time.now.utc)
+      return unless @collector.stats.any?
+
+      heartbeat = @collector.flush(at: at)
+      @detached_agent_front.send_heartbeat_to_parent_process(heartbeat.as_json)
+    end
+
+    private def schedule_tasks
+      # For heartbeats is correct to send them from parent or child process. Otherwise, we'll lose
+      # stats made by the parent process.
+      @worker.every(@heartbeat_interval, run_now: false) { send_heartbeat }
+
+      # Runtime_settings fetch must happens only in the child processes, otherwise, due to
+      # we are updating the global runtime_settings, we could have an infinite recursion.
+      if @has_forked
+        @worker.every(@polling_interval) do
+          Aikido::Zen.runtime_settings = @detached_agent_front.updated_settings
+          @config.logger.debug "Updated runtime settings after polling from child process #{Process.pid}"
+        end
+      end
+    end
+
+    def calculate_rate_limits(request)
+      @detached_agent_front.calculate_rate_limits(request.route, request.ip, request.actor.to_json)
+    end
+
+    # Every time a fork occurs (a new child process is created), we need to start
+    # a DRb service in a background thread within the child process. This service
+    # will manage the connection and handle resource cleanup.
+    def handle_fork
+      @has_forked = true
+      DRb.start_service
+      # we need to ensure that there are not more jobs in the queue, but
+      # we reuse the same object
+      @worker.restart
+      schedule_tasks
+    end
+  end
+end

data/lib/aikido/zen/detached_agent/front_object.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+# dRB Front object that will work as a bridge communication between child & parent
+# processes.
+# Every method is called from the child but it runs in the parent process.
+module Aikido::Zen::DetachedAgent
+  class FrontObject
+    def initialize(
+      config: Aikido::Zen.config,
+      collector: Aikido::Zen.collector,
+      runtime_settings: Aikido::Zen.runtime_settings,
+      rate_limiter: Aikido::Zen::RateLimiter.new
+    )
+      @config = config
+      @collector = collector
+      @rate_limiter = rate_limiter
+      @runtime_settings = runtime_settings
+    end
+
+    RequestKind = Struct.new(:route, :schema, :ip, :actor)
+
+    def send_heartbeat_to_parent_process(heartbeat)
+      @collector.push_heartbeat(heartbeat)
+    end
+
+    # Method called by child processes to get an up-to-date version of the
+    # runtime_settings
+    def updated_settings
+      @runtime_settings
+    end
+
+    def calculate_rate_limits(route, ip, actor_hash)
+      actor = Aikido::Zen::Actor(actor_hash) if actor_hash
+      @rate_limiter.calculate_rate_limits(RequestKind.new(route, nil, ip, actor))
+    end
+  end
+end

data/lib/aikido/zen/detached_agent/server.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Aikido::Zen::DetachedAgent
+  class Server
+    def initialize(config: Aikido::Zen.config)
+      @detached_agent_front = FrontObject.new
+      @drb_server = DRb.start_service(config.detached_agent_socket_path, @detached_agent_front)
+
+      # We don't want to see drb logs unless in debug mode
+      @drb_server.verbose = config.logger.debug?
+    end
+
+    def alive?
+      @drb_server.alive?
+    end
+
+    def stop!
+      @drb_server.stop_service
+      DRb.stop_service
+    end
+
+    class << self
+      def start!
+        Aikido::Zen.config.logger.debug("Starting DRb Server...")
+        max_attempts = 10
+        @server = new
+
+        attempts = 0
+        until @server.alive?
+          Aikido::Zen.config.logger.info("DRb Server still not alive. #{max_attempts - attempts} attempts remaining")
+          sleep 0.1
+          attempts += 1
+          raise Aikido::Zen::DetachedAgentError.new("Impossible to start the dRB server (socket=#{Aikido::Zen.config.detached_agent_socket_path})") \
+            if attempts == max_attempts
+        end
+
+        @server
+      end
+    end
+  end
+end

data/lib/aikido/zen/detached_agent.rb

@@ -0,0 +1,2 @@
+require_relative "detached_agent/agent"
+require_relative "detached_agent/server"

data/lib/aikido/zen/errors.rb

@@ -95,5 +95,13 @@ module Aikido
         MSG
       end
     end
+
+    class DetachedAgentError < ZenError
+      extend Forwardable
+
+      def initialize(msg)
+        super
+      end
+    end
   end
 end

data/lib/aikido/zen/middleware/rack_throttler.rb

@@ -12,12 +12,12 @@ module Aikido::Zen
         app,
         config: Aikido::Zen.config,
         settings: Aikido::Zen.runtime_settings,
-        rate_limiter: Aikido::Zen::RateLimiter.new
+        detached_agent: Aikido::Zen.detached_agent
       )
         @app = app
         @config = config
         @settings = settings
-        @rate_limiter = rate_limiter
+        @detached_agent = detached_agent
       end
 
       def call(env)
@@ -33,9 +33,15 @@ module Aikido::Zen
       private
 
       def should_throttle?(request)
+        return false unless @settings.endpoints[request.route].rate_limiting.enabled?
         return false if @settings.skip_protection_for_ips.include?(request.ip)
 
-        @rate_limiter.throttle?(request)
+        result = @detached_agent.calculate_rate_limits(request)
+
+        return false unless result
+
+        request.env["aikido.rate_limiting"] = result
+        request.env["aikido.rate_limiting"].throttled?
       end
     end
   end

data/lib/aikido/zen/outbound_connection_monitor.rb

@@ -5,6 +5,10 @@ module Aikido::Zen
   # any Sink that wraps an HTTP library, and lets us keep track of any hosts to
   # which the app communicates over HTTP.
   module OutboundConnectionMonitor
+    def self.skips_on_nil_context?
+      false
+    end
+
     # This simply reports the connection to the Agent, and always returns +nil+
     # as it's not scanning for any particular attack.
     #

data/lib/aikido/zen/rails_engine.rb

@@ -61,6 +61,10 @@ module Aikido::Zen
       # accordingly.
       Aikido::Zen.load_sinks!
 
+      # It's important we start after loading sinks, so we can report the installed packages
+      Aikido::Zen.start!
+      Aikido::Zen.start!
+
       # Agent's bootstrap process has finished —Controllers are patched to block
       # unwanted requests, sinks are loaded, scanners are running—, so we mark
       # the agent as installed.

data/lib/aikido/zen/rate_limiter/breaker.rb

@@ -31,13 +31,13 @@ module Aikido::Zen
       @opened_at = @clock.call
     end
 
-    # @param event [#type] an event which we'll discriminate by type to decide
+    # @param event_type [String] an event type which we'll use to decide
     #   if we should throttle it.
     # @return [Boolean]
-    def throttle?(event)
+    def throttle?(event_type)
       return true if open? && !try_close
 
-      result = @bucket.increment(event.type)
+      result = @bucket.increment(event_type)
       result.throttled?
     end
 

data/lib/aikido/zen/rate_limiter.rb

@@ -24,23 +24,18 @@ module Aikido::Zen
       }
     end
 
-    # Checks whether the request requires rate limiting. As a side effect, this
-    # will annotate the request with the "aikido.rate_limiting" ENV key, holding
-    # the result of the check, and including useful stats in case you want to
-    # return RateLimit headers..
+    # Calculate based on the configuration whether a request will be
+    # rate-limited or not.
     #
     # @param request [Aikido::Zen::Request]
-    # @return [Boolean]
-    #
-    # @see Aikido::Zen::RateLimiter::Result
-    def throttle?(request)
+    # @return [Aikido::Zen::RateLimiter::Result, nil]
+    def calculate_rate_limits(request)
       settings = settings_for(request.route)
-      return false unless settings.enabled?
+      return nil unless settings.enabled?
 
       bucket = @buckets[request.route]
       key = @config.rate_limiting_discriminator.call(request)
-      request.env["aikido.rate_limiting"] = bucket.increment(key)
-      request.env["aikido.rate_limiting"].throttled?
+      bucket.increment(key)
     end
 
     private

data/lib/aikido/zen/request/rails_router.rb

@@ -58,27 +58,15 @@ module Aikido::Zen
     end
 
     private def build_route(route, request, prefix: request.script_name)
-      Rails::Route.new(route, prefix: prefix, verb: request.request_method)
-    end
-  end
-
-  module Rails
-    class Route < Aikido::Zen::Route
-      attr_reader :verb
+      route_wrapper = ActionDispatch::Routing::RouteWrapper.new(route)
 
-      def initialize(rails_route, verb: rails_route.verb, prefix: nil)
-        @route = ActionDispatch::Routing::RouteWrapper.new(rails_route)
-        @verb = verb
-        @prefix = prefix
+      path = if prefix.present?
+        File.join(prefix.to_s, route_wrapper.path).chomp("/")
+      else
+        route_wrapper.path
       end
 
-      def path
-        if @prefix.present?
-          File.join(@prefix.to_s, @route.path).chomp("/")
-        else
-          @route.path
-        end
-      end
+      Aikido::Zen::Route.new(verb: request.request_method, path: path)
     end
   end
 end

data/lib/aikido/zen/request/schema/auth_schemas.rb

@@ -18,6 +18,20 @@ module Aikido::Zen
         @schemas.map(&:as_json) unless @schemas.empty?
       end
 
+      def self.from_json(schemas_array)
+        return NONE if !schemas_array || schemas_array.empty?
+
+        AuthSchemas.new(schemas_array.map do |schema|
+          if schema[:type] == "http"
+            Authorization.new(schema[:scheme])
+          elsif schema[:type] == "apiKey"
+            ApiKey.new(schema[:in], schema[:name])
+          else
+            raise "Invalid schema type: #{schema[:type]}"
+          end
+        end)
+      end
+
       def ==(other)
         other.is_a?(self.class) && schemas == other.schemas
       end

data/lib/aikido/zen/request/schema.rb

@@ -48,6 +48,24 @@ module Aikido::Zen
       {body: body, query: query_schema.as_json, auth: auth_schema.as_json}.compact
     end
 
+    def self.from_json(data)
+      if data.empty?
+        return Request::Schema.new(
+          content_type: nil,
+          body_schema: EMPTY_SCHEMA,
+          query_schema: EMPTY_SCHEMA,
+          auth_schema: Aikido::Zen::Request::Schema::AuthSchemas.new([])
+        )
+      end
+
+      Request::Schema.new(
+        content_type: data[:body].nil? ? nil : data[:body][:type],
+        body_schema: data[:body].nil? ? EMPTY_SCHEMA : Aikido::Zen::Request::Schema::Definition.new(data[:body][:schema]),
+        query_schema: data[:query].nil? ? EMPTY_SCHEMA : Aikido::Zen::Request::Schema::Definition.new(data[:query]),
+        auth_schema: Aikido::Zen::Request::Schema::AuthSchemas.from_json(data[:auth])
+      )
+    end
+
     # Merges the request specification with another request's specification.
     #
     # @param other [Aikido::Zen::Request::Schema, nil]

data/lib/aikido/zen/runtime_settings.rb

@@ -45,7 +45,7 @@ module Aikido::Zen
     # @param data [Hash] the decoded JSON payload from the /api/runtime/config
     #   API endpoint.
     #
-    # @return [void]
+    # @return [bool]
     def update_from_json(data)
       last_updated_at = updated_at
 
@@ -56,7 +56,7 @@ module Aikido::Zen
       self.skip_protection_for_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
       self.received_any_stats = data["receivedAnyStats"]
 
-      Aikido::Zen.agent.updated_settings! if updated_at != last_updated_at
+      updated_at != last_updated_at
     end
   end
 end

data/lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -5,6 +5,10 @@ require_relative "path_traversal/helpers"
 module Aikido::Zen
   module Scanners
     class PathTraversalScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
       # Checks if the user introduced input is trying to access other path using
       # Path Traversal kind of attacks.
       #
@@ -16,8 +20,6 @@ module Aikido::Zen
       # @return [Aikido::Zen::Attacks::PathTraversalAttack, nil] an Attack if any
       # user input is detected to be attempting a Path Traversal Attack, or +nil+ if not.
       def self.call(filepath:, sink:, context:, operation:)
-        return unless context
-
         context.payloads.each do |payload|
           next unless new(filepath, payload.value).attack?
 

data/lib/aikido/zen/scanners/shell_injection_scanner.rb

@@ -5,14 +5,16 @@ require_relative "shell_injection/helpers"
 module Aikido::Zen
   module Scanners
     class ShellInjectionScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
       # @param command [String]
       # @param sink [Aikido::Zen::Sink]
       # @param context [Aikido::Zen::Context]
       # @param operation [Symbol, String]
       #
       def self.call(command:, sink:, context:, operation:)
-        return unless context
-
         context.payloads.each do |payload|
           next unless new(command, payload.value).attack?
 

data/lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -6,6 +6,10 @@ require_relative "../internals"
 module Aikido::Zen
   module Scanners
     class SQLInjectionScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
       # Checks if the given SQL query may have dangerous user input injected,
       # and returns an Attack if so, based on the current request.
       #
@@ -22,8 +26,6 @@ module Aikido::Zen
       # @raise [Aikido::Zen::InternalsError] if an error occurs when loading or
       #   calling zenlib. See Sink#scan.
       def self.call(query:, dialect:, sink:, context:, operation:)
-        return if context.nil?
-
         dialect = DIALECTS.fetch(dialect) do
           Aikido::Zen.config.logger.warn "Unknown SQL dialect #{dialect.inspect}"
           DIALECTS[:common]

data/lib/aikido/zen/scanners/ssrf/private_ip_checker.rb

@@ -31,35 +31,47 @@ module Aikido::Zen
         # @return [Boolean]
         def private?(hostname_or_address)
           resolve(hostname_or_address).any? do |ip|
-            ip.loopback? || ip.private? || RFC5735.any? { |range| range === ip }
+            PRIVATE_RANGES.any? { |range| range === ip }
           end
         end
 
         private
 
-        RFC5735 = [
-          IPAddr.new("0.0.0.0/8"),
-          IPAddr.new("100.64.0.0/10"),
-          IPAddr.new("127.0.0.0/8"),
-          IPAddr.new("169.254.0.0/16"),
-          IPAddr.new("192.0.0.0/24"),
-          IPAddr.new("192.0.2.0/24"),
-          IPAddr.new("192.31.196.0/24"),
-          IPAddr.new("192.52.193.0/24"),
-          IPAddr.new("192.88.99.0/24"),
-          IPAddr.new("192.175.48.0/24"),
-          IPAddr.new("198.18.0.0/15"),
-          IPAddr.new("198.51.100.0/24"),
-          IPAddr.new("203.0.113.0/24"),
-          IPAddr.new("240.0.0.0/4"),
-          IPAddr.new("224.0.0.0/4"),
-          IPAddr.new("255.255.255.255/32"),
+        # Source: https://github.com/AikidoSec/firewall-node/blob/main/library/vulnerabilities/ssrf/isPrivateIP.ts
+        PRIVATE_IPV4_RANGES = [
+          IPAddr.new("0.0.0.0/8"),         # "This" network (RFC 1122)
+          IPAddr.new("10.0.0.0/8"),        # Private-Use Networks (RFC 1918)
+          IPAddr.new("100.64.0.0/10"),     # Shared Address Space (RFC 6598)
+          IPAddr.new("127.0.0.0/8"),       # Loopback (RFC 1122)
+          IPAddr.new("169.254.0.0/16"),    # Link Local (RFC 3927)
+          IPAddr.new("172.16.0.0/12"),     # Private-Use Networks (RFC 1918)
+          IPAddr.new("192.0.0.0/24"),      # IETF Protocol Assignments (RFC 5736)
+          IPAddr.new("192.0.2.0/24"),      # TEST-NET-1 (RFC 5737)
+          IPAddr.new("192.31.196.0/24"),   # AS112 Redirection Anycast (RFC 7535)
+          IPAddr.new("192.52.193.0/24"),   # Automatic Multicast Tunneling (RFC 7450)
+          IPAddr.new("192.88.99.0/24"),    # 6to4 Relay Anycast (RFC 3068)
+          IPAddr.new("192.168.0.0/16"),    # Private-Use Networks (RFC 1918)
+          IPAddr.new("192.175.48.0/24"),   # AS112 Redirection Anycast (RFC 7535)
+          IPAddr.new("198.18.0.0/15"),     # Network Interconnect Device Benchmark Testing (RFC 2544)
+          IPAddr.new("198.51.100.0/24"),   # TEST-NET-2 (RFC 5737)
+          IPAddr.new("203.0.113.0/24"),    # TEST-NET-3 (RFC 5737)
+          IPAddr.new("224.0.0.0/4"),       # Multicast (RFC 3171)
+          IPAddr.new("240.0.0.0/4"),       # Reserved for Future Use (RFC 1112)
+          IPAddr.new("255.255.255.255/32") # Limited Broadcast (RFC 919)
+        ]
 
-          IPAddr.new("::/128"),              # Unspecified address
-          IPAddr.new("fe80::/10"),           # Link-local address (LLA)
-          IPAddr.new("::ffff:127.0.0.1/128") # IPv4-mapped address
+        PRIVATE_IPV6_RANGES = [
+          IPAddr.new("::/128"),            # Unspecified address (RFC 4291)
+          IPAddr.new("::1/128"),           # Loopback address (RFC 4291)
+          IPAddr.new("fc00::/7"),          # Unique local address (ULA) (RFC 4193
+          IPAddr.new("fe80::/10"),         # Link-local address (LLA) (RFC 4291)
+          IPAddr.new("100::/64"),          # Discard prefix (RFC 6666)
+          IPAddr.new("2001:db8::/32"),     # Documentation prefix (RFC 3849)
+          IPAddr.new("3fff::/20")          # Documentation prefix (RFC 9637)
         ]
 
+        PRIVATE_RANGES = PRIVATE_IPV4_RANGES + PRIVATE_IPV6_RANGES + PRIVATE_IPV4_RANGES.map(&:ipv4_mapped)
+
         def resolved_in_current_context
           context = Aikido::Zen.current_context
           context && context["dns.lookups"]

data/lib/aikido/zen/scanners/ssrf_scanner.rb

@@ -6,6 +6,12 @@ require_relative "ssrf/dns_lookups"
 module Aikido::Zen
   module Scanners
     class SSRFScanner
+      # SSRF attacks can be triggered through external inputs, so it is essential
+      # to have a valid context to safeguard against these attacks.
+      def self.skips_on_nil_context?
+        true
+      end
+
       # Checks if an outbound HTTP request is to a hostname supplied from user
       # input that resolves to a "dangerous" address. This is called from two
       # different places:
@@ -32,7 +38,6 @@ module Aikido::Zen
       # @return [Aikido::Zen::Attacks::SSRFAttack, nil] an Attack if any user
       #   input is detected to be attempting SSRF, or +nil+ if not.
       def self.call(request:, sink:, context:, operation:, **)
-        return if context.nil?
         return if request.nil? # See NOTE above.
 
         context["ssrf.redirects"] ||= RedirectChains.new

data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb

@@ -5,6 +5,12 @@ module Aikido::Zen
     # Inspects the result of DNS lookups, to determine if we're being the target
     # of a stored SSRF targeting IMDS addresses (169.254.169.254).
     class StoredSSRFScanner
+      # Stored-SSRF can occur without external input, so we do not require a
+      # context to determine if an attack is happening.
+      def self.skips_on_nil_context?
+        false
+      end
+
       def self.call(hostname:, addresses:, operation:, sink:, context:, **opts)
         offending_address = new(hostname, addresses).attack?
         return if offending_address.nil?

data/lib/aikido/zen/sink.rb

@@ -84,11 +84,16 @@ module Aikido::Zen
 
       scan = Scan.new(sink: self, context: context)
 
+      scans_performed = 0
       scan.perform do
         result = nil
 
         scanners.each do |scanner|
+          next if scanner.skips_on_nil_context? && context.nil?
+
           result = scanner.call(sink: self, context: context, **scan_params)
+          scans_performed += 1
+
           break result if result
         rescue Aikido::Zen::InternalsError => error
           Aikido::Zen.config.logger.warn(error.message)
@@ -100,7 +105,7 @@ module Aikido::Zen
         result
       end
 
-      @reporter.call(scan)
+      @reporter.call(scan) if scans_performed > 0
 
       scan
     end

data/lib/aikido/zen/sinks/action_controller.rb

@@ -12,11 +12,11 @@ module Aikido::Zen
         def initialize(
           config: Aikido::Zen.config,
           settings: Aikido::Zen.runtime_settings,
-          rate_limiter: Aikido::Zen::RateLimiter.new
+          detached_agent: Aikido::Zen.detached_agent
         )
           @config = config
           @settings = settings
-          @rate_limiter = rate_limiter
+          @detached_agent = detached_agent
         end
 
         def block?(controller)
@@ -43,16 +43,21 @@ module Aikido::Zen
         end
 
         private def should_throttle?(request)
+          return false unless @settings.endpoints[request.route].rate_limiting.enabled?
           return false if @settings.skip_protection_for_ips.include?(request.ip)
 
-          @rate_limiter.throttle?(request)
+          result = @detached_agent.calculate_rate_limits(request)
+          return false unless result
+
+          request.env["aikido.rate_limiting"] = result
+          request.env["aikido.rate_limiting"].throttled?
         end
 
         # @param request [Aikido::Zen::Request]
         private def should_block_user?(request)
           return false if request.actor.nil?
 
-          @settings.blocked_user_ids&.include?(request.actor.id)
+          Aikido::Zen.runtime_settings.blocked_user_ids&.include?(request.actor.id)
         end
       end
 

data/lib/aikido/zen/sinks/socket.rb

@@ -15,6 +15,19 @@ module Aikido::Zen
 
       module IPSocketExtensions
         def self.scan_socket(hostname, socket)
+          # We're patching IPSocket.open(..) method.
+          # The IPSocket class hierarchy is:
+          #             IPSocket
+          #            /        \
+          #       TCPSocket    UDPSocket
+          #       /       \
+          # TCPServer     SOCKSSocket
+          #
+          # Because we want to scan only HTTP requests, we skip in case the
+          # socket is not *exactly* an instance of TCPSocket — it's any
+          # of it subclasses
+          return unless socket.instance_of?(TCPSocket)
+
           # ["AF_INET", 80, "10.0.0.1", "10.0.0.1"]
           addr_family, *, remote_address = socket.peeraddr
 

data/lib/aikido/zen/version.rb

@@ -2,7 +2,7 @@
 
 module Aikido
   module Zen
-    VERSION = "0.2.0"
+    VERSION = "1.0.0-beta.1"
 
     # The version of libzen_internals that we build against.
     LIBZEN_VERSION = "0.1.37"

data/lib/aikido/zen/worker.rb

@@ -78,5 +78,10 @@ module Aikido::Zen
       @executor.shutdown
       @executor.wait_for_termination(30)
     end
+
+    def restart
+      shutdown
+      @executor = Concurrent::SingleThreadExecutor.new
+    end
   end
 end

data/lib/aikido/zen.rb

@@ -10,6 +10,7 @@ require_relative "zen/worker"
 require_relative "zen/agent"
 require_relative "zen/api_client"
 require_relative "zen/context"
+require_relative "zen/detached_agent"
 require_relative "zen/middleware/check_allowed_addresses"
 require_relative "zen/middleware/middleware"
 require_relative "zen/middleware/request_tracker"
@@ -34,6 +35,10 @@ module Aikido
       @runtime_settings ||= RuntimeSettings.new
     end
 
+    def self.runtime_settings=(settings)
+      @runtime_settings = settings
+    end
+
     # Gets information about the current system configuration, which is sent to
     # the server along with any events.
     def self.system_info
@@ -43,9 +48,15 @@ module Aikido
     # Manages runtime metrics extracted from your app, which are uploaded to the
     # Aikido servers if configured to do so.
     def self.collector
+      check_and_handle_fork
       @collector ||= Collector.new
     end
 
+    def self.detached_agent
+      check_and_handle_fork
+      @detached_agent ||= DetachedAgent::Agent.new
+    end
+
     # Gets the current context object that holds all information about the
     # current request.
     #
@@ -68,12 +79,10 @@ module Aikido
     # @param request [Aikido::Zen::Request]
     # @return [void]
     def self.track_request(request)
-      autostart
-      collector.track_request(request)
+      collector.track_request
     end
 
     def self.track_discovered_route(request)
-      autostart
       collector.track_route(request)
     end
 
@@ -82,7 +91,6 @@ module Aikido
     # @param connection [Aikido::Zen::OutboundConnection]
     # @return [void]
     def self.track_outbound(connection)
-      autostart
       collector.track_outbound(connection)
     end
 
@@ -94,7 +102,6 @@ module Aikido
     # @raise [Aikido::Zen::UnderAttackError] if the scan detected an Attack
     #   and blocking_mode is enabled.
     def self.track_scan(scan)
-      autostart
       collector.track_scan(scan)
       agent.handle_attack(scan.attack) if scan.attack?
     end
@@ -107,7 +114,6 @@ module Aikido
       return if config.disabled?
 
       if (actor = Aikido::Zen::Actor(user))
-        autostart
         collector.track_user(actor)
         current_context.request.actor = actor if current_context
       else
@@ -140,7 +146,8 @@ module Aikido
     # @!visibility private
     # Stop any background threads.
     def self.stop!
-      agent&.stop!
+      @agent&.stop!
+      @detached_agent_server&.stop!
     end
 
     # @!visibility private
@@ -149,8 +156,34 @@ module Aikido
       @agent ||= Agent.start
     end
 
+    def self.detached_agent_server
+      @detached_agent_server ||= DetachedAgent::Server.start!
+    end
+
     class << self
-      alias_method :autostart, :agent
+      # `agent` and `detached_agent` are started on the first method call.
+      # A mutex controls thread execution to prevent multiple attempts.
+      LOCK = Mutex.new
+
+      def start!
+        @pid = Process.pid
+        LOCK.synchronize do
+          agent
+          detached_agent_server
+        end
+      end
+
+      def check_and_handle_fork
+        if has_forked
+          @detached_agent&.handle_fork
+        end
+      end
+
+      def has_forked
+        pid_changed = Process.pid != @pid
+        @pid = Process.pid
+        pid_changed
+      end
     end
   end
 end

data/tasklib/bench.rake

@@ -2,8 +2,11 @@
 
 require "socket"
 require "timeout"
+require_relative "wrk"
 
 SERVER_PIDS = {}
+PORT_PROTECTED = 3001
+PORT_UNPROTECTED = 3002
 
 def stop_servers
   SERVER_PIDS.each { |_, pid| Process.kill("TERM", pid) }
@@ -11,6 +14,8 @@ def stop_servers
 end
 
 def boot_server(dir, port:, env: {})
+  env["RAILS_MIN_THREADS"] = NUMBER_OF_THREADS
+  env["RAILS_MAX_THREADS"] = NUMBER_OF_THREADS
   env["PORT"] = port.to_s
   env["SECRET_KEY_BASE"] = rand(36**64).to_s(36)
 
@@ -49,8 +54,28 @@ end
 Pathname.glob("sample_apps/*").select(&:directory?).each do |dir|
   namespace :bench do
     namespace dir.basename.to_s do
-      desc "Run benchmarks for the #{dir.basename} sample app"
-      task run: [:boot_protected_app, :boot_unprotected_app] do
+      desc "Run WRK benchmarks for the #{dir.basename} sample app"
+      task wrk_run: [:boot_protected_app, :boot_unprotected_app] do
+        throughput_decrease_limit_perc = 25
+        if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.0.0") && Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.1.0")
+          # add higher limit for ruby 3.0
+          throughput_decrease_limit_perc = 35
+        end
+
+        wait_for_servers
+        run_benchmark(
+          route_zen: "http://localhost:#{PORT_PROTECTED}/benchmark", # Application with Zen
+          route_no_zen: "http://localhost:#{PORT_UNPROTECTED}/benchmark", # Application without Zen
+          description: "An empty route (1ms simulated delay)",
+          throughput_decrease_limit_perc: throughput_decrease_limit_perc,
+          latency_increase_limit_ms: 200
+        )
+      ensure
+        stop_servers
+      end
+
+      desc "Run K6 benchmarks for the #{dir.basename} sample app"
+      task k6_run: [:boot_protected_app, :boot_unprotected_app] do
         wait_for_servers
         Dir.chdir("benchmarks") { sh "k6 run #{dir.basename}.js" }
       ensure
@@ -58,14 +83,12 @@ Pathname.glob("sample_apps/*").select(&:directory?).each do |dir|
       end
 
       task :boot_protected_app do
-        boot_server(dir, port: 3001)
+        boot_server(dir, port: PORT_PROTECTED)
       end
 
       task :boot_unprotected_app do
-        boot_server(dir, port: 3002, env: {"AIKIDO_DISABLED" => "true"})
+        boot_server(dir, port: PORT_UNPROTECTED, env: {"AIKIDO_DISABLED" => "true"})
       end
     end
-
-    task default: "#{dir.basename}:run"
   end
 end

data/tasklib/wrk.rb

@@ -0,0 +1,88 @@
+require "open3"
+require "time"
+
+NUMBER_OF_THREADS = ENV.fetch("BENCHMARK_NUMBER_OF_THREADS") { 12 }.to_s
+CONNECTIONS = ENV.fetch("BENCHMARK_WRK_CONNECTIONS") { 400 }
+
+def generate_wrk_command_for_url(url)
+  # Define the command with wrk included
+  "wrk --threads #{NUMBER_OF_THREADS} --connections #{CONNECTIONS} --duration 15s --timeout 5s --latency #{url}"
+end
+
+def cold_start(url)
+  10.times do
+    _, err, status = Open3.capture3("curl #{url}")
+
+    if status != 0
+      puts err
+      exit(-1)
+    end
+  end
+end
+
+def extract_requests_and_latency_tuple(out, err, status)
+  if status == 0
+    # Extracting requests/sec
+    requests_sec_match = out.match(/Requests\/sec:\s+([\d.]+)/)
+    requests_sec = requests_sec_match[1].to_f if requests_sec_match
+
+    # Extracting latency
+    latency_match = out.match(/Latency\s+([\d.]+)(ms|s)/)
+    latency = latency_match[1].to_f if latency_match
+    latency_unit = latency_match[2] if latency_match
+
+    if latency_unit == "s"
+      latency *= 1000
+    end
+
+    {requests_sec: requests_sec, latency: latency}
+  else
+    puts "Error occurred running benchmark command:"
+    puts err.strip
+    exit(1)
+  end
+end
+
+def run_benchmark(route_no_zen:, route_zen:, description:, throughput_decrease_limit_perc:, latency_increase_limit_ms:)
+  # Cold start
+  cold_start(route_no_zen)
+  cold_start(route_zen)
+
+  out, err, status = Open3.capture3(generate_wrk_command_for_url(route_zen))
+  puts <<~MSG
+    WRK OUTPUT
+    ================
+    FIREWALL ENABLED:
+        #{out}
+    ----------------
+  MSG
+  result_zen_enabled = extract_requests_and_latency_tuple(out, err, status)
+
+  out, err, status = Open3.capture3(generate_wrk_command_for_url(route_no_zen))
+  puts <<~MSG
+    FIREWALL DISABLED:
+        #{out}
+    ================
+  MSG
+  result_zen_disabled = extract_requests_and_latency_tuple(out, err, status)
+
+  # Check if the command was successful
+  if result_zen_enabled && result_zen_disabled
+    # Print the output, which should be the Requests/sec value
+    puts "[ZEN ENABLED ] Requests/sec: #{result_zen_enabled[:requests_sec]} | Latency in ms: #{result_zen_enabled[:latency]}"
+    puts "[ZEN DISABLED] Requests/sec: #{result_zen_disabled[:requests_sec]} | Latency in ms: #{result_zen_disabled[:latency]}"
+
+    latency_increase_ms = (result_zen_enabled[:latency] - result_zen_disabled[:latency]).round(2)
+    puts "-> Delta in ms: #{latency_increase_ms}ms after running load test on #{description}"
+
+    throughput_decrease_perc = ((result_zen_disabled[:requests_sec] - result_zen_enabled[:requests_sec]) / result_zen_disabled[:requests_sec] * 100).round
+    puts "-> #{throughput_decrease_perc}% decrease in throughput after running load test on #{description}\n"
+
+    if latency_increase_ms >= latency_increase_limit_ms
+      exit(1)
+    end
+    if throughput_decrease_perc >= throughput_decrease_limit_perc
+      exit(1)
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 1.0.0.pre.beta.1
 platform: arm64-darwin
 authors:
 - Nicolas Sanguinetti
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-03-10 00:00:00.000000000 Z
+date: 2025-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -82,6 +82,7 @@ files:
 - lib/aikido/zen/agent/heartbeats_manager.rb
 - lib/aikido/zen/api_client.rb
 - lib/aikido/zen/attack.rb
+- lib/aikido/zen/background_worker.rb
 - lib/aikido/zen/capped_collections.rb
 - lib/aikido/zen/collector.rb
 - lib/aikido/zen/collector/hosts.rb
@@ -93,6 +94,10 @@ files:
 - lib/aikido/zen/context.rb
 - lib/aikido/zen/context/rack_request.rb
 - lib/aikido/zen/context/rails_request.rb
+- lib/aikido/zen/detached_agent.rb
+- lib/aikido/zen/detached_agent/agent.rb
+- lib/aikido/zen/detached_agent/front_object.rb
+- lib/aikido/zen/detached_agent/server.rb
 - lib/aikido/zen/errors.rb
 - lib/aikido/zen/event.rb
 - lib/aikido/zen/internals.rb
@@ -164,6 +169,7 @@ files:
 - lib/aikido/zen/worker.rb
 - tasklib/bench.rake
 - tasklib/libzen.rake
+- tasklib/wrk.rb
 homepage: https://aikido.dev
 licenses:
 - AGPL-3.0-or-later