aikido-zen 1.0.1.beta.2-arm64-linux-musl

data/lib/aikido/zen/errors.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+require "forwardable"
+
+module Aikido
+  # @!visibility private
+  # Support rescuing Aikido::Error without forcing a single base class to all
+  # errors (so things that should be e.g. a TypeError, can have the correct
+  # superclass).
+  module Error; end # :nodoc:
+
+  # @!visibility private
+  # Generic error for problems with the Agent.
+  class ZenError < RuntimeError
+    include Error
+  end
+
+  module Zen
+    # Wrapper for all low-level network errors communicating with the API. You
+    # can access the original error by calling #cause.
+    class NetworkError < StandardError
+      include Error
+
+      def initialize(request, cause = nil)
+        @request = request.dup
+
+        super("Error in #{request.method} #{request.path}: #{cause.message}")
+      end
+    end
+
+    # Raised whenever a request to the API results in a 4XX or 5XX response.
+    class APIError < StandardError
+      include Error
+
+      attr_reader :request
+      attr_reader :response
+
+      def initialize(request, response)
+        @request = anonimize_token(request.dup)
+        @response = response
+
+        super("Error in #{request.method} #{request.path}: #{response.code} #{response.message} (#{response.body})")
+      end
+
+      private def anonimize_token(request)
+        # Anonimize the token to `********************xxxx`,
+        # mimicking what we show in the dashbaord.
+        request["Authorization"] = request["Authorization"].to_s
+          .gsub(/\A.*(.{4})\z/, ("*" * 20) + "\\1")
+        request
+      end
+    end
+
+    # Raised whenever a response to the API results in a 429 response.
+    class RateLimitedError < APIError; end
+
+    class UnderAttackError < StandardError
+      include Error
+
+      attr_reader :attack
+
+      def initialize(attack)
+        @attack = attack
+      end
+    end
+
+    class SQLInjectionError < UnderAttackError
+      extend Forwardable
+      def_delegators :@attack, :query, :input, :dialect
+    end
+
+    class SSRFDetectedError < UnderAttackError
+      extend Forwardable
+      def_delegators :@attack, :request, :input
+    end
+
+    class PathTraversalError < UnderAttackError
+      extend Forwardable
+      def_delegators :@attack, :input
+    end
+
+    class ShellInjectionError < UnderAttackError
+      extend Forwardable
+      def_delegators :@attack, :input
+    end
+
+    # Raised when there's any problem communicating (or loading) libzen.
+    class InternalsError < ZenError
+      # @param attempt [String] description of what we were trying to do.
+      # @param problem [String] what couldn't be done.
+      # @param libname [String] the name of the file (including the arch).
+      def initialize(attempt, problem, libname)
+        super(format(<<~MSG.chomp, attempt, problem, libname))
+          Zen could not scan %s due to a problem %s the library `%s'
+        MSG
+      end
+    end
+
+    class DetachedAgentError < ZenError
+      extend Forwardable
+
+      def initialize(msg)
+        super
+      end
+    end
+  end
+end

data/lib/aikido/zen/event.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Base class for all events. You should be using one of the subclasses defined
+  # in the Events module.
+  class Event
+    attr_reader :type
+    attr_reader :time
+    attr_reader :system_info
+
+    def initialize(type:, system_info: Aikido::Zen.system_info, time: Time.now.utc)
+      @type = type
+      @time = time
+      @system_info = system_info
+    end
+
+    def as_json
+      {
+        type: type,
+        time: time.to_i * 1000,
+        agent: system_info.as_json
+      }
+    end
+  end
+
+  module Events
+    # Event sent when starting up the agent.
+    class Started < Event
+      def initialize(**opts)
+        super(type: "started", **opts)
+      end
+    end
+
+    class Attack < Event
+      attr_reader :attack
+
+      def initialize(attack:, **opts)
+        @attack = attack
+        super(type: "detected_attack", **opts)
+      end
+
+      def as_json
+        super.update(
+          attack: @attack.as_json,
+          request: @attack.context.request.as_json
+        )
+      end
+    end
+
+    class Heartbeat < Event
+      def initialize(stats:, users:, hosts:, routes:, middleware_installed:, **opts)
+        super(type: "heartbeat", **opts)
+        @stats = stats
+        @users = users
+        @hosts = hosts
+        @routes = routes
+        @middleware_installed = middleware_installed
+      end
+
+      def as_json
+        super.update(
+          stats: @stats.as_json,
+          users: @users.as_json,
+          routes: @routes.as_json,
+          hostnames: @hosts.as_json,
+          middlewareInstalled: @middleware_installed
+        )
+      end
+    end
+  end
+end

data/lib/aikido/zen/internals.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require "ffi"
+require_relative "errors"
+
+module Aikido::Zen
+  module Internals
+    extend FFI::Library
+
+    class << self
+      # @return [String] the name of the extension we're loading, which we can
+      #   use in error messages to identify the architecture.
+      attr_accessor :libzen_name
+    end
+
+    def self.libzen_names
+      lib_name = "libzen-v#{LIBZEN_VERSION}"
+      lib_ext = FFI::Platform::LIBSUFFIX
+
+      # Gem::Platform#version should be understood as an arbitrary Ruby defined
+      # OS specific string. A platform with a version string is considered more
+      # specific than a platform without a version string.
+      # https://docs.ruby-lang.org/en/3.3/Gem/Platform.html
+
+      platform = Gem::Platform.local.dup
+
+      # Library names in preferred order.
+      #
+      # If two library names are added, the specific platform library names is
+      # first and the generic platform library name is second.
+      names = []
+
+      names << "#{lib_name}-#{platform}.#{lib_ext}"
+
+      unless platform.version.nil?
+        platform.version = nil
+        names << "#{lib_name}-#{platform}.#{lib_ext}"
+      end
+
+      names
+    end
+
+    # Load the most specific library
+    def self.load_libzen
+      libzen_names.each do |libzen_name|
+        libzen_path = File.expand_path(libzen_name, __dir__)
+        begin
+          return ffi_lib(libzen_path)
+        rescue LoadError
+          # empty
+        end
+      end
+      raise LoadError, "Could not load libzen"
+    end
+
+    begin
+      load_libzen
+
+      # @!method self.detect_sql_injection_native(query, input, dialect)
+      # @param (see .detect_sql_injection)
+      # @returns [Integer] 0 if no injection detected, 1 if an injection was
+      #   detected, or 2 if there was an internal error.
+      # @raise [Aikido::Zen::InternalsError] if there's a problem loading or
+      #   calling libzen.
+      attach_function :detect_sql_injection_native, :detect_sql_injection,
+        [:string, :string, :int], :int
+    rescue LoadError, FFI::NotFoundError => err # rubocop:disable Lint/ShadowedException
+      # :nocov:
+
+      # Emit an $stderr warning at startup.
+      warn "Zen could not load its binary extension #{libzen_name}: #{err}"
+
+      def self.detect_sql_injection(query, *)
+        attempt = format("%p for SQL injection", query)
+        raise InternalsError.new(attempt, "loading", Internals.libzen_name)
+      end
+
+      # :nocov:
+    else
+      # Analyzes the SQL query to detect if the provided user input is being
+      # passed as-is without escaping.
+      #
+      # @param query [String]
+      # @param input [String]
+      # @param dialect [Integer, #to_int] the SQL Dialect identifier in libzen.
+      #   See {Aikido::Zen::Scanners::SQLInjectionScanner::DIALECTS}.
+      #
+      # @returns [Boolean]
+      # @raise [Aikido::Zen::InternalsError] if there's a problem loading or
+      #   calling libzen.
+      def self.detect_sql_injection(query, input, dialect)
+        case detect_sql_injection_native(query, input, dialect)
+        when 0 then false
+        when 1 then true
+        when 2
+          attempt = format("%s query %p with input %p", dialect, query, input)
+          raise InternalsError.new(attempt, "calling detect_sql_injection in", libzen_name)
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/check_allowed_addresses.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Middleware
+    # Middleware that rejects requests from IPs blocked in the Aikido dashboard.
+    class CheckAllowedAddresses
+      def initialize(app, config: Aikido::Zen.config, settings: Aikido::Zen.runtime_settings)
+        @app = app
+        @config = config
+        @settings = settings
+      end
+
+      def call(env)
+        request = Aikido::Zen::Middleware.request_from(env)
+
+        allowed_ips = @settings.endpoints[request.route].allowed_ips
+
+        if allowed_ips.empty? || allowed_ips.include?(request.ip)
+          @app.call(env)
+        else
+          @config.blocked_responder.call(request, :ip)
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/middleware.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Aikido::Zen::Middleware
+  def self.request_from(env)
+    if (current_context = Aikido::Zen.current_context)
+      current_context.request
+    else
+      Aikido::Zen::Context.from_rack_env(env).request
+    end
+  end
+end

data/lib/aikido/zen/middleware/rack_throttler.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require_relative "../context"
+
+module Aikido::Zen
+  module Middleware
+    # Rack middleware that rejects requests from clients that are making too many
+    # requests to a given endpoint, based in the runtime configuration in the
+    # Aikido dashboard.
+    class RackThrottler
+      def initialize(
+        app,
+        config: Aikido::Zen.config,
+        settings: Aikido::Zen.runtime_settings,
+        detached_agent: Aikido::Zen.detached_agent
+      )
+        @app = app
+        @config = config
+        @settings = settings
+        @detached_agent = detached_agent
+      end
+
+      def call(env)
+        request = Aikido::Zen::Middleware.request_from(env)
+
+        if should_throttle?(request)
+          @config.rate_limited_responder.call(request)
+        else
+          @app.call(env)
+        end
+      end
+
+      private
+
+      def should_throttle?(request)
+        return false unless @settings.endpoints[request.route].rate_limiting.enabled?
+        return false if @settings.skip_protection_for_ips.include?(request.ip)
+
+        result = @detached_agent.calculate_rate_limits(request)
+
+        return false unless result
+
+        request.env["aikido.rate_limiting"] = result
+        request.env["aikido.rate_limiting"].throttled?
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/request_tracker.rb

@@ -0,0 +1,192 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Middleware
+    # Rack middleware used to track request
+    # It implements the logic under that which is considered worthy of being tracked.
+    class RequestTracker
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = Aikido::Zen::Middleware.request_from(env)
+        response = @app.call(env)
+
+        if request.route && track?(
+          status_code: response[0],
+          route: request.route.path,
+          http_method: request.request_method
+        )
+          Aikido::Zen.track_request request
+
+          if Aikido::Zen.config.collect_api_schema?
+            Aikido::Zen.track_discovered_route(request)
+          end
+        end
+
+        response
+      end
+
+      IGNORED_METHODS = %w[OPTIONS HEAD]
+      IGNORED_EXTENSIONS = %w[properties config webmanifest]
+      IGNORED_SEGMENTS = ["cgi-bin"]
+      WELL_KNOWN_URIS = %w[
+        /.well-known/acme-challenge
+        /.well-known/amphtml
+        /.well-known/api-catalog
+        /.well-known/appspecific
+        /.well-known/ashrae
+        /.well-known/assetlinks.json
+        /.well-known/broadband-labels
+        /.well-known/brski
+        /.well-known/caldav
+        /.well-known/carddav
+        /.well-known/change-password
+        /.well-known/cmp
+        /.well-known/coap
+        /.well-known/coap-eap
+        /.well-known/core
+        /.well-known/csaf
+        /.well-known/csaf-aggregator
+        /.well-known/csvm
+        /.well-known/did.json
+        /.well-known/did-configuration.json
+        /.well-known/dnt
+        /.well-known/dnt-policy.txt
+        /.well-known/dots
+        /.well-known/ecips
+        /.well-known/edhoc
+        /.well-known/enterprise-network-security
+        /.well-known/enterprise-transport-security
+        /.well-known/est
+        /.well-known/genid
+        /.well-known/gnap-as-rs
+        /.well-known/gpc.json
+        /.well-known/gs1resolver
+        /.well-known/hoba
+        /.well-known/host-meta
+        /.well-known/host-meta.json
+        /.well-known/hosting-provider
+        /.well-known/http-opportunistic
+        /.well-known/idp-proxy
+        /.well-known/jmap
+        /.well-known/keybase.txt
+        /.well-known/knx
+        /.well-known/looking-glass
+        /.well-known/masque
+        /.well-known/matrix
+        /.well-known/mercure
+        /.well-known/mta-sts.txt
+        /.well-known/mud
+        /.well-known/nfv-oauth-server-configuration
+        /.well-known/ni
+        /.well-known/nodeinfo
+        /.well-known/nostr.json
+        /.well-known/oauth-authorization-server
+        /.well-known/oauth-protected-resource
+        /.well-known/ohttp-gateway
+        /.well-known/openid-federation
+        /.well-known/open-resource-discovery
+        /.well-known/openid-configuration
+        /.well-known/openorg
+        /.well-known/oslc
+        /.well-known/pki-validation
+        /.well-known/posh
+        /.well-known/privacy-sandbox-attestations.json
+        /.well-known/private-token-issuer-directory
+        /.well-known/probing.txt
+        /.well-known/pvd
+        /.well-known/rd
+        /.well-known/related-website-set.json
+        /.well-known/reload-config
+        /.well-known/repute-template
+        /.well-known/resourcesync
+        /.well-known/sbom
+        /.well-known/security.txt
+        /.well-known/ssf-configuration
+        /.well-known/sshfp
+        /.well-known/stun-key
+        /.well-known/terraform.json
+        /.well-known/thread
+        /.well-known/time
+        /.well-known/timezone
+        /.well-known/tdmrep.json
+        /.well-known/tor-relay
+        /.well-known/tpcd
+        /.well-known/traffic-advice
+        /.well-known/trust.txt
+        /.well-known/uma2-configuration
+        /.well-known/void
+        /.well-known/webfinger
+        /.well-known/webweaver.json
+        /.well-known/wot
+      ]
+
+      # @param status_code [Integer]
+      # @param route [String]
+      # @param http_method [String]
+      def track?(status_code:, route:, http_method:)
+        # In the UI we want to show only successful (2xx) or redirect (3xx) responses
+        # anything else is discarded.
+        return false unless status_code >= 200 && status_code <= 399
+
+        return false if IGNORED_METHODS.include?(http_method)
+
+        segments = route.split "/"
+
+        # Do not discover routes with dot files like `/path/to/.file` or `/.directory/file`
+        # We want to allow discovery of well-known URIs like `/.well-known/acme-challenge`
+        return false if segments.any? { |s| is_dot_file s } && !is_well_known_uri(route)
+
+        return false if segments.any? { |s| contains_ignored_string s }
+
+        # Check for every file segment if it contains a file extension and if it
+        # should be discovered or ignored
+        segments.all? { |s| should_track_extension s }
+      end
+
+      private
+
+      # Check if a path is a well-known URI
+      # e.g. /.well-known/acme-challenge
+      # https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
+      def is_well_known_uri(route)
+        WELL_KNOWN_URIS.include?(route)
+      end
+
+      def is_dot_file(segment)
+        segment.start_with?(".") && segment.size > 1
+      end
+
+      def contains_ignored_string(segment)
+        IGNORED_SEGMENTS.any? { |ignored| segment.include?(ignored) }
+      end
+
+      # Ignore routes which contain file extensions
+      def should_track_extension(segment)
+        extension = get_file_extension(segment)
+
+        return true unless extension
+
+        # Do not discover files with extensions of 1 to 5 characters,
+        # e.g. file.css, file.js, file.woff2
+        return false if extension.size > 1 && extension.size < 6
+
+        # Ignore some file extensions that are longer than 5 characters or shorter than 2 chars
+        return false if IGNORED_EXTENSIONS.include?(extension)
+
+        true
+      end
+
+      def get_file_extension(segment)
+        extension = File.extname(segment)
+        if extension&.start_with?(".")
+          # Remove the dot from the extension
+          return extension[1..]
+        end
+        extension
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/set_context.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative "../context"
+
+module Aikido::Zen
+  # @!visibility private
+  ENV_KEY = "aikido.context"
+
+  module Middleware
+    # Rack middleware that keeps the current context in a Thread/Fiber-local
+    # variable so that other parts of the agent/firewall can access it.
+    class SetContext
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        Aikido::Zen.current_context = env[ENV_KEY] = Context.from_rack_env(env)
+
+        @app.call(env)
+      ensure
+        Aikido::Zen.current_context = nil
+      end
+    end
+  end
+end

data/lib/aikido/zen/outbound_connection.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Simple data object to identify connections performed to outbound servers.
+  class OutboundConnection
+    # Convenience factory to create connection descriptions out of URI objects.
+    #
+    # @param uri [URI]
+    # @return [Aikido::Zen::OutboundConnection]
+    def self.from_uri(uri)
+      new(host: uri.hostname, port: uri.port)
+    end
+
+    # @return [String] the hostname or IP address to which the connection was
+    #   attempted.
+    attr_reader :host
+
+    # @return [Integer] the port number to which the connection was attempted.
+    attr_reader :port
+
+    def initialize(host:, port:)
+      @host = host
+      @port = port
+    end
+
+    def as_json
+      {hostname: host, port: port}
+    end
+
+    def ==(other)
+      other.is_a?(OutboundConnection) &&
+        host == other.host &&
+        port == other.port
+    end
+    alias_method :eql?, :==
+
+    def hash
+      [host, port].hash
+    end
+
+    def inspect
+      "#<#{self.class.name} #{host}:#{port}>"
+    end
+  end
+end

data/lib/aikido/zen/outbound_connection_monitor.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # This simple callable follows the Scanner API so that it can be injected into
+  # any Sink that wraps an HTTP library, and lets us keep track of any hosts to
+  # which the app communicates over HTTP.
+  module OutboundConnectionMonitor
+    def self.skips_on_nil_context?
+      false
+    end
+
+    # This simply reports the connection to the Agent, and always returns +nil+
+    # as it's not scanning for any particular attack.
+    #
+    # @param connection [Aikido::Zen::OutboundConnection]
+    # @return [nil]
+    def self.call(connection:, **)
+      Aikido::Zen.track_outbound(connection)
+
+      nil
+    end
+  end
+end

data/lib/aikido/zen/package.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative "sink"
+
+module Aikido::Zen
+  Package = Struct.new(:name, :version) do
+    def initialize(name, version, sinks = Aikido::Zen::Sinks.registry)
+      super(name, version)
+      @sinks = sinks
+    end
+
+    # @return [Boolean] whether we explicitly protect against exploits in this
+    #   library.
+    def supported?
+      @sinks.include?(name)
+    end
+
+    def as_json
+      {name => version.to_s}
+    end
+  end
+end