aikido-zen 0.2.0-x86_64-darwin → 1.0.1.beta.2-x86_64-darwin

data/lib/aikido/zen/detached_agent/front_object.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+# dRB Front object that will work as a bridge communication between child & parent
+# processes.
+# Every method is called from the child but it runs in the parent process.
+module Aikido::Zen::DetachedAgent
+  class FrontObject
+    def initialize(
+      config: Aikido::Zen.config,
+      collector: Aikido::Zen.collector,
+      runtime_settings: Aikido::Zen.runtime_settings,
+      rate_limiter: Aikido::Zen::RateLimiter.new
+    )
+      @config = config
+      @collector = collector
+      @rate_limiter = rate_limiter
+      @runtime_settings = runtime_settings
+    end
+
+    RequestKind = Struct.new(:route, :schema, :ip, :actor)
+
+    def send_heartbeat_to_parent_process(heartbeat)
+      @collector.push_heartbeat(heartbeat)
+    end
+
+    # Method called by child processes to get an up-to-date version of the
+    # runtime_settings
+    def updated_settings
+      @runtime_settings
+    end
+
+    def calculate_rate_limits(route, ip, actor_hash)
+      actor = Aikido::Zen::Actor(actor_hash) if actor_hash
+      @rate_limiter.calculate_rate_limits(RequestKind.new(route, nil, ip, actor))
+    end
+  end
+end

data/lib/aikido/zen/detached_agent/server.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Aikido::Zen::DetachedAgent
+  class Server
+    def initialize(config: Aikido::Zen.config)
+      @detached_agent_front = FrontObject.new
+      @drb_server = DRb.start_service(config.detached_agent_socket_path, @detached_agent_front)
+
+      # We don't want to see drb logs unless in debug mode
+      @drb_server.verbose = config.logger.debug?
+    end
+
+    def alive?
+      @drb_server.alive?
+    end
+
+    def stop!
+      @drb_server.stop_service
+      DRb.stop_service
+    end
+
+    class << self
+      def start!
+        Aikido::Zen.config.logger.debug("Starting DRb Server...")
+        max_attempts = 10
+        @server = new
+
+        attempts = 0
+        until @server.alive?
+          Aikido::Zen.config.logger.info("DRb Server still not alive. #{max_attempts - attempts} attempts remaining")
+          sleep 0.1
+          attempts += 1
+          raise Aikido::Zen::DetachedAgentError.new("Impossible to start the dRB server (socket=#{Aikido::Zen.config.detached_agent_socket_path})") \
+            if attempts == max_attempts
+        end
+
+        @server
+      end
+    end
+  end
+end

data/lib/aikido/zen/detached_agent.rb

@@ -0,0 +1,2 @@
+require_relative "detached_agent/agent"
+require_relative "detached_agent/server"

data/lib/aikido/zen/errors.rb

@@ -95,5 +95,13 @@ module Aikido
         MSG
       end
     end
+
+    class DetachedAgentError < ZenError
+      extend Forwardable
+
+      def initialize(msg)
+        super
+      end
+    end
   end
 end

data/lib/aikido/zen/internals.rb

@@ -13,14 +13,48 @@ module Aikido::Zen
       attr_accessor :libzen_name
     end
 
-    self.libzen_name = [
-      "libzen-v#{LIBZEN_VERSION}",
-      FFI::Platform::ARCH,
-      FFI::Platform::LIBSUFFIX
-    ].join(".")
+    def self.libzen_names
+      lib_name = "libzen-v#{LIBZEN_VERSION}"
+      lib_ext = FFI::Platform::LIBSUFFIX
+
+      # Gem::Platform#version should be understood as an arbitrary Ruby defined
+      # OS specific string. A platform with a version string is considered more
+      # specific than a platform without a version string.
+      # https://docs.ruby-lang.org/en/3.3/Gem/Platform.html
+
+      platform = Gem::Platform.local.dup
+
+      # Library names in preferred order.
+      #
+      # If two library names are added, the specific platform library names is
+      # first and the generic platform library name is second.
+      names = []
+
+      names << "#{lib_name}-#{platform}.#{lib_ext}"
+
+      unless platform.version.nil?
+        platform.version = nil
+        names << "#{lib_name}-#{platform}.#{lib_ext}"
+      end
+
+      names
+    end
+
+    # Load the most specific library
+    def self.load_libzen
+      libzen_names.each do |libzen_name|
+        libzen_path = File.expand_path(libzen_name, __dir__)
+        begin
+          return ffi_lib(libzen_path)
+        rescue LoadError
+          # empty
+        end
+      end
+      raise LoadError, "Could not load libzen"
+    end
 
     begin
-      ffi_lib File.expand_path(libzen_name, __dir__)
+      load_libzen
 
       # @!method self.detect_sql_injection_native(query, input, dialect)
       # @param (see .detect_sql_injection)
@@ -30,7 +64,7 @@ module Aikido::Zen
       #   calling libzen.
       attach_function :detect_sql_injection_native, :detect_sql_injection,
         [:string, :string, :int], :int
-    rescue LoadError, FFI::NotFoundError => err
+    rescue LoadError, FFI::NotFoundError => err # rubocop:disable Lint/ShadowedException
       # :nocov:
 
       # Emit an $stderr warning at startup.

data/lib/aikido/zen/middleware/rack_throttler.rb

@@ -12,12 +12,12 @@ module Aikido::Zen
         app,
         config: Aikido::Zen.config,
         settings: Aikido::Zen.runtime_settings,
-        rate_limiter: Aikido::Zen::RateLimiter.new
+        detached_agent: Aikido::Zen.detached_agent
       )
         @app = app
         @config = config
         @settings = settings
-        @rate_limiter = rate_limiter
+        @detached_agent = detached_agent
       end
 
       def call(env)
@@ -33,9 +33,15 @@ module Aikido::Zen
       private
 
       def should_throttle?(request)
+        return false unless @settings.endpoints[request.route].rate_limiting.enabled?
         return false if @settings.skip_protection_for_ips.include?(request.ip)
 
-        @rate_limiter.throttle?(request)
+        result = @detached_agent.calculate_rate_limits(request)
+
+        return false unless result
+
+        request.env["aikido.rate_limiting"] = result
+        request.env["aikido.rate_limiting"].throttled?
       end
     end
   end

data/lib/aikido/zen/middleware/request_tracker.rb

@@ -13,14 +13,16 @@ module Aikido::Zen
         request = Aikido::Zen::Middleware.request_from(env)
         response = @app.call(env)
 
-        Aikido::Zen.track_request request
-
-        if Aikido::Zen.config.collect_api_schema? && request.route && track?(
+        if request.route && track?(
           status_code: response[0],
           route: request.route.path,
           http_method: request.request_method
         )
-          Aikido::Zen.track_discovered_route(request)
+          Aikido::Zen.track_request request
+
+          if Aikido::Zen.config.collect_api_schema?
+            Aikido::Zen.track_discovered_route(request)
+          end
         end
 
         response

data/lib/aikido/zen/outbound_connection_monitor.rb

@@ -5,6 +5,10 @@ module Aikido::Zen
   # any Sink that wraps an HTTP library, and lets us keep track of any hosts to
   # which the app communicates over HTTP.
   module OutboundConnectionMonitor
+    def self.skips_on_nil_context?
+      false
+    end
+
     # This simply reports the connection to the Agent, and always returns +nil+
     # as it's not scanning for any particular attack.
     #

data/lib/aikido/zen/rails_engine.rb

@@ -10,7 +10,7 @@ module Aikido::Zen
     end
 
     initializer "aikido.add_middleware" do |app|
-      next if config.zen.disabled?
+      next unless config.zen.protect?
 
       app.middleware.use Aikido::Zen::Middleware::SetContext
       app.middleware.use Aikido::Zen::Middleware::CheckAllowedAddresses
@@ -33,9 +33,9 @@ module Aikido::Zen
     initializer "aikido.configuration" do |app|
       # Allow the logger to be configured before checking if disabled? so we can
       # let the user know that the agent is disabled.
-      app.config.zen.logger = ::Rails.logger.tagged("aikido")
-
-      next if config.zen.disabled?
+      logger = ::Rails.logger
+      logger = ActiveSupport::TaggedLogging.new(logger) unless logger.respond_to?(:tagged)
+      app.config.zen.logger = logger.tagged("aikido")
 
       app.config.zen.request_builder = Aikido::Zen::Context::RAILS_REQUEST_BUILDER
 
@@ -51,16 +51,16 @@ module Aikido::Zen
     end
 
     config.after_initialize do
-      if config.zen.disabled?
-        config.zen.logger.warn("Zen has been disabled and will not run.")
-        next
-      end
+      next unless config.zen.protect?
 
       # Make sure this is run at the end of the initialization process, so
       # that any gems required after aikido-zen are detected and patched
       # accordingly.
       Aikido::Zen.load_sinks!
 
+      # It's important we start after loading sinks, so we can report the installed packages
+      Aikido::Zen.start!
+
       # Agent's bootstrap process has finished —Controllers are patched to block
       # unwanted requests, sinks are loaded, scanners are running—, so we mark
       # the agent as installed.

data/lib/aikido/zen/rate_limiter/breaker.rb

@@ -31,13 +31,13 @@ module Aikido::Zen
       @opened_at = @clock.call
     end
 
-    # @param event [#type] an event which we'll discriminate by type to decide
+    # @param event_type [String] an event type which we'll use to decide
     #   if we should throttle it.
     # @return [Boolean]
-    def throttle?(event)
+    def throttle?(event_type)
       return true if open? && !try_close
 
-      result = @bucket.increment(event.type)
+      result = @bucket.increment(event_type)
       result.throttled?
     end
 

data/lib/aikido/zen/rate_limiter.rb

@@ -24,23 +24,18 @@ module Aikido::Zen
       }
     end
 
-    # Checks whether the request requires rate limiting. As a side effect, this
-    # will annotate the request with the "aikido.rate_limiting" ENV key, holding
-    # the result of the check, and including useful stats in case you want to
-    # return RateLimit headers..
+    # Calculate based on the configuration whether a request will be
+    # rate-limited or not.
     #
     # @param request [Aikido::Zen::Request]
-    # @return [Boolean]
-    #
-    # @see Aikido::Zen::RateLimiter::Result
-    def throttle?(request)
+    # @return [Aikido::Zen::RateLimiter::Result, nil]
+    def calculate_rate_limits(request)
       settings = settings_for(request.route)
-      return false unless settings.enabled?
+      return nil unless settings.enabled?
 
       bucket = @buckets[request.route]
       key = @config.rate_limiting_discriminator.call(request)
-      request.env["aikido.rate_limiting"] = bucket.increment(key)
-      request.env["aikido.rate_limiting"].throttled?
+      bucket.increment(key)
     end
 
     private

data/lib/aikido/zen/request/heuristic_router.rb

@@ -30,6 +30,10 @@ module Aikido::Zen
 
     private def parameterize_segment(segment)
       case segment
+      when ULID
+        ":ulid"
+      when OBJECT_ID
+        ":objectId"
       when NUMBER
         ":number"
       when UUID
@@ -57,6 +61,8 @@ module Aikido::Zen
             | 00000000-0000-0000-0000-000000000000
             | ffffffff-ffff-ffff-ffff-ffffffffffff
             )\z/ix
+    ULID = /\A[0-9A-HJKMNP-TV-Z]{26}\z/i
+    OBJECT_ID = /\A[0-9a-f]{24}\z/i
     EMAIL = /\A
               [a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+
               @

data/lib/aikido/zen/request/rails_router.rb

@@ -58,27 +58,15 @@ module Aikido::Zen
     end
 
     private def build_route(route, request, prefix: request.script_name)
-      Rails::Route.new(route, prefix: prefix, verb: request.request_method)
-    end
-  end
-
-  module Rails
-    class Route < Aikido::Zen::Route
-      attr_reader :verb
+      route_wrapper = ActionDispatch::Routing::RouteWrapper.new(route)
 
-      def initialize(rails_route, verb: rails_route.verb, prefix: nil)
-        @route = ActionDispatch::Routing::RouteWrapper.new(rails_route)
-        @verb = verb
-        @prefix = prefix
+      path = if prefix.present?
+        File.join(prefix.to_s, route_wrapper.path).chomp("/")
+      else
+        route_wrapper.path
       end
 
-      def path
-        if @prefix.present?
-          File.join(@prefix.to_s, @route.path).chomp("/")
-        else
-          @route.path
-        end
-      end
+      Aikido::Zen::Route.new(verb: request.request_method, path: path)
     end
   end
 end

data/lib/aikido/zen/request/schema/auth_schemas.rb

@@ -18,6 +18,20 @@ module Aikido::Zen
         @schemas.map(&:as_json) unless @schemas.empty?
       end
 
+      def self.from_json(schemas_array)
+        return NONE if !schemas_array || schemas_array.empty?
+
+        AuthSchemas.new(schemas_array.map do |schema|
+          if schema[:type] == "http"
+            Authorization.new(schema[:scheme])
+          elsif schema[:type] == "apiKey"
+            ApiKey.new(schema[:in], schema[:name])
+          else
+            raise "Invalid schema type: #{schema[:type]}"
+          end
+        end)
+      end
+
       def ==(other)
         other.is_a?(self.class) && schemas == other.schemas
       end

data/lib/aikido/zen/request/schema.rb

@@ -48,6 +48,24 @@ module Aikido::Zen
       {body: body, query: query_schema.as_json, auth: auth_schema.as_json}.compact
     end
 
+    def self.from_json(data)
+      if data.empty?
+        return Request::Schema.new(
+          content_type: nil,
+          body_schema: EMPTY_SCHEMA,
+          query_schema: EMPTY_SCHEMA,
+          auth_schema: Aikido::Zen::Request::Schema::AuthSchemas.new([])
+        )
+      end
+
+      Request::Schema.new(
+        content_type: data[:body].nil? ? nil : data[:body][:type],
+        body_schema: data[:body].nil? ? EMPTY_SCHEMA : Aikido::Zen::Request::Schema::Definition.new(data[:body][:schema]),
+        query_schema: data[:query].nil? ? EMPTY_SCHEMA : Aikido::Zen::Request::Schema::Definition.new(data[:query]),
+        auth_schema: Aikido::Zen::Request::Schema::AuthSchemas.from_json(data[:auth])
+      )
+    end
+
     # Merges the request specification with another request's specification.
     #
     # @param other [Aikido::Zen::Request::Schema, nil]

data/lib/aikido/zen/runtime_settings.rb

@@ -45,7 +45,7 @@ module Aikido::Zen
     # @param data [Hash] the decoded JSON payload from the /api/runtime/config
     #   API endpoint.
     #
-    # @return [void]
+    # @return [bool]
     def update_from_json(data)
       last_updated_at = updated_at
 
@@ -56,7 +56,7 @@ module Aikido::Zen
       self.skip_protection_for_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
       self.received_any_stats = data["receivedAnyStats"]
 
-      Aikido::Zen.agent.updated_settings! if updated_at != last_updated_at
+      updated_at != last_updated_at
     end
   end
 end

data/lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -5,6 +5,10 @@ require_relative "path_traversal/helpers"
 module Aikido::Zen
   module Scanners
     class PathTraversalScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
       # Checks if the user introduced input is trying to access other path using
       # Path Traversal kind of attacks.
       #
@@ -16,8 +20,6 @@ module Aikido::Zen
       # @return [Aikido::Zen::Attacks::PathTraversalAttack, nil] an Attack if any
       # user input is detected to be attempting a Path Traversal Attack, or +nil+ if not.
       def self.call(filepath:, sink:, context:, operation:)
-        return unless context
-
         context.payloads.each do |payload|
           next unless new(filepath, payload.value).attack?
 

data/lib/aikido/zen/scanners/shell_injection_scanner.rb

@@ -5,14 +5,16 @@ require_relative "shell_injection/helpers"
 module Aikido::Zen
   module Scanners
     class ShellInjectionScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
       # @param command [String]
       # @param sink [Aikido::Zen::Sink]
       # @param context [Aikido::Zen::Context]
       # @param operation [Symbol, String]
       #
       def self.call(command:, sink:, context:, operation:)
-        return unless context
-
         context.payloads.each do |payload|
           next unless new(command, payload.value).attack?
 

data/lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -6,6 +6,10 @@ require_relative "../internals"
 module Aikido::Zen
   module Scanners
     class SQLInjectionScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
       # Checks if the given SQL query may have dangerous user input injected,
       # and returns an Attack if so, based on the current request.
       #
@@ -22,8 +26,6 @@ module Aikido::Zen
       # @raise [Aikido::Zen::InternalsError] if an error occurs when loading or
       #   calling zenlib. See Sink#scan.
       def self.call(query:, dialect:, sink:, context:, operation:)
-        return if context.nil?
-
         dialect = DIALECTS.fetch(dialect) do
           Aikido::Zen.config.logger.warn "Unknown SQL dialect #{dialect.inspect}"
           DIALECTS[:common]

data/lib/aikido/zen/scanners/ssrf/private_ip_checker.rb

@@ -31,35 +31,47 @@ module Aikido::Zen
         # @return [Boolean]
         def private?(hostname_or_address)
           resolve(hostname_or_address).any? do |ip|
-            ip.loopback? || ip.private? || RFC5735.any? { |range| range === ip }
+            PRIVATE_RANGES.any? { |range| range === ip }
           end
         end
 
         private
 
-        RFC5735 = [
-          IPAddr.new("0.0.0.0/8"),
-          IPAddr.new("100.64.0.0/10"),
-          IPAddr.new("127.0.0.0/8"),
-          IPAddr.new("169.254.0.0/16"),
-          IPAddr.new("192.0.0.0/24"),
-          IPAddr.new("192.0.2.0/24"),
-          IPAddr.new("192.31.196.0/24"),
-          IPAddr.new("192.52.193.0/24"),
-          IPAddr.new("192.88.99.0/24"),
-          IPAddr.new("192.175.48.0/24"),
-          IPAddr.new("198.18.0.0/15"),
-          IPAddr.new("198.51.100.0/24"),
-          IPAddr.new("203.0.113.0/24"),
-          IPAddr.new("240.0.0.0/4"),
-          IPAddr.new("224.0.0.0/4"),
-          IPAddr.new("255.255.255.255/32"),
+        # Source: https://github.com/AikidoSec/firewall-node/blob/main/library/vulnerabilities/ssrf/isPrivateIP.ts
+        PRIVATE_IPV4_RANGES = [
+          IPAddr.new("0.0.0.0/8"),         # "This" network (RFC 1122)
+          IPAddr.new("10.0.0.0/8"),        # Private-Use Networks (RFC 1918)
+          IPAddr.new("100.64.0.0/10"),     # Shared Address Space (RFC 6598)
+          IPAddr.new("127.0.0.0/8"),       # Loopback (RFC 1122)
+          IPAddr.new("169.254.0.0/16"),    # Link Local (RFC 3927)
+          IPAddr.new("172.16.0.0/12"),     # Private-Use Networks (RFC 1918)
+          IPAddr.new("192.0.0.0/24"),      # IETF Protocol Assignments (RFC 5736)
+          IPAddr.new("192.0.2.0/24"),      # TEST-NET-1 (RFC 5737)
+          IPAddr.new("192.31.196.0/24"),   # AS112 Redirection Anycast (RFC 7535)
+          IPAddr.new("192.52.193.0/24"),   # Automatic Multicast Tunneling (RFC 7450)
+          IPAddr.new("192.88.99.0/24"),    # 6to4 Relay Anycast (RFC 3068)
+          IPAddr.new("192.168.0.0/16"),    # Private-Use Networks (RFC 1918)
+          IPAddr.new("192.175.48.0/24"),   # AS112 Redirection Anycast (RFC 7535)
+          IPAddr.new("198.18.0.0/15"),     # Network Interconnect Device Benchmark Testing (RFC 2544)
+          IPAddr.new("198.51.100.0/24"),   # TEST-NET-2 (RFC 5737)
+          IPAddr.new("203.0.113.0/24"),    # TEST-NET-3 (RFC 5737)
+          IPAddr.new("224.0.0.0/4"),       # Multicast (RFC 3171)
+          IPAddr.new("240.0.0.0/4"),       # Reserved for Future Use (RFC 1112)
+          IPAddr.new("255.255.255.255/32") # Limited Broadcast (RFC 919)
+        ]
 
-          IPAddr.new("::/128"),              # Unspecified address
-          IPAddr.new("fe80::/10"),           # Link-local address (LLA)
-          IPAddr.new("::ffff:127.0.0.1/128") # IPv4-mapped address
+        PRIVATE_IPV6_RANGES = [
+          IPAddr.new("::/128"),            # Unspecified address (RFC 4291)
+          IPAddr.new("::1/128"),           # Loopback address (RFC 4291)
+          IPAddr.new("fc00::/7"),          # Unique local address (ULA) (RFC 4193
+          IPAddr.new("fe80::/10"),         # Link-local address (LLA) (RFC 4291)
+          IPAddr.new("100::/64"),          # Discard prefix (RFC 6666)
+          IPAddr.new("2001:db8::/32"),     # Documentation prefix (RFC 3849)
+          IPAddr.new("3fff::/20")          # Documentation prefix (RFC 9637)
         ]
 
+        PRIVATE_RANGES = PRIVATE_IPV4_RANGES + PRIVATE_IPV6_RANGES + PRIVATE_IPV4_RANGES.map(&:ipv4_mapped)
+
         def resolved_in_current_context
           context = Aikido::Zen.current_context
           context && context["dns.lookups"]

data/lib/aikido/zen/scanners/ssrf_scanner.rb

@@ -6,6 +6,12 @@ require_relative "ssrf/dns_lookups"
 module Aikido::Zen
   module Scanners
     class SSRFScanner
+      # SSRF attacks can be triggered through external inputs, so it is essential
+      # to have a valid context to safeguard against these attacks.
+      def self.skips_on_nil_context?
+        true
+      end
+
       # Checks if an outbound HTTP request is to a hostname supplied from user
       # input that resolves to a "dangerous" address. This is called from two
       # different places:
@@ -32,7 +38,6 @@ module Aikido::Zen
       # @return [Aikido::Zen::Attacks::SSRFAttack, nil] an Attack if any user
       #   input is detected to be attempting SSRF, or +nil+ if not.
       def self.call(request:, sink:, context:, operation:, **)
-        return if context.nil?
         return if request.nil? # See NOTE above.
 
         context["ssrf.redirects"] ||= RedirectChains.new

data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb

@@ -5,6 +5,12 @@ module Aikido::Zen
     # Inspects the result of DNS lookups, to determine if we're being the target
     # of a stored SSRF targeting IMDS addresses (169.254.169.254).
     class StoredSSRFScanner
+      # Stored-SSRF can occur without external input, so we do not require a
+      # context to determine if an attack is happening.
+      def self.skips_on_nil_context?
+        false
+      end
+
       def self.call(hostname:, addresses:, operation:, sink:, context:, **opts)
         offending_address = new(hostname, addresses).attack?
         return if offending_address.nil?

data/lib/aikido/zen/sink.rb

@@ -80,15 +80,23 @@ module Aikido::Zen
     # @raise [Aikido::UnderAttackError] if an attack is detected and
     #   blocking_mode is enabled.
     def scan(context: Aikido::Zen.current_context, **scan_params)
+      return if context&.scanning
+      context&.scanning = true
+
       return if context&.protection_disabled?
 
       scan = Scan.new(sink: self, context: context)
 
+      scans_performed = 0
       scan.perform do
         result = nil
 
         scanners.each do |scanner|
+          next if scanner.skips_on_nil_context? && context.nil?
+
           result = scanner.call(sink: self, context: context, **scan_params)
+          scans_performed += 1
+
           break result if result
         rescue Aikido::Zen::InternalsError => error
           Aikido::Zen.config.logger.warn(error.message)
@@ -100,9 +108,11 @@ module Aikido::Zen
         result
       end
 
-      @reporter.call(scan)
+      @reporter.call(scan) if scans_performed > 0
 
       scan
+    ensure
+      context&.scanning = false
     end
   end
 end