RubyGems - aikido-zen - Versions diffs - 1.0.1.beta.2-arm64-linux-musl - Mend

aikido-zen 1.0.1.beta.2-arm64-linux-musl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (115) hide show

checksums.yaml +7 -0
data/.aikido +6 -0
data/.ruby-version +1 -0
data/.simplecov +26 -0
data/.standard.yml +3 -0
data/LICENSE +674 -0
data/README.md +146 -0
data/Rakefile +67 -0
data/benchmarks/README.md +23 -0
data/benchmarks/rails7.1_sql_injection.js +70 -0
data/docs/banner.svg +202 -0
data/docs/config.md +125 -0
data/docs/rails.md +70 -0
data/lib/aikido/zen/actor.rb +116 -0
data/lib/aikido/zen/agent/heartbeats_manager.rb +66 -0
data/lib/aikido/zen/agent.rb +179 -0
data/lib/aikido/zen/api_client.rb +142 -0
data/lib/aikido/zen/attack.rb +207 -0
data/lib/aikido/zen/background_worker.rb +52 -0
data/lib/aikido/zen/capped_collections.rb +68 -0
data/lib/aikido/zen/collector/hosts.rb +15 -0
data/lib/aikido/zen/collector/routes.rb +66 -0
data/lib/aikido/zen/collector/sink_stats.rb +95 -0
data/lib/aikido/zen/collector/stats.rb +111 -0
data/lib/aikido/zen/collector/users.rb +30 -0
data/lib/aikido/zen/collector.rb +144 -0
data/lib/aikido/zen/config.rb +279 -0
data/lib/aikido/zen/context/rack_request.rb +24 -0
data/lib/aikido/zen/context/rails_request.rb +42 -0
data/lib/aikido/zen/context.rb +112 -0
data/lib/aikido/zen/detached_agent/agent.rb +78 -0
data/lib/aikido/zen/detached_agent/front_object.rb +37 -0
data/lib/aikido/zen/detached_agent/server.rb +41 -0
data/lib/aikido/zen/detached_agent.rb +2 -0
data/lib/aikido/zen/errors.rb +107 -0
data/lib/aikido/zen/event.rb +71 -0
data/lib/aikido/zen/internals.rb +102 -0
data/lib/aikido/zen/libzen-v0.1.39-arm64-linux-musl.so +0 -0
data/lib/aikido/zen/middleware/check_allowed_addresses.rb +26 -0
data/lib/aikido/zen/middleware/middleware.rb +11 -0
data/lib/aikido/zen/middleware/rack_throttler.rb +48 -0
data/lib/aikido/zen/middleware/request_tracker.rb +192 -0
data/lib/aikido/zen/middleware/set_context.rb +26 -0
data/lib/aikido/zen/outbound_connection.rb +45 -0
data/lib/aikido/zen/outbound_connection_monitor.rb +23 -0
data/lib/aikido/zen/package.rb +22 -0
data/lib/aikido/zen/payload.rb +50 -0
data/lib/aikido/zen/rails_engine.rb +70 -0
data/lib/aikido/zen/rate_limiter/breaker.rb +61 -0
data/lib/aikido/zen/rate_limiter/bucket.rb +76 -0
data/lib/aikido/zen/rate_limiter/result.rb +31 -0
data/lib/aikido/zen/rate_limiter.rb +50 -0
data/lib/aikido/zen/request/heuristic_router.rb +115 -0
data/lib/aikido/zen/request/rails_router.rb +72 -0
data/lib/aikido/zen/request/schema/auth_discovery.rb +86 -0
data/lib/aikido/zen/request/schema/auth_schemas.rb +54 -0
data/lib/aikido/zen/request/schema/builder.rb +121 -0
data/lib/aikido/zen/request/schema/definition.rb +107 -0
data/lib/aikido/zen/request/schema/empty_schema.rb +28 -0
data/lib/aikido/zen/request/schema.rb +87 -0
data/lib/aikido/zen/request.rb +103 -0
data/lib/aikido/zen/route.rb +39 -0
data/lib/aikido/zen/runtime_settings/endpoints.rb +49 -0
data/lib/aikido/zen/runtime_settings/ip_set.rb +36 -0
data/lib/aikido/zen/runtime_settings/protection_settings.rb +62 -0
data/lib/aikido/zen/runtime_settings/rate_limit_settings.rb +47 -0
data/lib/aikido/zen/runtime_settings.rb +65 -0
data/lib/aikido/zen/scan.rb +75 -0
data/lib/aikido/zen/scanners/path_traversal/helpers.rb +65 -0
data/lib/aikido/zen/scanners/path_traversal_scanner.rb +63 -0
data/lib/aikido/zen/scanners/shell_injection/helpers.rb +159 -0
data/lib/aikido/zen/scanners/shell_injection_scanner.rb +64 -0
data/lib/aikido/zen/scanners/sql_injection_scanner.rb +93 -0
data/lib/aikido/zen/scanners/ssrf/dns_lookups.rb +27 -0
data/lib/aikido/zen/scanners/ssrf/private_ip_checker.rb +97 -0
data/lib/aikido/zen/scanners/ssrf_scanner.rb +265 -0
data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb +49 -0
data/lib/aikido/zen/scanners.rb +7 -0
data/lib/aikido/zen/sink.rb +118 -0
data/lib/aikido/zen/sinks/action_controller.rb +83 -0
data/lib/aikido/zen/sinks/async_http.rb +82 -0
data/lib/aikido/zen/sinks/curb.rb +115 -0
data/lib/aikido/zen/sinks/em_http.rb +85 -0
data/lib/aikido/zen/sinks/excon.rb +121 -0
data/lib/aikido/zen/sinks/file.rb +116 -0
data/lib/aikido/zen/sinks/http.rb +95 -0
data/lib/aikido/zen/sinks/httpclient.rb +97 -0
data/lib/aikido/zen/sinks/httpx.rb +80 -0
data/lib/aikido/zen/sinks/kernel.rb +34 -0
data/lib/aikido/zen/sinks/mysql2.rb +33 -0
data/lib/aikido/zen/sinks/net_http.rb +103 -0
data/lib/aikido/zen/sinks/patron.rb +105 -0
data/lib/aikido/zen/sinks/pg.rb +74 -0
data/lib/aikido/zen/sinks/resolv.rb +62 -0
data/lib/aikido/zen/sinks/socket.rb +80 -0
data/lib/aikido/zen/sinks/sqlite3.rb +49 -0
data/lib/aikido/zen/sinks/trilogy.rb +33 -0
data/lib/aikido/zen/sinks/typhoeus.rb +78 -0
data/lib/aikido/zen/sinks.rb +39 -0
data/lib/aikido/zen/sinks_dsl.rb +226 -0
data/lib/aikido/zen/synchronizable.rb +24 -0
data/lib/aikido/zen/system_info.rb +84 -0
data/lib/aikido/zen/version.rb +10 -0
data/lib/aikido/zen/worker.rb +87 -0
data/lib/aikido/zen.rb +206 -0
data/lib/aikido-zen.rb +3 -0
data/placeholder/.gitignore +4 -0
data/placeholder/README.md +11 -0
data/placeholder/Rakefile +75 -0
data/placeholder/lib/placeholder.rb.template +3 -0
data/placeholder/placeholder.gemspec.template +20 -0
data/tasklib/bench.rake +94 -0
data/tasklib/libzen.rake +132 -0
data/tasklib/wrk.rb +88 -0
metadata +204 -0

data/lib/aikido/zen/sinks/async_http.rb ADDED Viewed

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module Async
+      module HTTP
+        def self.load_sinks!
+          if Gem.loaded_specs["async-http"]
+            require "async/http"
+            ::Async::HTTP::Client.prepend(Async::HTTP::ClientExtensions)
+          end
+        end
+        SINK = Sinks.add("async-http", scanners: [
+          Scanners::SSRFScanner,
+          OutboundConnectionMonitor
+        ])
+        module Helpers
+          def self.scan(request, connection, operation)
+            SINK.scan(
+              request: request,
+              connection: connection,
+              operation: operation
+            )
+          end
+        end
+        module ClientExtensions
+          extend Sinks::DSL
+          sink_around :call do |super_call, request|
+            uri = URI(format("%<scheme>s://%<authority>s%<path>s", {
+              scheme: request.scheme || scheme,
+              authority: request.authority || authority,
+              path: request.path
+            }))
+            wrapped_request = Scanners::SSRFScanner::Request.new(
+              verb: request.method,
+              uri: uri,
+              headers: request.headers.to_h,
+              header_normalizer: ->(value) { Array(value).join(", ") }
+            )
+            # Store the request information so the DNS sinks can pick it up.
+            context = Aikido::Zen.current_context
+            if context
+              prev_request = context["ssrf.request"]
+              context["ssrf.request"] = wrapped_request
+            end
+            connection = OutboundConnection.from_uri(uri)
+            Helpers.scan(wrapped_request, connection, "request")
+            response = super_call.call
+            Scanners::SSRFScanner.track_redirects(
+              request: wrapped_request,
+              response: Scanners::SSRFScanner::Response.new(
+                status: response.status,
+                headers: response.headers.to_h,
+                header_normalizer: ->(value) { Array(value).join(", ") }
+              )
+            )
+            response
+          ensure
+            context["ssrf.request"] = prev_request if context
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Async::HTTP.load_sinks!

data/lib/aikido/zen/sinks/curb.rb ADDED Viewed

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module Curl
+      def self.load_sinks!
+        if Gem.loaded_specs["curb"]
+          require "curb"
+          ::Curl::Easy.prepend(Curl::EasyExtensions)
+        end
+      end
+      SINK = Sinks.add("curb", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+      module Helpers
+        def self.wrap_request(curl, url: curl.url)
+          Scanners::SSRFScanner::Request.new(
+            verb: nil, # Curb hides this by directly setting an option in C
+            uri: URI(url),
+            headers: curl.headers
+          )
+        end
+        def self.wrap_response(curl)
+          # Curb made an… interesting choice by not parsing the response headers
+          # and forcing users to do this manually if they need to look at them.
+          _, *headers = curl.header_str.split(/[\r\n]+/).map(&:strip)
+          headers = headers.flat_map { |str| str.scan(/\A(\S+): (.+)\z/) }.to_h
+          if curl.url != curl.last_effective_url
+            status = 302 # We can't know what the original status was, but we just need a 3XX
+            headers["Location"] = curl.last_effective_url
+          else
+            status = curl.status.to_i
+          end
+          Scanners::SSRFScanner::Response.new(status: status, headers: headers)
+        end
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+      module EasyExtensions
+        extend Sinks::DSL
+        sink_around :perform do |super_call|
+          wrapped_request = Helpers.wrap_request(self)
+          # Store the request information so the DNS sinks can pick it up.
+          context = Aikido::Zen.current_context
+          if context
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = wrapped_request
+          end
+          connection = OutboundConnection.from_uri(URI(url))
+          Helpers.scan(wrapped_request, connection, "request")
+          response = super_call.call
+          Scanners::SSRFScanner.track_redirects(
+            request: wrapped_request,
+            response: Helpers.wrap_response(self)
+          )
+          # When libcurl has follow_location set, it will handle redirections
+          # internally, and expose the "last_effective_url" as the URI that was
+          # last requested in the redirect chain.
+          #
+          # In this case, we can't actually stop the request from happening, but
+          # we can scan again (now that we know another request happened), to
+          # stop the response from being exposed to the user. This downgrades
+          # the SSRF into a blind SSRF, which is better than doing nothing.
+          if url != last_effective_url
+            last_effective_request = Helpers.wrap_request(self, url: last_effective_url)
+            # Code coverage is disabled here because the else clause is a no-op,
+            # so there is nothing to cover.
+            # :nocov:
+            if context
+              context["ssrf.request"] = last_effective_request
+            else
+              # empty
+            end
+            # :nocov:
+            connection = OutboundConnection.from_uri(URI(last_effective_url))
+            Helpers.scan(last_effective_request, connection, "request")
+          end
+          response
+        ensure
+          context["ssrf.request"] = prev_request if context
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Curl.load_sinks!

data/lib/aikido/zen/sinks/em_http.rb ADDED Viewed

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module EventMachine
+      module HttpRequest
+        def self.load_sinks!
+          if Gem.loaded_specs["em-http-request"]
+            require "em-http-request"
+            ::EventMachine::HttpRequest.use(EventMachine::HttpRequest::Middleware)
+            # NOTE: We can't use middleware to intercept requests as we want to ensure any
+            # modifications to the request from user-supplied middleware are already applied
+            # before we scan the request.
+            ::EventMachine::HttpClient.prepend(EventMachine::HttpRequest::HttpClientExtensions)
+          end
+        end
+        SINK = Sinks.add("em-http-request", scanners: [
+          Scanners::SSRFScanner,
+          OutboundConnectionMonitor
+        ])
+        module Helpers
+          def self.scan(request, connection, operation)
+            SINK.scan(
+              request: request,
+              connection: connection,
+              operation: operation
+            )
+          end
+        end
+        module HttpClientExtensions
+          extend Sinks::DSL
+          sink_before :send_request do
+            wrapped_request = Scanners::SSRFScanner::Request.new(
+              verb: req.method.to_s,
+              uri: URI(req.uri),
+              headers: req.headers
+            )
+            # Store the request information so the DNS sinks can pick it up.
+            context = Aikido::Zen.current_context
+            context["ssrf.request"] = wrapped_request if context
+            connection = OutboundConnection.new(
+              host: req.host,
+              port: req.port
+            )
+            Helpers.scan(wrapped_request, connection, "request")
+          end
+        end
+        class Middleware
+          def response(client)
+            # Store the request information so the DNS sinks can pick it up.
+            context = Aikido::Zen.current_context
+            context["ssrf.request"] = nil if context
+            Scanners::SSRFScanner.track_redirects(
+              request: Scanners::SSRFScanner::Request.new(
+                verb: client.req.method,
+                uri: URI(client.req.uri),
+                headers: client.req.headers
+              ),
+              response: Scanners::SSRFScanner::Response.new(
+                status: client.response_header.status,
+                headers: client.response_header.to_h
+              )
+            )
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::EventMachine::HttpRequest.load_sinks!

data/lib/aikido/zen/sinks/excon.rb ADDED Viewed

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module Excon
+      def self.load_sinks!
+        if Gem.loaded_specs["excon"]
+          require "excon"
+          ::Excon::Connection.prepend(ConnectionExtensions)
+          ::Excon::Middleware::RedirectFollower.prepend(RedirectFollowerExtensions)
+        end
+      end
+      SINK = Sinks.add("excon", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+      module Helpers
+        def self.build_request(connection, request)
+          uri = URI(format("%<scheme>s://%<host>s:%<port>i%<path>s", {
+            scheme: request.fetch(:scheme) { connection[:scheme] },
+            host: request.fetch(:hostname) { connection[:hostname] },
+            port: request.fetch(:port) { connection[:port] },
+            path: request.fetch(:path) { connection[:path] }
+          }))
+          uri.query = request.fetch(:query) { connection[:query] }
+          Scanners::SSRFScanner::Request.new(
+            verb: request.fetch(:method) { connection[:method] },
+            uri: uri,
+            headers: connection[:headers].to_h.merge(request[:headers].to_h)
+          )
+        end
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+      module ConnectionExtensions
+        extend Sinks::DSL
+        sink_around :request do |super_call, params = {}|
+          request = Helpers.build_request(@data, params)
+          # Store the request information so the DNS sinks can pick it up.
+          context = Aikido::Zen.current_context
+          if context
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = request
+          end
+          connection = OutboundConnection.from_uri(request.uri)
+          Helpers.scan(request, connection, "request")
+          response = super_call.call
+          Scanners::SSRFScanner.track_redirects(
+            request: request,
+            response: Scanners::SSRFScanner::Response.new(
+              status: response.status,
+              headers: response.headers.to_h
+            )
+          )
+          response
+        rescue Sinks::DSL::PresafeError => err
+          outer_cause = err.cause
+          case outer_cause
+          when ::Excon::Error::Socket
+            inner_cause = outer_cause.cause
+            # Excon wraps errors inside the lower level layer. This only happens
+            # to our scanning exceptions when a request is using RedirectFollower,
+            # so we unwrap them when it happens so host apps can handle errors
+            # consistently.
+            raise inner_cause if inner_cause.is_a?(Aikido::Zen::UnderAttackError)
+          end
+          raise
+        ensure
+          context["ssrf.request"] = prev_request if context
+        end
+      end
+      module RedirectFollowerExtensions
+        extend Sinks::DSL
+        sink_before :response_call do |datum|
+          response = datum[:response]
+          # Code coverage is disabled here because the else clause is a no-op,
+          # so there is nothing to cover.
+          # :nocov:
+          if !response.nil?
+            Scanners::SSRFScanner.track_redirects(
+              request: Helpers.build_request(datum, {}),
+              response: Scanners::SSRFScanner::Response.new(
+                status: response[:status],
+                headers: response[:headers]
+              )
+            )
+          else
+            # empty
+          end
+          # :nocov:
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Excon.load_sinks!

data/lib/aikido/zen/sinks/file.rb ADDED Viewed

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module Sinks
+    module File
+      def self.load_sinks!
+        # Create a copy of the original method for internal use only to prevent
+        # recursion in PathTraversalScanner.
+        #
+        # IMPORTANT: The alias must be created before the method is overridden,
+        # when the extensions are prepended.
+        ::File.singleton_class.alias_method(:expand_path__internal_for_aikido_zen, :expand_path)
+        ::File.singleton_class.prepend(FileClassExtensions)
+        ::File.prepend(FileExtensions)
+      end
+      SINK = Sinks.add("File", scanners: [Scanners::PathTraversalScanner])
+      module Helpers
+        def self.scan(filepath, operation)
+          SINK.scan(
+            filepath: filepath,
+            operation: operation
+          )
+        end
+      end
+      module FileClassExtensions
+        extend Sinks::DSL
+        sink_before :open do |path|
+          Helpers.scan(path, "open")
+        end
+        sink_before :read do |path|
+          Helpers.scan(path, "read")
+        end
+        sink_before :write do |path|
+          Helpers.scan(path, "write")
+        end
+        sink_before :truncate do |file_name|
+          Helpers.scan(file_name, "truncate")
+        end
+        sink_before :rename do |old_name, new_name|
+          Helpers.scan(old_name, "rename")
+          Helpers.scan(new_name, "rename")
+        end
+        sink_before :unlink do |*file_names|
+          file_names.each do |file_name|
+            Helpers.scan(file_name, "unlink")
+          end
+        end
+        sink_before :delete do |*file_names|
+          file_names.each do |file_name|
+            Helpers.scan(file_name, "delete")
+          end
+        end
+        sink_before :symlink do |old_name, new_name|
+          Helpers.scan(old_name, "symlink")
+          Helpers.scan(new_name, "symlink")
+        end
+        sink_before :chmod do |_mode_int, *file_names|
+          file_names.each do |file_name|
+            Helpers.scan(file_name, "chmod")
+          end
+        end
+        sink_before :chown do |_owner_int, group_int, *file_names|
+          file_names.each do |file_name|
+            Helpers.scan(file_name, "chown")
+          end
+        end
+        sink_before :utime do |_atime, _mtime, *file_names|
+          file_names.each do |file_name|
+            Helpers.scan(file_name, "utime")
+          end
+        end
+        sink_after :join do |result|
+          Helpers.scan(result, "join")
+        end
+        sink_before :expand_path do |file_name|
+          Helpers.scan(file_name, "expand_path")
+        end
+        sink_before :realpath do |file_name|
+          Helpers.scan(file_name, "realpath")
+        end
+        sink_before :realdirpath do |file_name|
+          Helpers.scan(file_name, "realdirpath")
+        end
+      end
+      module FileExtensions
+        extend Sinks::DSL
+        sink_before :initialize do |path|
+          Helpers.scan(path, "new")
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::File.load_sinks!

data/lib/aikido/zen/sinks/http.rb ADDED Viewed

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module HTTP
+      def self.load_sinks!
+        if Gem.loaded_specs["http"]
+          require "http"
+          ::HTTP::Client.prepend(ClientExtensions)
+        end
+      end
+      SINK = Sinks.add("http", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+      module Helpers
+        # Maps an HTTP Request to an Aikido OutboundConnection.
+        #
+        # @param req [HTTP::Request]
+        # @return [Aikido::Zen::OutboundConnection]
+        def self.build_outbound(req)
+          OutboundConnection.new(
+            host: req.socket_host,
+            port: req.socket_port
+          )
+        end
+        # Wraps the HTTP request with an API we can depend on.
+        #
+        # @param req [HTTP::Request]
+        # @return [Aikido::Zen::Scanners::SSRFScanner::Request]
+        def self.wrap_request(req)
+          Scanners::SSRFScanner::Request.new(
+            verb: req.verb,
+            uri: URI(req.uri.to_s),
+            headers: req.headers.to_h
+          )
+        end
+        def self.wrap_response(resp)
+          Scanners::SSRFScanner::Response.new(
+            status: resp.status,
+            headers: resp.headers.to_h
+          )
+        end
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+      module ClientExtensions
+        extend Sinks::DSL
+        sink_around :perform do |super_call, req|
+          wrapped_request = Helpers.wrap_request(req)
+          # Store the request information so the DNS sinks can pick it up.
+          context = Aikido::Zen.current_context
+          if context
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = wrapped_request
+          end
+          connection = Helpers.build_outbound(req)
+          Helpers.scan(wrapped_request, connection, "request")
+          response = super_call.call
+          Scanners::SSRFScanner.track_redirects(
+            request: wrapped_request,
+            response: Helpers.wrap_response(response)
+          )
+          response
+        ensure
+          context["ssrf.request"] = prev_request if context
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::HTTP.load_sinks!

data/lib/aikido/zen/sinks/httpclient.rb ADDED Viewed

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module HTTPClient
+      def self.load_sinks!
+        if Gem.loaded_specs["httpclient"]
+          require "httpclient"
+          ::HTTPClient.prepend(HTTPClient::HTTPClientExtensions)
+        end
+      end
+      SINK = Sinks.add("httpclient", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+      module Helpers
+        def self.wrap_request(req)
+          Scanners::SSRFScanner::Request.new(
+            verb: req.http_header.request_method,
+            uri: req.http_header.request_uri,
+            headers: req.headers
+          )
+        end
+        def self.wrap_response(resp)
+          # Code coverage is disabled here because `do_get_header` is not called,
+          # because WebMock does not mock it.
+          # :nocov:
+          Scanners::SSRFScanner::Response.new(
+            status: resp.http_header.status_code,
+            headers: resp.headers
+          )
+          # :nocov:
+        end
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+        def self.sink(req, &block)
+          wrapped_request = wrap_request(req)
+          connection = OutboundConnection.from_uri(req.http_header.request_uri)
+          # Store the request information so the DNS sinks can pick it up.
+          context = Aikido::Zen.current_context
+          if context
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = wrapped_request
+          end
+          scan(wrapped_request, connection, "request")
+          yield
+        ensure
+          context["ssrf.request"] = prev_request if context
+        end
+      end
+      module HTTPClientExtensions
+        extend Sinks::DSL
+        private
+        sink_around :do_get_block do |super_call, req|
+          Helpers.sink(req, &super_call)
+        end
+        sink_around :do_get_stream do |super_call, req|
+          Helpers.sink(req, &super_call)
+        end
+        sink_after :do_get_header do |_result, req, res, _sess|
+          # Code coverage is disabled here because `do_get_header` is not called,
+          # because WebMock does not mock it.
+          # :nocov:
+          Scanners::SSRFScanner.track_redirects(
+            request: Helpers.wrap_request(req),
+            response: Helpers.wrap_response(res)
+          )
+          # :nocov:
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::HTTPClient.load_sinks!