aikido-zen 1.0.1.beta.2-x86_64-linux-musl

data/lib/aikido/zen/runtime_settings.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Stores the firewall configuration sourced from the Aikido dashboard. This
+  # object is updated by the Agent regularly.
+  #
+  # Because the RuntimeSettings object can be modified in runtime, it implements
+  # the {Observable} API, allowing you to subscribe to updates. These are
+  # triggered whenever #update_from_json makes a change (i.e. if the settings
+  # don't change, no update is triggered).
+  #
+  # You can subscribe to changes with +#add_observer(object, func_name)+, which
+  # will call the function passing the settings as an argument.
+  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :skip_protection_for_ips, :received_any_stats) do
+    def initialize(*)
+      super
+      self.endpoints ||= RuntimeSettings::Endpoints.new
+      self.skip_protection_for_ips ||= RuntimeSettings::IPSet.new
+    end
+
+    # @!attribute [rw] updated_at
+    #   @return [Time] when these settings were updated in the Aikido dashboard.
+
+    # @!attribute [rw] heartbeat_interval
+    #   @return [Integer] duration in seconds between heartbeat requests to the
+    #     Aikido server.
+
+    # @!attribute [rw] received_any_stats
+    #   @return [Boolean] whether the Aikido server has received any data from
+    #     this application.
+
+    # @!attribute [rw] endpoints
+    #   @return [Aikido::Zen::RuntimeSettings::Endpoints]
+
+    # @!attribute [rw] blocked_user_ids
+    #   @return [Array]
+
+    # @!attribute [rw] skip_protection_for_ips
+    #   @return [Aikido::Zen::RuntimeSettings::IPSet]
+
+    # Parse and interpret the JSON response from the core API with updated
+    # settings, and apply the changes. This will also notify any subscriber
+    # to updates
+    #
+    # @param data [Hash] the decoded JSON payload from the /api/runtime/config
+    #   API endpoint.
+    #
+    # @return [bool]
+    def update_from_json(data)
+      last_updated_at = updated_at
+
+      self.updated_at = Time.at(data["configUpdatedAt"].to_i / 1000)
+      self.heartbeat_interval = (data["heartbeatIntervalInMS"].to_i / 1000)
+      self.endpoints = RuntimeSettings::Endpoints.from_json(data["endpoints"])
+      self.blocked_user_ids = data["blockedUserIds"]
+      self.skip_protection_for_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
+      self.received_any_stats = data["receivedAnyStats"]
+
+      updated_at != last_updated_at
+    end
+  end
+end
+
+require_relative "runtime_settings/ip_set"
+require_relative "runtime_settings/endpoints"

data/lib/aikido/zen/scan.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Scans track information about a single call made by one of our Sinks
+  # including whether it was detected as an attack or how long it took.
+  class Scan
+    # @return [Aikido::Zen::Sink] the originating Sink.
+    attr_reader :sink
+
+    # @return [Aikido::Zen::Context] the current Context, wrapping the HTTP
+    #   request during which this scan was performed.
+    attr_reader :context
+
+    # @return [Aikido::Zen::Attack, nil] a detected Attack, or
+    #   +nil+ if the scan was considered safe.
+    attr_reader :attack
+
+    # @return [Float, nil] duration in (fractional) seconds of the scan.
+    attr_reader :duration
+
+    # @return [Array<Hash>] list of captured exceptions while scanning.
+    attr_reader :errors
+
+    # @param sink [Aikido::Zen::Sink]
+    # @param context [Aikido::Zen::Context]
+    def initialize(sink:, context:)
+      @sink = sink
+      @context = context
+      @errors = []
+      @performed = false
+    end
+
+    def performed?
+      @performed
+    end
+
+    # @return [Boolean] whether this scan detected an Attack.
+    def attack?
+      @attack != nil
+    end
+
+    # @return [Boolean] whether any errors were caught by this Scan.
+    def errors?
+      @errors.any?
+    end
+
+    # Runs a block of code, capturing its return value as the potential
+    # Attack object (or nil, if safe), and how long it took to run.
+    #
+    # @yieldreturn [Aikido::Zen::Attack, nil]
+    # @return [void]
+    def perform
+      @performed = true
+      started_at = monotonic_time
+      @attack = yield
+    ensure
+      @duration = monotonic_time - started_at
+    end
+
+    # Keep track of exceptions encountered during scanning.
+    #
+    # @param error [Exception]
+    # @param scanner [#call]
+    #
+    # @return [nil]
+    def track_error(error, scanner)
+      @errors << {error: error, scanner: scanner}
+      nil
+    end
+
+    private def monotonic_time
+      Process.clock_gettime(Process::CLOCK_MONOTONIC)
+    end
+  end
+end

data/lib/aikido/zen/scanners/path_traversal/helpers.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Scanners
+    module PathTraversal
+      DANGEROUS_PATH_PARTS = ["../", "..\\"]
+      LINUX_ROOT_FOLDERS = [
+        "/bin/",
+        "/boot/",
+        "/dev/",
+        "/etc/",
+        "/home/",
+        "/init/",
+        "/lib/",
+        "/media/",
+        "/mnt/",
+        "/opt/",
+        "/proc/",
+        "/root/",
+        "/run/",
+        "/sbin/",
+        "/srv/",
+        "/sys/",
+        "/tmp/",
+        "/usr/",
+        "/var/"
+      ]
+
+      DANGEROUS_PATH_STARTS = LINUX_ROOT_FOLDERS + ["c:/", "c:\\"]
+
+      module Helpers
+        def self.contains_unsafe_path_parts(filepath)
+          DANGEROUS_PATH_PARTS.each do |dangerous_part|
+            return true if filepath.include?(dangerous_part)
+          end
+
+          false
+        end
+
+        def self.starts_with_unsafe_path(filepath, user_input)
+          # Check if path is relative (not absolute or drive letter path)
+          # Required because `expand_path` will build absolute paths from relative paths
+          return false if Pathname.new(filepath).relative? || Pathname.new(user_input).relative?
+
+          normalized_path = File.expand_path__internal_for_aikido_zen(filepath).downcase
+          normalized_user_input = File.expand_path__internal_for_aikido_zen(user_input).downcase
+
+          DANGEROUS_PATH_STARTS.each do |dangerous_start|
+            if normalized_path.start_with?(dangerous_start) && normalized_path.start_with?(normalized_user_input)
+              # If the user input is the same as the dangerous start, we don't want to flag it
+              # to prevent false positives.
+              # e.g., if user input is /etc/ and the path is /etc/passwd, we don't want to flag it,
+              # as long as the user input does not contain a subdirectory or filename
+              if user_input == dangerous_start || user_input == dangerous_start.chomp("/")
+                return false
+              end
+              return true
+            end
+          end
+          false
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require_relative "path_traversal/helpers"
+
+module Aikido::Zen
+  module Scanners
+    class PathTraversalScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
+      # Checks if the user introduced input is trying to access other path using
+      # Path Traversal kind of attacks.
+      #
+      # @param filepath [String] the expanded path that is tried to be read
+      # @param context [Aikido::Zen::Context]
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param operation [Symbol, String] name of the method being scanned.
+      #
+      # @return [Aikido::Zen::Attacks::PathTraversalAttack, nil] an Attack if any
+      # user input is detected to be attempting a Path Traversal Attack, or +nil+ if not.
+      def self.call(filepath:, sink:, context:, operation:)
+        context.payloads.each do |payload|
+          next unless new(filepath, payload.value).attack?
+
+          return Attacks::PathTraversalAttack.new(
+            sink: sink,
+            input: payload,
+            filepath: filepath,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+        end
+
+        nil
+      end
+
+      def initialize(filepath, input)
+        @filepath = filepath.downcase
+        @input = input.downcase
+      end
+
+      def attack?
+        # Single character are ignored because they don't pose a big threat
+        return false if @input.length <= 1
+
+        # We ignore cases where the user input is longer than the file path.
+        # Because the user input can't be part of the file path.
+        return false if @input.length > @filepath.length
+
+        # We ignore cases where the user input is not part of the file path.
+        return false unless @filepath.include?(@input)
+
+        if PathTraversal::Helpers.contains_unsafe_path_parts(@filepath) && PathTraversal::Helpers.contains_unsafe_path_parts(@input)
+          return true
+        end
+
+        # Check for absolute path traversal
+        PathTraversal::Helpers.starts_with_unsafe_path(@filepath, @input)
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/shell_injection/helpers.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+module Aikido::Zen::Scanners::ShellInjection
+  module Helpers
+    ESCAPE_CHARS = %W[' "]
+    DANGEROUS_CHARS_INSIDE_DOUBLE_QUOTES = %W[$ ` \\ !]
+    DANGEROUS_CHARS = [
+      "#", "!", '"', "$", "&", "'", "(", ")", "*", ";", "<", "=", ">", "?",
+      "[", "\\", "]", "^", "`", "{", "|", "}", " ", "\n", "\t", "~"
+    ]
+
+    COMMANDS = %w[sleep shutdown reboot poweroff halt ifconfig chmod chown ping
+      ssh scp curl wget telnet kill killall rm mv cp touch echo cat head
+      tail grep find awk sed sort uniq wc ls env ps who whoami id w df du
+      pwd uname hostname netstat passwd arch printenv logname pstree hostnamectl
+      set lsattr killall5 dmesg history free uptime finger top shopt :]
+
+    PATH_PREFIXES = %w[/bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/]
+
+    SEPARATORS = [" ", "\t", "\n", ";", "&", "|", "(", ")", "<", ">"]
+
+    # @param command [string]
+    # @param user_input [string]
+    def self.is_safely_encapsulated(command, user_input)
+      segments = command.split(user_input)
+
+      # The next condition is merely here to be compliant with what javascript does when splitting strings:
+      # From js doc https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/split
+      #   > If separator appears at the beginning (or end) of the string, it still has the effect of splitting,
+      #   > resulting in an empty (i.e. zero length) string appearing at the first (or last) position of
+      #   > the returned array.
+      # This is necessary because this code is ported form the firewall-node code.
+      if user_input.length > 1
+        if command.start_with? user_input
+          segments.unshift ""
+        end
+
+        if command.end_with? user_input
+          segments << ""
+        end
+      end
+
+      # Call the helper function to get current and next segments
+      get_current_and_next_segments(segments).all? do |segments_pair|
+        char_before_user_input = segments_pair[:current_segment][-1]
+        char_after_user_input = segments_pair[:next_segment][0]
+
+        # Check if the character before is an escape character
+        is_escape_char = ESCAPE_CHARS.include?(char_before_user_input)
+
+        unless is_escape_char
+          next false
+        end
+
+        # If characters before and after the user input do not match, return false
+        next false if char_before_user_input != char_after_user_input
+
+        # If user input contains the escape character, return false
+        next false if user_input.include?(char_before_user_input)
+
+        # Handle dangerous characters inside double quotes
+        if char_before_user_input == '"' && DANGEROUS_CHARS_INSIDE_DOUBLE_QUOTES.any? { |char| user_input.include?(char) }
+          next false
+        end
+
+        next true
+      end
+    end
+
+    def self.get_current_and_next_segments(segments)
+      segments.each_cons(2).map { |current_segment, next_segment| {current_segment: current_segment, next_segment: next_segment} }
+    end
+
+    # Helper function for sorting commands by length (longer commands first)
+    def self.by_length(a, b)
+      b.length - a.length
+    end
+
+    # Escape characters with special meaning either inside or outside character sets.
+    # Use a simple backslash escape when it’s always valid, and a `\xnn` escape when the simpler
+    # form would be disallowed by Unicode patterns’ stricter grammar.
+    #
+    # Inspired by https://github.com/sindresorhus/escape-string-regexp/
+    def self.escape_string_regexp(string)
+      string.gsub(/[|\\{}()\[\]^$+*?.]/) { "\\#{$&}" }.gsub("-", '\\x2d')
+    end
+
+    # Construct the regex for commands
+    COMMANDS_REGEX = Regexp.new(
+      "([/.]*((#{PATH_PREFIXES.map { |p| Helpers.escape_string_regexp(p) }.join("|")})?((#{COMMANDS.sort(&method(:by_length)).join("|")}))))",
+      Regexp::IGNORECASE
+    )
+
+    def self.contains_shell_syntax(command, user_input)
+      # Check if input is only whitespace
+      return false if user_input.strip.empty?
+
+      # Check if the user input contains any dangerous characters
+      if DANGEROUS_CHARS.any? { |c| user_input.include?(c) }
+        return true
+      end
+
+      # If the command is exactly the same as the user input, check if it matches the regex
+      if command == user_input
+        return match_all(command, COMMANDS_REGEX).any? do |match|
+          match[:match].length == command.length && match[:match] == command
+        end
+      end
+
+      # Check if the command contains a commonly used command
+      match_all(command, COMMANDS_REGEX).each do |match|
+        # We found a command like `rm` or `/sbin/shutdown` in the command
+        # Check if the command is the same as the user input
+        # If it's not the same, continue searching
+        next if user_input != match[:match]
+
+        # Otherwise, we'll check if the command is surrounded by separators
+        # These separators are used to separate commands and arguments
+        # e.g. `rm<space>-rf`
+        # e.g. `ls<newline>whoami`
+        # e.g. `echo<tab>hello` Check if the command is surrounded by separators
+        char_before = if match[:index] - 1 < 0
+          nil
+        else
+          command[match[:index] - 1]
+        end
+
+        char_after = if match[:index] + match[:match].length >= command.length
+          nil
+        else
+          command[match[:index] + match[:match].length]
+        end
+
+        # e.g. `<separator>rm<separator>`
+        if SEPARATORS.include?(char_before) && SEPARATORS.include?(char_after)
+          return true
+        end
+
+        # e.g. `<separator>rm`
+        if SEPARATORS.include?(char_before) && char_after.nil?
+          return true
+        end
+
+        # e.g. `rm<separator>`
+        if char_before.nil? && SEPARATORS.include?(char_after)
+          return true
+        end
+      end
+
+      false
+    end
+
+    def self.match_all(string, regex)
+      string.enum_for(:scan, regex).map do |match|
+        {match: match[0], index: $~.begin(0)}
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/shell_injection_scanner.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require_relative "shell_injection/helpers"
+
+module Aikido::Zen
+  module Scanners
+    class ShellInjectionScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
+      # @param command [String]
+      # @param sink [Aikido::Zen::Sink]
+      # @param context [Aikido::Zen::Context]
+      # @param operation [Symbol, String]
+      #
+      def self.call(command:, sink:, context:, operation:)
+        context.payloads.each do |payload|
+          next unless new(command, payload.value).attack?
+
+          return Attacks::ShellInjectionAttack.new(
+            sink: sink,
+            input: payload,
+            command: command,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+        end
+
+        nil
+      end
+
+      # @param command [String]
+      # @param input [String]
+      def initialize(command, input)
+        @command = command
+        @input = input
+      end
+
+      def attack?
+        # Block single ~ character. For example `echo ~`
+        if @input == "~"
+          if @command.size > 1 && @command.include?("~")
+            return true
+          end
+        end
+
+        # we ignore single character since they don't pose a big threat.
+        # They are only able to crash the shell, not execute arbitraty commands.
+        return false if @input.size <= 1
+
+        # We ignore cases where the user input is longer than the command because
+        # the user input can't be part of the command
+        return false if @input.size > @command.size
+
+        return false unless @command.include?(@input)
+
+        return false if ShellInjection::Helpers.is_safely_encapsulated @command, @input
+
+        ShellInjection::Helpers.contains_shell_syntax @command, @input
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require_relative "../attack"
+require_relative "../internals"
+
+module Aikido::Zen
+  module Scanners
+    class SQLInjectionScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
+      # Checks if the given SQL query may have dangerous user input injected,
+      # and returns an Attack if so, based on the current request.
+      #
+      # @param query [String]
+      # @param context [Aikido::Zen::Context]
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param dialect [Symbol] one of +:mysql+, +:postgesql+, or +:sqlite+.
+      # @param operation [Symbol, String] name of the method being scanned.
+      #   Expects +sink.operation+ being set to get the full module/name combo.
+      #
+      # @return [Aikido::Zen::Attack, nil] an Attack if any user input is
+      #   detected to be attempting a SQL injection, or nil if this is safe.
+      #
+      # @raise [Aikido::Zen::InternalsError] if an error occurs when loading or
+      #   calling zenlib. See Sink#scan.
+      def self.call(query:, dialect:, sink:, context:, operation:)
+        dialect = DIALECTS.fetch(dialect) do
+          Aikido::Zen.config.logger.warn "Unknown SQL dialect #{dialect.inspect}"
+          DIALECTS[:common]
+        end
+
+        context.payloads.each do |payload|
+          next unless new(query, payload.value, dialect).attack?
+
+          return Attacks::SQLInjectionAttack.new(
+            sink: sink,
+            query: query,
+            input: payload,
+            dialect: dialect,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+        end
+
+        nil
+      end
+
+      def initialize(query, input, dialect)
+        @query = query.downcase
+        @input = input.downcase
+        @dialect = dialect
+      end
+
+      def attack?
+        # Ignore single char inputs since they shouldn't be able to do much harm
+        return false if @input.length <= 1
+
+        # If the input is longer than the query, then it is not part of it
+        return false if @input.length > @query.length
+
+        # If the input is not included in the query at all, then we are safe
+        return false unless @query.include?(@input)
+
+        # If the input is solely alphanumeric, we can ignore it
+        return false if /\A[[:alnum:]_]+\z/i.match?(@input)
+
+        # If the input is a comma-separated list of numbers, ignore it.
+        return false if /\A(?:\d+(?:,\s*)?)+\z/i.match?(@input)
+
+        Internals.detect_sql_injection(@query, @input, @dialect)
+      end
+
+      # @api private
+      Dialect = Struct.new(:name, :internals_key, keyword_init: true) do
+        alias_method :to_s, :name
+        alias_method :to_int, :internals_key
+      end
+
+      # Maps easy-to-use Symbols to a struct that keeps both the name and the
+      # internal identifier used by libzen.
+      #
+      # @see https://github.com/AikidoSec/zen-internals/blob/main/src/sql_injection/helpers/select_dialect_based_on_enum.rs
+      DIALECTS = {
+        common: Dialect.new(name: "SQL", internals_key: 0),
+        mysql: Dialect.new(name: "MySQL", internals_key: 8),
+        postgresql: Dialect.new(name: "PostgreSQL", internals_key: 9),
+        sqlite: Dialect.new(name: "SQLite", internals_key: 12)
+      }
+    end
+  end
+end

data/lib/aikido/zen/scanners/ssrf/dns_lookups.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require "delegate"
+
+module Aikido::Zen
+  module Scanners
+    module SSRF
+      # Simple per-request cache of all DNS lookups performed for a given host.
+      # We can store this in the context after performing a lookup, and have the
+      # SSRF scanner make sure the hostname being inspected doesn't actually
+      # resolve to an internal/dangerous IP.
+      class DNSLookups < SimpleDelegator
+        def initialize
+          super(Hash.new { |h, k| h[k] = [] })
+        end
+
+        def add(hostname, addresses)
+          self[hostname].concat(Array(addresses))
+        end
+
+        def ===(hostname)
+          key?(hostname)
+        end
+      end
+    end
+  end
+end