aikido-zen 1.0.1.beta.3-x86_64-darwin → 1.0.1.beta.5-x86_64-darwin

data/lib/aikido/zen/sinks/file.rb

@@ -3,18 +3,6 @@
 module Aikido::Zen
   module Sinks
     module File
-      def self.load_sinks!
-        # Create a copy of the original method for internal use only to prevent
-        # recursion in PathTraversalScanner.
-        #
-        # IMPORTANT: The alias must be created before the method is overridden,
-        # when the extensions are prepended.
-        ::File.singleton_class.alias_method(:expand_path__internal_for_aikido_zen, :expand_path)
-
-        ::File.singleton_class.prepend(FileClassExtensions)
-        ::File.prepend(FileExtensions)
-      end
-
       SINK = Sinks.add("File", scanners: [Scanners::PathTraversalScanner])
 
       module Helpers
@@ -26,87 +14,95 @@ module Aikido::Zen
         end
       end
 
-      module FileClassExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        ::File.singleton_class.class_eval do
+          extend Sinks::DSL
 
-        sink_before :open do |path|
-          Helpers.scan(path, "open")
-        end
+          # Create a copy of the original method for internal use only to prevent
+          # recursion in PathTraversalScanner.
+          #
+          # IMPORTANT: The alias must be created before the method is overridden.
+          alias_method :expand_path__internal_for_aikido_zen, :expand_path
 
-        sink_before :read do |path|
-          Helpers.scan(path, "read")
-        end
+          sink_before :open do |path|
+            Helpers.scan(path, "open")
+          end
 
-        sink_before :write do |path|
-          Helpers.scan(path, "write")
-        end
+          sink_before :read do |path|
+            Helpers.scan(path, "read")
+          end
 
-        sink_before :truncate do |file_name|
-          Helpers.scan(file_name, "truncate")
-        end
+          sink_before :write do |path|
+            Helpers.scan(path, "write")
+          end
 
-        sink_before :rename do |old_name, new_name|
-          Helpers.scan(old_name, "rename")
-          Helpers.scan(new_name, "rename")
-        end
+          sink_before :truncate do |file_name|
+            Helpers.scan(file_name, "truncate")
+          end
 
-        sink_before :unlink do |*file_names|
-          file_names.each do |file_name|
-            Helpers.scan(file_name, "unlink")
+          sink_before :rename do |old_name, new_name|
+            Helpers.scan(old_name, "rename")
+            Helpers.scan(new_name, "rename")
           end
-        end
 
-        sink_before :delete do |*file_names|
-          file_names.each do |file_name|
-            Helpers.scan(file_name, "delete")
+          sink_before :unlink do |*file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "unlink")
+            end
           end
-        end
 
-        sink_before :symlink do |old_name, new_name|
-          Helpers.scan(old_name, "symlink")
-          Helpers.scan(new_name, "symlink")
-        end
+          sink_before :delete do |*file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "delete")
+            end
+          end
 
-        sink_before :chmod do |_mode_int, *file_names|
-          file_names.each do |file_name|
-            Helpers.scan(file_name, "chmod")
+          sink_before :symlink do |old_name, new_name|
+            Helpers.scan(old_name, "symlink")
+            Helpers.scan(new_name, "symlink")
           end
-        end
 
-        sink_before :chown do |_owner_int, group_int, *file_names|
-          file_names.each do |file_name|
-            Helpers.scan(file_name, "chown")
+          sink_before :chmod do |_mode_int, *file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "chmod")
+            end
           end
-        end
 
-        sink_before :utime do |_atime, _mtime, *file_names|
-          file_names.each do |file_name|
-            Helpers.scan(file_name, "utime")
+          sink_before :chown do |_owner_int, group_int, *file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "chown")
+            end
           end
-        end
 
-        sink_after :join do |result|
-          Helpers.scan(result, "join")
-        end
+          sink_before :utime do |_atime, _mtime, *file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "utime")
+            end
+          end
 
-        sink_before :expand_path do |file_name|
-          Helpers.scan(file_name, "expand_path")
-        end
+          sink_after :join do |result|
+            Helpers.scan(result, "join")
+          end
 
-        sink_before :realpath do |file_name|
-          Helpers.scan(file_name, "realpath")
-        end
+          sink_before :expand_path do |file_name|
+            Helpers.scan(file_name, "expand_path")
+          end
+
+          sink_before :realpath do |file_name|
+            Helpers.scan(file_name, "realpath")
+          end
 
-        sink_before :realdirpath do |file_name|
-          Helpers.scan(file_name, "realdirpath")
+          sink_before :realdirpath do |file_name|
+            Helpers.scan(file_name, "realdirpath")
+          end
         end
-      end
 
-      module FileExtensions
-        extend Sinks::DSL
+        ::File.class_eval do
+          extend Sinks::DSL
 
-        sink_before :initialize do |path|
-          Helpers.scan(path, "new")
+          sink_before :initialize do |path|
+            Helpers.scan(path, "new")
+          end
         end
       end
     end

data/lib/aikido/zen/sinks/http.rb

@@ -6,14 +6,6 @@ require_relative "../outbound_connection_monitor"
 module Aikido::Zen
   module Sinks
     module HTTP
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "http", ">= 1.0"
-          require "http"
-
-          ::HTTP::Client.prepend(ClientExtensions)
-        end
-      end
-
       SINK = Sinks.add("http", scanners: [
         Scanners::SSRFScanner,
         OutboundConnectionMonitor
@@ -59,33 +51,39 @@ module Aikido::Zen
         end
       end
 
-      module ClientExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "http", ">= 1.0"
+          require "http"
 
-        sink_around :perform do |super_call, req|
-          wrapped_request = Helpers.wrap_request(req)
+          ::HTTP::Client.class_eval do
+            extend Sinks::DSL
 
-          # Store the request information so the DNS sinks can pick it up.
-          context = Aikido::Zen.current_context
-          if context
-            prev_request = context["ssrf.request"]
-            context["ssrf.request"] = wrapped_request
-          end
+            sink_around :perform do |original_call, req|
+              wrapped_request = Helpers.wrap_request(req)
 
-          connection = Helpers.build_outbound(req)
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
 
-          Helpers.scan(wrapped_request, connection, "request")
+              connection = Helpers.build_outbound(req)
 
-          response = super_call.call
+              Helpers.scan(wrapped_request, connection, "request")
 
-          Scanners::SSRFScanner.track_redirects(
-            request: wrapped_request,
-            response: Helpers.wrap_response(response)
-          )
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(response)
+              )
 
-          response
-        ensure
-          context["ssrf.request"] = prev_request if context
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
         end
       end
     end

data/lib/aikido/zen/sinks/httpclient.rb

@@ -6,14 +6,6 @@ require_relative "../outbound_connection_monitor"
 module Aikido::Zen
   module Sinks
     module HTTPClient
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "httpclient", ">= 2.0"
-          require "httpclient"
-
-          ::HTTPClient.prepend(HTTPClient::HTTPClientExtensions)
-        end
-      end
-
       SINK = Sinks.add("httpclient", scanners: [
         Scanners::SSRFScanner,
         OutboundConnectionMonitor
@@ -66,28 +58,34 @@ module Aikido::Zen
         end
       end
 
-      module HTTPClientExtensions
-        extend Sinks::DSL
-
-        private
-
-        sink_around :do_get_block do |super_call, req|
-          Helpers.sink(req, &super_call)
-        end
-
-        sink_around :do_get_stream do |super_call, req|
-          Helpers.sink(req, &super_call)
-        end
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "httpclient", ">= 2.0"
+          require "httpclient"
 
-        sink_after :do_get_header do |_result, req, res, _sess|
-          # Code coverage is disabled here because `do_get_header` is not called,
-          # because WebMock does not mock it.
-          # :nocov:
-          Scanners::SSRFScanner.track_redirects(
-            request: Helpers.wrap_request(req),
-            response: Helpers.wrap_response(res)
-          )
-          # :nocov:
+          ::HTTPClient.class_eval do
+            extend Sinks::DSL
+
+            private
+
+            sink_around :do_get_block do |original_call, req|
+              Helpers.sink(req, &original_call)
+            end
+
+            sink_around :do_get_stream do |original_call, req|
+              Helpers.sink(req, &original_call)
+            end
+
+            sink_after :do_get_header do |_result, req, res, _sess|
+              # Code coverage is disabled here because `do_get_header` is not called,
+              # because WebMock does not mock it.
+              # :nocov:
+              Scanners::SSRFScanner.track_redirects(
+                request: Helpers.wrap_request(req),
+                response: Helpers.wrap_response(res)
+              )
+              # :nocov:
+            end
+          end
         end
       end
     end

data/lib/aikido/zen/sinks/httpx.rb

@@ -6,14 +6,6 @@ require_relative "../outbound_connection_monitor"
 module Aikido::Zen
   module Sinks
     module HTTPX
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "httpx", ">= 1.1.3"
-          require "httpx"
-
-          ::HTTPX::Session.prepend(HTTPX::SessionExtensions)
-        end
-      end
-
       SINK = Sinks.add("httpx", scanners: [
         Scanners::SSRFScanner,
         OutboundConnectionMonitor
@@ -44,33 +36,39 @@ module Aikido::Zen
         end
       end
 
-      module SessionExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "httpx", ">= 1.1.3"
+          require "httpx"
 
-        sink_around :send_request do |super_call, request|
-          wrapped_request = Helpers.wrap_request(request)
+          ::HTTPX::Session.class_eval do
+            extend Sinks::DSL
 
-          # Store the request information so the DNS sinks can pick it up.
-          context = Aikido::Zen.current_context
-          if context
-            prev_request = context["ssrf.request"]
-            context["ssrf.request"] = wrapped_request
-          end
+            sink_around :send_request do |original_call, request|
+              wrapped_request = Helpers.wrap_request(request)
 
-          connection = OutboundConnection.from_uri(request.uri)
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
 
-          Helpers.scan(wrapped_request, connection, "request")
+              connection = OutboundConnection.from_uri(request.uri)
 
-          request.on(:response) do |response|
-            Scanners::SSRFScanner.track_redirects(
-              request: wrapped_request,
-              response: Helpers.wrap_response(response)
-            )
-          end
+              Helpers.scan(wrapped_request, connection, "request")
+
+              request.on(:response) do |response|
+                Scanners::SSRFScanner.track_redirects(
+                  request: wrapped_request,
+                  response: Helpers.wrap_response(response)
+                )
+              end
 
-          super_call.call
-        ensure
-          context["ssrf.request"] = prev_request if context
+              original_call.call
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
         end
       end
     end

data/lib/aikido/zen/sinks/kernel.rb

@@ -3,11 +3,6 @@
 module Aikido::Zen
   module Sinks
     module Kernel
-      def self.load_sinks!
-        ::Kernel.singleton_class.prepend(KernelExtensions)
-        ::Kernel.prepend(KernelExtensions)
-      end
-
       SINK = Sinks.add("Kernel", scanners: [Scanners::ShellInjectionScanner])
 
       module Helpers
@@ -16,14 +11,18 @@ module Aikido::Zen
         end
       end
 
-      module KernelExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        [::Kernel.singleton_class, ::Kernel].each do |klass|
+          klass.class_eval do
+            extend Sinks::DSL
 
-        %i[system spawn].each do |method_name|
-          sink_before method_name do |*args|
-            # Remove the optional environment argument before the command-line.
-            args.shift if args.first.is_a?(Hash)
-            Helpers.scan(args.first, method_name)
+            %i[system spawn].each do |method_name|
+              sink_before method_name do |*args|
+                # Remove the optional environment argument before the command-line.
+                args.shift if args.first.is_a?(Hash)
+                Helpers.scan(args.first, method_name)
+              end
+            end
           end
         end
       end

data/lib/aikido/zen/sinks/mysql2.rb

@@ -3,14 +3,6 @@
 module Aikido::Zen
   module Sinks
     module Mysql2
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "mysql2"
-          require "mysql2"
-
-          ::Mysql2::Client.prepend(ClientExtensions)
-        end
-      end
-
       SINK = Sinks.add("mysql2", scanners: [Scanners::SQLInjectionScanner])
 
       module Helpers
@@ -19,11 +11,17 @@ module Aikido::Zen
         end
       end
 
-      module ClientExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "mysql2"
+          require "mysql2"
+
+          ::Mysql2::Client.class_eval do
+            extend Sinks::DSL
 
-        sink_before :query do |sql|
-          Helpers.scan(sql, "query")
+            sink_before :query do |sql|
+              Helpers.scan(sql, "query")
+            end
+          end
         end
       end
     end

data/lib/aikido/zen/sinks/net_http.rb

@@ -7,13 +7,6 @@ module Aikido::Zen
   module Sinks
     module Net
       module HTTP
-        def self.load_sinks!
-          # In stdlib but not always required
-          require "net/http"
-
-          ::Net::HTTP.prepend(Net::HTTP::HTTPExtensions)
-        end
-
         SINK = Sinks.add("net-http", scanners: [
           Scanners::SSRFScanner,
           OutboundConnectionMonitor
@@ -66,33 +59,38 @@ module Aikido::Zen
           end
         end
 
-        module HTTPExtensions
-          extend Sinks::DSL
+        def self.load_sinks!
+          # In stdlib but not always required
+          require "net/http"
 
-          sink_around :request do |super_call, req|
-            wrapped_request = Helpers.wrap_request(req, self)
+          ::Net::HTTP.class_eval do
+            extend Sinks::DSL
 
-            # Store the request information so the DNS sinks can pick it up.
-            context = Aikido::Zen.current_context
-            if context
-              prev_request = context["ssrf.request"]
-              context["ssrf.request"] = wrapped_request
-            end
+            sink_around :request do |original_call, req|
+              wrapped_request = Helpers.wrap_request(req, self)
 
-            connection = Helpers.build_outbound(self)
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
 
-            Helpers.scan(wrapped_request, connection, "request")
+              connection = Helpers.build_outbound(self)
 
-            response = super_call.call
+              Helpers.scan(wrapped_request, connection, "request")
 
-            Scanners::SSRFScanner.track_redirects(
-              request: wrapped_request,
-              response: Helpers.wrap_response(response)
-            )
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(response)
+              )
 
-            response
-          ensure
-            context["ssrf.request"] = prev_request if context
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
           end
         end
       end

data/lib/aikido/zen/sinks/patron.rb

@@ -6,14 +6,6 @@ require_relative "../outbound_connection_monitor"
 module Aikido::Zen
   module Sinks
     module Patron
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "patron", ">= 0.6.4"
-          require "patron"
-
-          ::Patron::Session.prepend(SessionExtensions)
-        end
-      end
-
       SINK = Sinks.add("patron", scanners: [
         Scanners::SSRFScanner,
         OutboundConnectionMonitor
@@ -44,58 +36,64 @@ module Aikido::Zen
         end
       end
 
-      module SessionExtensions
-        extend Sinks::DSL
-
-        sink_around :handle_request do |super_call, request|
-          wrapped_request = Scanners::SSRFScanner::Request.new(
-            verb: request.action,
-            uri: URI(request.url),
-            headers: request.headers
-          )
-
-          # Store the request information so the DNS sinks can pick it up.
-          context = Aikido::Zen.current_context
-          if context
-            prev_request = context["ssrf.request"]
-            context["ssrf.request"] = wrapped_request
-          end
-
-          connection = OutboundConnection.from_uri(URI(request.url))
-
-          Helpers.scan(wrapped_request, connection, "request")
-
-          response = super_call.call
-
-          Scanners::SSRFScanner.track_redirects(
-            request: wrapped_request,
-            response: Helpers.wrap_response(request, response)
-          )
-
-          # When libcurl has follow_location set, it will handle redirections
-          # internally, and expose the response.url as the URI that was last
-          # requested in the redirect chain.
-          #
-          # In this case, we can't actually stop the request from happening, but
-          # we can scan again (now that we know another request happened), to
-          # stop the response from being exposed to the user. This downgrades
-          # the SSRF into a blind SSRF, which is better than doing nothing.
-          if request.url != response.url && !response.url.to_s.empty?
-            last_effective_request = Scanners::SSRFScanner::Request.new(
-              verb: request.action,
-              uri: URI(response.url),
-              headers: request.headers
-            )
-            context["ssrf.request"] = last_effective_request if context
-
-            connection = OutboundConnection.from_uri(URI(response.url))
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "patron", ">= 0.6.4"
+          require "patron"
 
-            Helpers.scan(last_effective_request, connection, "request")
+          ::Patron::Session.class_eval do
+            extend Sinks::DSL
+
+            sink_around :handle_request do |original_call, request|
+              wrapped_request = Scanners::SSRFScanner::Request.new(
+                verb: request.action,
+                uri: URI(request.url),
+                headers: request.headers
+              )
+
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
+
+              connection = OutboundConnection.from_uri(URI(request.url))
+
+              Helpers.scan(wrapped_request, connection, "request")
+
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(request, response)
+              )
+
+              # When libcurl has follow_location set, it will handle redirections
+              # internally, and expose the response.url as the URI that was last
+              # requested in the redirect chain.
+              #
+              # In this case, we can't actually stop the request from happening, but
+              # we can scan again (now that we know another request happened), to
+              # stop the response from being exposed to the user. This downgrades
+              # the SSRF into a blind SSRF, which is better than doing nothing.
+              if request.url != response.url && !response.url.to_s.empty?
+                last_effective_request = Scanners::SSRFScanner::Request.new(
+                  verb: request.action,
+                  uri: URI(response.url),
+                  headers: request.headers
+                )
+                context["ssrf.request"] = last_effective_request if context
+
+                connection = OutboundConnection.from_uri(URI(response.url))
+
+                Helpers.scan(last_effective_request, connection, "request")
+              end
+
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
           end
-
-          response
-        ensure
-          context["ssrf.request"] = prev_request if context
         end
       end
     end