aikido-zen 1.0.1.beta.2-x86_64-linux-musl

data/lib/aikido/zen/payload.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # An individual user input in a request, which may come from different
+  # sources (query string, body, cookies, etc).
+  class Payload
+    attr_reader :value, :source, :path
+
+    def initialize(value, source, path)
+      @value = value
+      @source = source
+      @path = path
+    end
+
+    UNKNOWN_PAYLOAD = Payload.new("unknown", "unknown", "unknown")
+
+    alias_method :to_s, :value
+
+    def ==(other)
+      other.is_a?(Payload) &&
+        other.value == value &&
+        other.source == source &&
+        other.path == path
+    end
+
+    def as_json
+      {
+        payload: value.to_s,
+        source: SOURCE_SERIALIZATIONS[source],
+        pathToPayload: path.to_s
+      }
+    end
+
+    SOURCE_SERIALIZATIONS = {
+      query: "query",
+      body: "body",
+      header: "headers",
+      cookie: "cookies",
+      route: "routeParams",
+      graphql: "graphql",
+      xml: "xml",
+      subdomain: "subdomains"
+    }
+
+    def inspect
+      val = (value.to_s.size > 128) ? value[0..125] + "..." : value
+      "#<Aikido::Zen::Payload #{source}(#{path}) #{val.inspect}>"
+    end
+  end
+end

data/lib/aikido/zen/rails_engine.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "action_dispatch"
+
+module Aikido::Zen
+  class RailsEngine < ::Rails::Engine
+    config.before_configuration do
+      # Access library configuration at `Rails.application.config.zen`.
+      config.zen = Aikido::Zen.config
+    end
+
+    initializer "aikido.add_middleware" do |app|
+      next unless config.zen.protect?
+
+      app.middleware.use Aikido::Zen::Middleware::SetContext
+      app.middleware.use Aikido::Zen::Middleware::CheckAllowedAddresses
+      # Request Tracker stats do not consider failed request or 40x, so the middleware
+      # must be the last one wrapping the request.
+      app.middleware.use Aikido::Zen::Middleware::RequestTracker
+
+      ActiveSupport.on_load(:action_controller) do
+        # Due to how Rails sets up its middleware chain, the routing is evaluated
+        # (and the Request object constructed) in the app that terminates the
+        # chain, so no amount of middleware will be able to access it.
+        #
+        # This way, we overwrite the Request object as early as we can in the
+        # request handling, so that by the time we start evaluating inputs, we
+        # have assigned the request correctly.
+        before_action { Aikido::Zen.current_context.update_request(request) }
+      end
+    end
+
+    initializer "aikido.configuration" do |app|
+      # Allow the logger to be configured before checking if disabled? so we can
+      # let the user know that the agent is disabled.
+      logger = ::Rails.logger
+      logger = ActiveSupport::TaggedLogging.new(logger) unless logger.respond_to?(:tagged)
+      app.config.zen.logger = logger.tagged("aikido")
+
+      app.config.zen.request_builder = Aikido::Zen::Context::RAILS_REQUEST_BUILDER
+
+      # Plug Rails' JSON encoder/decoder, but only if the user hasn't changed
+      # them for something else.
+      if app.config.zen.json_encoder == Aikido::Zen::Config::DEFAULT_JSON_ENCODER
+        app.config.zen.json_encoder = ActiveSupport::JSON.method(:encode)
+      end
+
+      if app.config.zen.json_decoder == Aikido::Zen::Config::DEFAULT_JSON_DECODER
+        app.config.zen.json_decoder = ActiveSupport::JSON.method(:decode)
+      end
+    end
+
+    config.after_initialize do
+      next unless config.zen.protect?
+
+      # Make sure this is run at the end of the initialization process, so
+      # that any gems required after aikido-zen are detected and patched
+      # accordingly.
+      Aikido::Zen.load_sinks!
+
+      # It's important we start after loading sinks, so we can report the installed packages
+      Aikido::Zen.start!
+
+      # Agent's bootstrap process has finished —Controllers are patched to block
+      # unwanted requests, sinks are loaded, scanners are running—, so we mark
+      # the agent as installed.
+      Aikido::Zen.middleware_installed!
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter/breaker.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require_relative "bucket"
+
+module Aikido::Zen
+  # @api private
+  #
+  # Circuit breaker that rate limits internal API requests in two ways: By using
+  # a sliding window, to allow only a certain number of events over that window,
+  # and with the ability of manually being tripped open when the API responds to
+  # a request with a 429.
+  class RateLimiter::Breaker
+    def initialize(config: Aikido::Zen.config, clock: RateLimiter::Bucket::DEFAULT_CLOCK)
+      @config = config
+      @clock = clock
+
+      @bucket = RateLimiter::Bucket.new(
+        ttl: config.client_rate_limit_period,
+        max_size: config.client_rate_limit_max_events,
+        clock: clock
+      )
+      @opened_at = nil
+    end
+
+    # Trip the circuit open to force all events to be throttled until the
+    # deadline passes.
+    #
+    # @see Aikido::Zen::Config#server_rate_limit_deadline
+    # @return [void]
+    def open!
+      @opened_at = @clock.call
+    end
+
+    # @param event_type [String] an event type which we'll use to decide
+    #   if we should throttle it.
+    # @return [Boolean]
+    def throttle?(event_type)
+      return true if open? && !try_close
+
+      result = @bucket.increment(event_type)
+      result.throttled?
+    end
+
+    # @!visibility private
+    # @return [Boolean]
+    def open?
+      @opened_at
+    end
+
+    private
+
+    def past_deadline?
+      @opened_at < @clock.call - @config.server_rate_limit_deadline
+    end
+
+    def try_close
+      @opened_at = nil if past_deadline?
+      @opened_at.nil?
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter/bucket.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require_relative "../synchronizable"
+require_relative "result"
+
+module Aikido::Zen
+  # This models a "sliding window" rate limiting bucket (where we keep a bucket
+  # per endpoint). The timestamps of requests are kept grouped by client, and
+  # when a new request is made, we check if the number of requests falls within
+  # the configured limit.
+  #
+  # @example
+  #   bucket = Aikido::Zen::RateLimiter::Bucket.new(ttl: 60, max_size: 3)
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 1)
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 2)
+  #
+  #   # 30 seconds go by
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 3)
+  #
+  #   # 20 more seconds go by
+  #   bucket.increment("1.2.3.4") #=> false (count for this key: 3)
+  #
+  #   # 20 more seconds go by
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 2)
+  #
+  class RateLimiter::Bucket
+    prepend Synchronizable
+
+    # @!visibility private
+    #
+    # Use the monotonic clock to ensure time differences are consistent
+    # and not affected by timezones.or daylight savings changes.
+    DEFAULT_CLOCK = -> { Process.clock_gettime(Process::CLOCK_MONOTONIC).round }
+
+    def initialize(ttl:, max_size:, clock: DEFAULT_CLOCK)
+      @ttl = ttl
+      @max_size = max_size
+      @data = Hash.new { |h, k| h[k] = [] }
+      @clock = clock
+    end
+
+    # Increments the key if the number of entries within the current TTL window
+    # is below the configured threshold.
+    #
+    # @param key [String] discriminating key to identify a client.
+    #   See {Aikido::Zen::Config#rate_limiting_discriminator}.
+    #
+    # @return [Aikido::Zen::RateLimiter::Result] the result of the operation and
+    #   statistics on this bucket for the given key.
+    def increment(key)
+      synchronize do
+        time = @clock.call
+        evict(key, at: time)
+
+        entries = @data[key]
+        throttled = entries.size >= @max_size
+
+        entries << time unless throttled
+
+        RateLimiter::Result.new(
+          throttled: throttled,
+          discriminator: key,
+          current_requests: entries.size,
+          max_requests: @max_size,
+          time_remaining: @ttl - (time - entries.min)
+        )
+      end
+    end
+
+    private
+
+    def evict(key, at: @clock.call)
+      synchronize { @data[key].delete_if { |time| time < (at - @ttl) } }
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter/result.rb

@@ -0,0 +1,31 @@
+module Aikido::Zen
+  # Holds the stats after checking if a request should be rate limited, which
+  # will be added to the Rack env.
+  class RateLimiter::Result
+    # @return [String] the output of the configured discriminator block, used to
+    #   uniquely identify a client (e.g. the remote IP).
+    attr_reader :discriminator
+
+    # @return [Integer] number of requests for the client in the current window.
+    attr_reader :current_requests
+
+    # @return [Integer] configured max number of requests per client.
+    attr_reader :max_requests
+
+    # @return [Integer] number of seconds remaining until the window resets.
+    attr_reader :time_remaining
+
+    def initialize(throttled:, discriminator:, current_requests:, max_requests:, time_remaining:)
+      @throttled = throttled
+      @discriminator = discriminator
+      @current_requests = current_requests
+      @max_requests = max_requests
+      @time_remaining = time_remaining
+    end
+
+    # @return [Boolean] whether the current request was throttled or not.
+    def throttled?
+      @throttled
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require_relative "synchronizable"
+require_relative "middleware/rack_throttler"
+
+module Aikido::Zen
+  # Keeps track of all requests in this process, broken up by Route and further
+  # discriminated by client. Provides a single method that checks if a certain
+  # Request needs to be throttled or not.
+  class RateLimiter
+    prepend Synchronizable
+
+    def initialize(
+      config: Aikido::Zen.config,
+      settings: Aikido::Zen.runtime_settings
+    )
+      @config = config
+      @settings = settings
+      @buckets = Hash.new { |store, route|
+        synchronize {
+          settings = settings_for(route)
+          store[route] = Bucket.new(ttl: settings.period, max_size: settings.max_requests)
+        }
+      }
+    end
+
+    # Calculate based on the configuration whether a request will be
+    # rate-limited or not.
+    #
+    # @param request [Aikido::Zen::Request]
+    # @return [Aikido::Zen::RateLimiter::Result, nil]
+    def calculate_rate_limits(request)
+      settings = settings_for(request.route)
+      return nil unless settings.enabled?
+
+      bucket = @buckets[request.route]
+      key = @config.rate_limiting_discriminator.call(request)
+      bucket.increment(key)
+    end
+
+    private
+
+    def settings_for(route)
+      @settings.endpoints[route].rate_limiting
+    end
+  end
+end
+
+require_relative "rate_limiter/bucket"
+require_relative "rate_limiter/breaker"

data/lib/aikido/zen/request/heuristic_router.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+require_relative "../route"
+require_relative "../request"
+
+module Aikido::Zen
+  # Simple router implementation that just identifies the currently requested
+  # URL as a route, attempting to heuristically substitute any path segments
+  # that may look like a parameterized value by something descriptive.
+  #
+  # For example, "/categories/123/events/2024-10-01" would be matched as
+  # "/categories/:number/events/:date"
+  class Request::HeuristicRouter
+    # @param request [Aikido::Zen::Request]
+    # @return [Aikido::Zen::Route, nil]
+    def recognize(request)
+      path = parameterize(request.path)
+      Route.new(verb: request.request_method, path: path)
+    end
+
+    private def parameterize(path)
+      return if path.nil?
+
+      path = path.split("/").map { |part| parameterize_segment(part) }.join("/")
+      path.prepend("/") unless path.start_with?("/")
+      path.chomp!("/") if path.size > 1
+      path
+    end
+
+    private def parameterize_segment(segment)
+      case segment
+      when ULID
+        ":ulid"
+      when OBJECT_ID
+        ":objectId"
+      when NUMBER
+        ":number"
+      when UUID
+        ":uuid"
+      when DATE
+        ":date"
+      when EMAIL
+        ":email"
+      when IP
+        ":ip"
+      when HASH
+        ":hash"
+      when SecretMatcher
+        ":secret"
+      else
+        segment
+      end
+    end
+
+    NUMBER = /\A\d+\z/
+    HEX = /\A[a-f0-9]+\z/i
+    DATE = /\A\d{4}-\d{2}-\d{2}|\d{2}-\d{2}-\d{4}\z/
+    UUID = /\A
+            (?:[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}
+            | 00000000-0000-0000-0000-000000000000
+            | ffffffff-ffff-ffff-ffff-ffffffffffff
+            )\z/ix
+    ULID = /\A[0-9A-HJKMNP-TV-Z]{26}\z/i
+    OBJECT_ID = /\A[0-9a-f]{24}\z/i
+    EMAIL = /\A
+              [a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+
+              @
+              [a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?
+              (?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*
+            \z/x
+    IP = ->(segment) {
+      IPAddr::RE_IPV4ADDRLIKE.match?(segment) ||
+        IPAddr::RE_IPV6ADDRLIKE_COMPRESSED.match?(segment) ||
+        IPAddr::RE_IPV6ADDRLIKE_FULL.match?(segment)
+    }
+    HASH = ->(segment) { [32, 40, 64, 128].include?(segment.size) && HEX === segment }
+
+    class SecretMatcher
+      # Decides if a given string looks random enough to be a "secret".
+      #
+      # @param candidate [String]
+      # @return [Boolean]
+      def self.===(candidate)
+        new(candidate).matches?
+      end
+
+      private def initialize(string)
+        @string = string
+      end
+
+      def matches?
+        return false if @string.size <= MIN_LENGTH
+        return false if SEPARATORS === @string
+        return false unless DIGIT === @string
+        return false if [LOWER, UPPER, SPECIAL].none? { |pattern| pattern === @string }
+
+        ratios = @string.chars.each_cons(MIN_LENGTH).map do |window|
+          window.to_set.size / MIN_LENGTH.to_f
+        end
+
+        ratios.sum / ratios.size > SECRET_THRESHOLD
+      end
+
+      MIN_LENGTH = 10
+      SECRET_THRESHOLD = 0.75
+
+      LOWER = /[[:lower:]]/
+      UPPER = /[[:upper:]]/
+      DIGIT = /[[:digit:]]/
+      SPECIAL = /[!#\$%^&*|;:<>]/
+      SEPARATORS = /[[:space:]]|-/
+    end
+  end
+end

data/lib/aikido/zen/request/rails_router.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require_relative "../route"
+require_relative "../request"
+
+module Aikido::Zen
+  # The Rails router relies on introspecting the routes defined in the Rails
+  # app to match the current request to the correct route, building Route
+  # objects that have the exact pattern defined by the developer, rather than
+  # a heuristic approximation.
+  #
+  # For example, given the following route definitions:
+  #
+  #   resources :posts do
+  #     resources :comments
+  #   end
+  #
+  # The router will map a request to "/posts/123/comments/234" to
+  # "/posts/:post_id/comments/:id(.:format)".
+  #
+  # @see Aikido::Zen::Router::HeuristicRouter
+  class Request::RailsRouter
+    def initialize(route_set)
+      @route_set = route_set
+    end
+
+    def recognize(request)
+      recognize_in_route_set(request, @route_set)
+    end
+
+    private def recognize_in_route_set(request, route_set, prefix: nil)
+      route_set.router.recognize(request) do |route, _|
+        app = route.app
+        next unless app.matches?(request)
+
+        if app.dispatcher?
+          return build_route(route, request, prefix: prefix)
+        end
+
+        if app.engine?
+          # If the SCRIPT_NAME has any path parameters, we want those to be
+          # captured by the router. (eg `mount API => "/api/:version/`)
+          prefix = ActionDispatch::Routing::RouteWrapper.new(route).path
+          return recognize_in_route_set(request, app.rack_app.routes, prefix: prefix)
+        end
+
+        if app.rack_app.respond_to?(:redirect?) && app.rack_app.redirect?
+          return build_route(route, request, prefix: prefix)
+        end
+
+        # At this point we're matching plain Rack apps, where Rails does not
+        # remove the SCRIPT_NAME from PATH_INFO, so we should avoid adding
+        # SCRIPT_NAME twice.
+        return build_route(route, request, prefix: nil)
+      end
+
+      nil
+    end
+
+    private def build_route(route, request, prefix: request.script_name)
+      route_wrapper = ActionDispatch::Routing::RouteWrapper.new(route)
+
+      path = if prefix.present?
+        File.join(prefix.to_s, route_wrapper.path).chomp("/")
+      else
+        route_wrapper.path
+      end
+
+      Aikido::Zen::Route.new(verb: request.request_method, path: path)
+    end
+  end
+end

data/lib/aikido/zen/request/schema/auth_discovery.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require_relative "auth_schemas"
+
+module Aikido::Zen
+  class Request::Schema
+    class AuthDiscovery
+      def initialize(context)
+        @context = context
+      end
+
+      def schemas
+        schemas = []
+        schemas << extract_from_authorization_header if headers["Authorization"]
+        schemas.concat(extract_from_headers)
+        schemas.concat(extract_from_cookies)
+
+        AuthSchemas.new(schemas)
+      end
+
+      private
+
+      def extract_from_authorization_header
+        type, _ = headers["Authorization"].to_s.split(/\s+/, 2)
+
+        if AUTHORIZATION_SCHEMES.include?(type.to_s.downcase)
+          AuthSchemas::Authorization.new(type)
+        else
+          AuthSchemas::ApiKey.new(:header, "Authorization")
+        end
+      end
+
+      def extract_from_headers
+        (headers.keys & COMMON_API_KEY_HEADERS)
+          .map { |header| AuthSchemas::ApiKey.new(:header, header) }
+      end
+
+      def extract_from_cookies
+        cookie_names = @context.payload_sources[:cookie].keys.map(&:downcase)
+
+        (cookie_names & COMMON_COOKIE_NAMES)
+          .map { |cookie| AuthSchemas::ApiKey.new(:cookie, cookie) }
+      end
+
+      def headers
+        @context.request.normalized_headers
+      end
+
+      AUTHORIZATION_SCHEMES = %w[
+        basic
+        bearer
+        digest
+        dpop
+        gnap
+        hoba
+        mutal
+        negotiate
+        privatetoken
+        scram-sha-1
+        scram-sha-256
+        vapid
+      ].freeze
+
+      COMMON_API_KEY_HEADERS = %w[
+        Apikey
+        Api-Key
+        Token
+        X-Api-Key
+        X-Token
+      ]
+
+      COMMON_COOKIE_NAMES = %w[
+        user_id
+        auth
+        session
+        jwt
+        token
+        sid
+        connect.sid
+        auth_token
+        access_token
+        refresh_token
+      ]
+    end
+  end
+end

data/lib/aikido/zen/request/schema/auth_schemas.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  class Request::Schema
+    class AuthSchemas
+      attr_reader :schemas
+
+      def initialize(schemas)
+        @schemas = schemas
+      end
+
+      def merge(other)
+        self.class.new((schemas + other.schemas).uniq)
+      end
+      alias_method :|, :merge
+
+      def as_json
+        @schemas.map(&:as_json) unless @schemas.empty?
+      end
+
+      def self.from_json(schemas_array)
+        return NONE if !schemas_array || schemas_array.empty?
+
+        AuthSchemas.new(schemas_array.map do |schema|
+          if schema[:type] == "http"
+            Authorization.new(schema[:scheme])
+          elsif schema[:type] == "apiKey"
+            ApiKey.new(schema[:in], schema[:name])
+          else
+            raise "Invalid schema type: #{schema[:type]}"
+          end
+        end)
+      end
+
+      def ==(other)
+        other.is_a?(self.class) && schemas == other.schemas
+      end
+
+      NONE = new([])
+
+      Authorization = Struct.new(:scheme) do
+        def as_json
+          {type: "http", scheme: scheme.downcase}
+        end
+      end
+
+      ApiKey = Struct.new(:location, :name) do
+        def as_json
+          {type: "apiKey", in: location, name: name}.compact
+        end
+      end
+    end
+  end
+end