RubyGems - aikido-zen - Versions diffs - 1.0.1.beta.2-arm64-linux-musl - Mend

aikido-zen 1.0.1.beta.2-arm64-linux-musl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (115) hide show

checksums.yaml +7 -0
data/.aikido +6 -0
data/.ruby-version +1 -0
data/.simplecov +26 -0
data/.standard.yml +3 -0
data/LICENSE +674 -0
data/README.md +146 -0
data/Rakefile +67 -0
data/benchmarks/README.md +23 -0
data/benchmarks/rails7.1_sql_injection.js +70 -0
data/docs/banner.svg +202 -0
data/docs/config.md +125 -0
data/docs/rails.md +70 -0
data/lib/aikido/zen/actor.rb +116 -0
data/lib/aikido/zen/agent/heartbeats_manager.rb +66 -0
data/lib/aikido/zen/agent.rb +179 -0
data/lib/aikido/zen/api_client.rb +142 -0
data/lib/aikido/zen/attack.rb +207 -0
data/lib/aikido/zen/background_worker.rb +52 -0
data/lib/aikido/zen/capped_collections.rb +68 -0
data/lib/aikido/zen/collector/hosts.rb +15 -0
data/lib/aikido/zen/collector/routes.rb +66 -0
data/lib/aikido/zen/collector/sink_stats.rb +95 -0
data/lib/aikido/zen/collector/stats.rb +111 -0
data/lib/aikido/zen/collector/users.rb +30 -0
data/lib/aikido/zen/collector.rb +144 -0
data/lib/aikido/zen/config.rb +279 -0
data/lib/aikido/zen/context/rack_request.rb +24 -0
data/lib/aikido/zen/context/rails_request.rb +42 -0
data/lib/aikido/zen/context.rb +112 -0
data/lib/aikido/zen/detached_agent/agent.rb +78 -0
data/lib/aikido/zen/detached_agent/front_object.rb +37 -0
data/lib/aikido/zen/detached_agent/server.rb +41 -0
data/lib/aikido/zen/detached_agent.rb +2 -0
data/lib/aikido/zen/errors.rb +107 -0
data/lib/aikido/zen/event.rb +71 -0
data/lib/aikido/zen/internals.rb +102 -0
data/lib/aikido/zen/libzen-v0.1.39-arm64-linux-musl.so +0 -0
data/lib/aikido/zen/middleware/check_allowed_addresses.rb +26 -0
data/lib/aikido/zen/middleware/middleware.rb +11 -0
data/lib/aikido/zen/middleware/rack_throttler.rb +48 -0
data/lib/aikido/zen/middleware/request_tracker.rb +192 -0
data/lib/aikido/zen/middleware/set_context.rb +26 -0
data/lib/aikido/zen/outbound_connection.rb +45 -0
data/lib/aikido/zen/outbound_connection_monitor.rb +23 -0
data/lib/aikido/zen/package.rb +22 -0
data/lib/aikido/zen/payload.rb +50 -0
data/lib/aikido/zen/rails_engine.rb +70 -0
data/lib/aikido/zen/rate_limiter/breaker.rb +61 -0
data/lib/aikido/zen/rate_limiter/bucket.rb +76 -0
data/lib/aikido/zen/rate_limiter/result.rb +31 -0
data/lib/aikido/zen/rate_limiter.rb +50 -0
data/lib/aikido/zen/request/heuristic_router.rb +115 -0
data/lib/aikido/zen/request/rails_router.rb +72 -0
data/lib/aikido/zen/request/schema/auth_discovery.rb +86 -0
data/lib/aikido/zen/request/schema/auth_schemas.rb +54 -0
data/lib/aikido/zen/request/schema/builder.rb +121 -0
data/lib/aikido/zen/request/schema/definition.rb +107 -0
data/lib/aikido/zen/request/schema/empty_schema.rb +28 -0
data/lib/aikido/zen/request/schema.rb +87 -0
data/lib/aikido/zen/request.rb +103 -0
data/lib/aikido/zen/route.rb +39 -0
data/lib/aikido/zen/runtime_settings/endpoints.rb +49 -0
data/lib/aikido/zen/runtime_settings/ip_set.rb +36 -0
data/lib/aikido/zen/runtime_settings/protection_settings.rb +62 -0
data/lib/aikido/zen/runtime_settings/rate_limit_settings.rb +47 -0
data/lib/aikido/zen/runtime_settings.rb +65 -0
data/lib/aikido/zen/scan.rb +75 -0
data/lib/aikido/zen/scanners/path_traversal/helpers.rb +65 -0
data/lib/aikido/zen/scanners/path_traversal_scanner.rb +63 -0
data/lib/aikido/zen/scanners/shell_injection/helpers.rb +159 -0
data/lib/aikido/zen/scanners/shell_injection_scanner.rb +64 -0
data/lib/aikido/zen/scanners/sql_injection_scanner.rb +93 -0
data/lib/aikido/zen/scanners/ssrf/dns_lookups.rb +27 -0
data/lib/aikido/zen/scanners/ssrf/private_ip_checker.rb +97 -0
data/lib/aikido/zen/scanners/ssrf_scanner.rb +265 -0
data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb +49 -0
data/lib/aikido/zen/scanners.rb +7 -0
data/lib/aikido/zen/sink.rb +118 -0
data/lib/aikido/zen/sinks/action_controller.rb +83 -0
data/lib/aikido/zen/sinks/async_http.rb +82 -0
data/lib/aikido/zen/sinks/curb.rb +115 -0
data/lib/aikido/zen/sinks/em_http.rb +85 -0
data/lib/aikido/zen/sinks/excon.rb +121 -0
data/lib/aikido/zen/sinks/file.rb +116 -0
data/lib/aikido/zen/sinks/http.rb +95 -0
data/lib/aikido/zen/sinks/httpclient.rb +97 -0
data/lib/aikido/zen/sinks/httpx.rb +80 -0
data/lib/aikido/zen/sinks/kernel.rb +34 -0
data/lib/aikido/zen/sinks/mysql2.rb +33 -0
data/lib/aikido/zen/sinks/net_http.rb +103 -0
data/lib/aikido/zen/sinks/patron.rb +105 -0
data/lib/aikido/zen/sinks/pg.rb +74 -0
data/lib/aikido/zen/sinks/resolv.rb +62 -0
data/lib/aikido/zen/sinks/socket.rb +80 -0
data/lib/aikido/zen/sinks/sqlite3.rb +49 -0
data/lib/aikido/zen/sinks/trilogy.rb +33 -0
data/lib/aikido/zen/sinks/typhoeus.rb +78 -0
data/lib/aikido/zen/sinks.rb +39 -0
data/lib/aikido/zen/sinks_dsl.rb +226 -0
data/lib/aikido/zen/synchronizable.rb +24 -0
data/lib/aikido/zen/system_info.rb +84 -0
data/lib/aikido/zen/version.rb +10 -0
data/lib/aikido/zen/worker.rb +87 -0
data/lib/aikido/zen.rb +206 -0
data/lib/aikido-zen.rb +3 -0
data/placeholder/.gitignore +4 -0
data/placeholder/README.md +11 -0
data/placeholder/Rakefile +75 -0
data/placeholder/lib/placeholder.rb.template +3 -0
data/placeholder/placeholder.gemspec.template +20 -0
data/tasklib/bench.rake +94 -0
data/tasklib/libzen.rake +132 -0
data/tasklib/wrk.rb +88 -0
metadata +204 -0

data/lib/aikido/zen/sinks/httpx.rb ADDED Viewed

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module HTTPX
+      def self.load_sinks!
+        if Gem.loaded_specs["httpx"]
+          require "httpx"
+          ::HTTPX::Session.prepend(HTTPX::SessionExtensions)
+        end
+      end
+      SINK = Sinks.add("httpx", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+      module Helpers
+        def self.wrap_request(request)
+          Scanners::SSRFScanner::Request.new(
+            verb: request.verb,
+            uri: request.uri,
+            headers: request.headers.to_hash
+          )
+        end
+        def self.wrap_response(response)
+          Scanners::SSRFScanner::Response.new(
+            status: response.status,
+            headers: response.headers.to_hash
+          )
+        end
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+      module SessionExtensions
+        extend Sinks::DSL
+        sink_around :send_request do |super_call, request|
+          wrapped_request = Helpers.wrap_request(request)
+          # Store the request information so the DNS sinks can pick it up.
+          context = Aikido::Zen.current_context
+          if context
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = wrapped_request
+          end
+          connection = OutboundConnection.from_uri(request.uri)
+          Helpers.scan(wrapped_request, connection, "request")
+          request.on(:response) do |response|
+            Scanners::SSRFScanner.track_redirects(
+              request: wrapped_request,
+              response: Helpers.wrap_response(response)
+            )
+          end
+          super_call.call
+        ensure
+          context["ssrf.request"] = prev_request if context
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::HTTPX.load_sinks!

data/lib/aikido/zen/sinks/kernel.rb ADDED Viewed

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module Sinks
+    module Kernel
+      def self.load_sinks!
+        ::Kernel.singleton_class.prepend(KernelExtensions)
+        ::Kernel.prepend(KernelExtensions)
+      end
+      SINK = Sinks.add("Kernel", scanners: [Scanners::ShellInjectionScanner])
+      module Helpers
+        def self.scan(command, operation)
+          SINK.scan(command: command, operation: operation)
+        end
+      end
+      module KernelExtensions
+        extend Sinks::DSL
+        %i[system spawn].each do |method_name|
+          sink_before method_name do |*args|
+            # Remove the optional environment argument before the command-line.
+            args.shift if args.first.is_a?(Hash)
+            Helpers.scan(args.first, method_name)
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Kernel.load_sinks!

data/lib/aikido/zen/sinks/mysql2.rb ADDED Viewed

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module Sinks
+    module Mysql2
+      def self.load_sinks!
+        if Gem.loaded_specs["mysql2"]
+          require "mysql2"
+          ::Mysql2::Client.prepend(ClientExtensions)
+        end
+      end
+      SINK = Sinks.add("mysql2", scanners: [Scanners::SQLInjectionScanner])
+      module Helpers
+        def self.scan(query, operation)
+          SINK.scan(query: query, dialect: :mysql, operation: operation)
+        end
+      end
+      module ClientExtensions
+        extend Sinks::DSL
+        sink_before :query do |sql|
+          Helpers.scan(sql, "query")
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Mysql2.load_sinks!

data/lib/aikido/zen/sinks/net_http.rb ADDED Viewed

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module Net
+      module HTTP
+        def self.load_sinks!
+          # In stdlib but not always required
+          require "net/http"
+          ::Net::HTTP.prepend(Net::HTTP::HTTPExtensions)
+        end
+        SINK = Sinks.add("net-http", scanners: [
+          Scanners::SSRFScanner,
+          OutboundConnectionMonitor
+        ])
+        module Helpers
+          # Maps a Net::HTTP connection to an Aikido OutboundConnection,
+          # which our tooling expects.
+          #
+          # @param http [Net::HTTP]
+          # @return [Aikido::Zen::OutboundConnection]
+          def self.build_outbound(http)
+            OutboundConnection.new(
+              host: http.address,
+              port: http.port
+            )
+          end
+          def self.wrap_request(req, session)
+            uri = req.uri if req.uri.is_a?(URI)
+            uri ||= URI(format("%<scheme>s://%<hostname>s:%<port>s%<path>s", {
+              scheme: session.use_ssl? ? "https" : "http",
+              hostname: session.address,
+              port: session.port,
+              path: req.path
+            }))
+            Scanners::SSRFScanner::Request.new(
+              verb: req.method,
+              uri: uri,
+              headers: req.to_hash,
+              header_normalizer: ->(val) { Array(val).join(", ") }
+            )
+          end
+          def self.wrap_response(response)
+            Scanners::SSRFScanner::Response.new(
+              status: response.code.to_i,
+              headers: response.to_hash,
+              header_normalizer: ->(val) { Array(val).join(", ") }
+            )
+          end
+          def self.scan(request, connection, operation)
+            SINK.scan(
+              request: request,
+              connection: connection,
+              operation: operation
+            )
+          end
+        end
+        module HTTPExtensions
+          extend Sinks::DSL
+          sink_around :request do |super_call, req|
+            wrapped_request = Helpers.wrap_request(req, self)
+            # Store the request information so the DNS sinks can pick it up.
+            context = Aikido::Zen.current_context
+            if context
+              prev_request = context["ssrf.request"]
+              context["ssrf.request"] = wrapped_request
+            end
+            connection = Helpers.build_outbound(self)
+            Helpers.scan(wrapped_request, connection, "request")
+            response = super_call.call
+            Scanners::SSRFScanner.track_redirects(
+              request: wrapped_request,
+              response: Helpers.wrap_response(response)
+            )
+            response
+          ensure
+            context["ssrf.request"] = prev_request if context
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Net::HTTP.load_sinks!

data/lib/aikido/zen/sinks/patron.rb ADDED Viewed

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module Patron
+      def self.load_sinks!
+        if Gem.loaded_specs["patron"]
+          require "patron"
+          ::Patron::Session.prepend(SessionExtensions)
+        end
+      end
+      SINK = Sinks.add("patron", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+      module Helpers
+        def self.wrap_response(request, response)
+          # In this case, automatic redirection happened inside libcurl.
+          if response.url != request.url && !response.url.to_s.empty?
+            Scanners::SSRFScanner::Response.new(
+              status: 302, # We can't know what the actual status was, but we just need a 3XX
+              headers: response.headers.merge("Location" => response.url)
+            )
+          else
+            Scanners::SSRFScanner::Response.new(
+              status: response.status,
+              headers: response.headers
+            )
+          end
+        end
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+      module SessionExtensions
+        extend Sinks::DSL
+        sink_around :handle_request do |super_call, request|
+          wrapped_request = Scanners::SSRFScanner::Request.new(
+            verb: request.action,
+            uri: URI(request.url),
+            headers: request.headers
+          )
+          # Store the request information so the DNS sinks can pick it up.
+          context = Aikido::Zen.current_context
+          if context
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = wrapped_request
+          end
+          connection = OutboundConnection.from_uri(URI(request.url))
+          Helpers.scan(wrapped_request, connection, "request")
+          response = super_call.call
+          Scanners::SSRFScanner.track_redirects(
+            request: wrapped_request,
+            response: Helpers.wrap_response(request, response)
+          )
+          # When libcurl has follow_location set, it will handle redirections
+          # internally, and expose the response.url as the URI that was last
+          # requested in the redirect chain.
+          #
+          # In this case, we can't actually stop the request from happening, but
+          # we can scan again (now that we know another request happened), to
+          # stop the response from being exposed to the user. This downgrades
+          # the SSRF into a blind SSRF, which is better than doing nothing.
+          if request.url != response.url && !response.url.to_s.empty?
+            last_effective_request = Scanners::SSRFScanner::Request.new(
+              verb: request.action,
+              uri: URI(response.url),
+              headers: request.headers
+            )
+            context["ssrf.request"] = last_effective_request if context
+            connection = OutboundConnection.from_uri(URI(response.url))
+            Helpers.scan(last_effective_request, connection, "request")
+          end
+          response
+        ensure
+          context["ssrf.request"] = prev_request if context
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Patron.load_sinks!

data/lib/aikido/zen/sinks/pg.rb ADDED Viewed

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module Sinks
+    module PG
+      def self.load_sinks!
+        if Gem.loaded_specs["pg"]
+          require "pg"
+          ::PG::Connection.prepend(PG::ConnectionExtensions)
+        end
+      end
+      SINK = Sinks.add("pg", scanners: [Scanners::SQLInjectionScanner])
+      module Helpers
+        # For some reason, the ActiveRecord pg adaptor does not wrap exceptions
+        # in ActiveRecord::StatementInvalid, leading to inconsistent handling.
+        # This guarantees that Aikido::Zen::SQLInjectionErrors are wrapped in
+        # an ActiveRecord::StatementInvalid.
+        def self.safe(&block)
+          # Code coverage is disabled here because this ActiveRecord behavior is
+          # exercised in end-to-end tests, which are not covered by SimpleCov.
+          # :nocov:
+          if !defined?(ActiveRecord::StatementInvalid)
+            Sinks::DSL.safe(&block)
+          else
+            begin
+              Sinks::DSL.safe(&block)
+            rescue Aikido::Zen::SQLInjectionError => err
+              raise ActiveRecord::StatementInvalid, cause: err
+            end
+          end
+          # :nocov:
+        end
+        def self.scan(query, operation)
+          SINK.scan(
+            query: query,
+            dialect: :postgresql,
+            operation: operation
+          )
+        end
+      end
+      module ConnectionExtensions
+        extend Sinks::DSL
+        %i[
+          send_query exec sync_exec async_exec
+          send_query_params exec_params sync_exec_params async_exec_params
+        ].each do |method_name|
+          presafe_sink_before method_name do |query|
+            Helpers.safe do
+              Helpers.scan(query, method_name)
+            end
+          end
+        end
+        %i[
+          send_prepare prepare async_prepare sync_prepare
+        ].each do |method_name|
+          presafe_sink_before method_name do |_, query|
+            Helpers.safe do
+              Helpers.scan(query, method_name)
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::PG.load_sinks!

data/lib/aikido/zen/sinks/resolv.rb ADDED Viewed

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+require_relative "../scanners/stored_ssrf_scanner"
+require_relative "../scanners/ssrf_scanner"
+module Aikido::Zen
+  module Sinks
+    module Resolv
+      def self.load_sinks!
+        # In stdlib but not always required
+        require "resolv"
+        ::Resolv.prepend(ResolvExtensions)
+      end
+      SINK = Sinks.add("resolv", scanners: [
+        Scanners::StoredSSRFScanner,
+        Scanners::SSRFScanner
+      ])
+      module Helpers
+        def self.scan(name, addresses, operation)
+          context = Aikido::Zen.current_context
+          if context
+            context["dns.lookups"] ||= Scanners::SSRF::DNSLookups.new
+            context["dns.lookups"].add(name, addresses)
+          end
+          SINK.scan(
+            hostname: name,
+            addresses: addresses,
+            request: context && context["ssrf.request"],
+            operation: operation
+          )
+        end
+      end
+      module ResolvExtensions
+        def each_address(*args, **kwargs, &blk)
+          # each_address is defined "manually" because no sink method pattern
+          # is applicable.
+          name, = args
+          addresses = []
+          super(*args, **kwargs) do |address| # rubocop:disable Style/SuperArguments
+            addresses << address
+            blk.call(address)
+          end
+        ensure
+          # Ensure partial results are scanned.
+          Sinks::DSL.safe do
+            Helpers.scan(name, addresses, "lookup")
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Resolv.load_sinks!

data/lib/aikido/zen/sinks/socket.rb ADDED Viewed

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+require "socket"
+require_relative "../scanners/stored_ssrf_scanner"
+require_relative "../scanners/ssrf_scanner"
+module Aikido::Zen
+  module Sinks
+    # We intercept IPSocket.open to hook our DNS checks around it, since
+    # there's no way to access the internal DNS resolution that happens in C
+    # when using the socket primitives.
+    module Socket
+      def self.load_sinks!
+        ::IPSocket.singleton_class.prepend(Socket::IPSocketExtensions)
+      end
+      SINK = Sinks.add("socket", scanners: [
+        Scanners::StoredSSRFScanner,
+        Scanners::SSRFScanner
+      ])
+      module Helpers
+        def self.scan(hostname, socket, operation)
+          # We're patching IPSocket.open(..) method.
+          # The IPSocket class hierarchy is:
+          #             IPSocket
+          #            /        \
+          #       TCPSocket    UDPSocket
+          #       /       \
+          # TCPServer     SOCKSSocket
+          #
+          # Because we want to scan only HTTP requests, we skip in case the
+          # socket is not *exactly* an instance of TCPSocket — it's any
+          # of it subclasses
+          return unless socket.instance_of?(TCPSocket)
+          # ["AF_INET", 80, "10.0.0.1", "10.0.0.1"]
+          address_family, _port, _hostname, numeric_address = socket.peeraddr(:numeric)
+          # We only care about IPv4 (AF_INET) or IPv6 (AF_INET6) sockets
+          # This might be overcautious, since this is _IP_Socket, so you
+          # would expect it's only used for IP connections?
+          # Code coverage is disabled here because the then clause is a no-op,
+          # so there is nothing to cover.
+          # :nocov:
+          return unless address_family.start_with?("AF_INET")
+          # :nocov:
+          context = Aikido::Zen.current_context
+          if context
+            context["dns.lookups"] ||= Scanners::SSRF::DNSLookups.new
+            context["dns.lookups"].add(hostname, numeric_address)
+          end
+          SINK.scan(
+            hostname: hostname,
+            addresses: [numeric_address],
+            request: context && context["ssrf.request"],
+            operation: operation
+          )
+        end
+      end
+      module IPSocketExtensions
+        extend Sinks::DSL
+        sink_after :open do |socket, remote_host|
+          # Code coverage is disabled here because the tests are contrived and
+          # intentionally do not call open.
+          # :nocov:
+          Helpers.scan(remote_host, socket, "open")
+          # :nocov:
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Socket.load_sinks!

data/lib/aikido/zen/sinks/sqlite3.rb ADDED Viewed

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module Sinks
+    module SQLite3
+      def self.load_sinks!
+        if Gem.loaded_specs["sqlite3"]
+          require "sqlite3"
+          ::SQLite3::Database.prepend(DatabaseExtensions)
+          ::SQLite3::Statement.prepend(StatementExtensions)
+        end
+      end
+      SINK = Sinks.add("sqlite3", scanners: [Scanners::SQLInjectionScanner])
+      module Helpers
+        def self.scan(query, operation)
+          SINK.scan(
+            query: query,
+            dialect: :sqlite,
+            operation: operation
+          )
+        end
+      end
+      module DatabaseExtensions
+        extend Sinks::DSL
+        private
+        # SQLite3::Database#exec_batch is an internal native private method.
+        sink_before :exec_batch do |sql|
+          Helpers.scan(sql, "exec_batch")
+        end
+      end
+      module StatementExtensions
+        extend Sinks::DSL
+        sink_before :initialize do |_db, sql|
+          Helpers.scan(sql, "statement.execute")
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::SQLite3.load_sinks!

data/lib/aikido/zen/sinks/trilogy.rb ADDED Viewed

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module Sinks
+    module Trilogy
+      def self.load_sinks!
+        if Gem.loaded_specs["trilogy"]
+          require "trilogy"
+          ::Trilogy.prepend(TrilogyExtensions)
+        end
+      end
+      SINK = Sinks.add("trilogy", scanners: [Scanners::SQLInjectionScanner])
+      module Helpers
+        def self.scan(query, operation)
+          SINK.scan(query: query, dialect: :mysql, operation: operation)
+        end
+      end
+      module TrilogyExtensions
+        extend Sinks::DSL
+        sink_before :query do |query|
+          Helpers.scan(query, "query")
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Trilogy.load_sinks!