aikido-zen 1.0.1.beta.3 → 1.0.1.beta.5

data/lib/aikido/zen/sinks/pg.rb

@@ -3,14 +3,6 @@
 module Aikido::Zen
   module Sinks
     module PG
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "pg", ">= 1.0"
-          require "pg"
-
-          ::PG::Connection.prepend(PG::ConnectionExtensions)
-        end
-      end
-
       SINK = Sinks.add("pg", scanners: [Scanners::SQLInjectionScanner])
 
       module Helpers
@@ -43,26 +35,32 @@ module Aikido::Zen
         end
       end
 
-      module ConnectionExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "pg", ">= 1.0"
+          require "pg"
 
-        %i[
-          send_query exec sync_exec async_exec
-          send_query_params exec_params sync_exec_params async_exec_params
-        ].each do |method_name|
-          presafe_sink_before method_name do |query|
-            Helpers.safe do
-              Helpers.scan(query, method_name)
+          ::PG::Connection.class_eval do
+            extend Sinks::DSL
+
+            %i[
+              send_query exec sync_exec async_exec
+              send_query_params exec_params sync_exec_params async_exec_params
+            ].each do |method_name|
+              presafe_sink_before method_name do |query|
+                Helpers.safe do
+                  Helpers.scan(query, method_name)
+                end
+              end
             end
-          end
-        end
 
-        %i[
-          send_prepare prepare async_prepare sync_prepare
-        ].each do |method_name|
-          presafe_sink_before method_name do |_, query|
-            Helpers.safe do
-              Helpers.scan(query, method_name)
+            %i[
+              send_prepare prepare async_prepare sync_prepare
+            ].each do |method_name|
+              presafe_sink_before method_name do |_, query|
+                Helpers.safe do
+                  Helpers.scan(query, method_name)
+                end
+              end
             end
           end
         end

data/lib/aikido/zen/sinks/resolv.rb

@@ -6,13 +6,6 @@ require_relative "../scanners/ssrf_scanner"
 module Aikido::Zen
   module Sinks
     module Resolv
-      def self.load_sinks!
-        # In stdlib but not always required
-        require "resolv"
-
-        ::Resolv.prepend(ResolvExtensions)
-      end
-
       SINK = Sinks.add("resolv", scanners: [
         Scanners::StoredSSRFScanner,
         Scanners::SSRFScanner
@@ -35,23 +28,30 @@ module Aikido::Zen
         end
       end
 
-      module ResolvExtensions
-        def each_address(*args, **kwargs, &blk)
-          # each_address is defined "manually" because no sink method pattern
-          # is applicable.
+      def self.load_sinks!
+        # In stdlib but not always required
+        require "resolv"
 
-          name, = args
+        ::Resolv.class_eval do
+          alias_method :each_address__internal_for_aikido_zen, :each_address
 
-          addresses = []
-          super(*args, **kwargs) do |address| # rubocop:disable Style/SuperArguments
-            addresses << address
-            blk.call(address)
-          end
-        ensure
-          # Ensure partial results are scanned.
+          def each_address(*args, **kwargs, &blk)
+            # each_address is defined "manually" because no sink method pattern
+            # is applicable.
+
+            name, = args
+
+            addresses = []
+            each_address__internal_for_aikido_zen(*args, **kwargs) do |address|
+              addresses << address
+              blk.call(address)
+            end
+          ensure
+            # Ensure partial results are scanned.
 
-          Sinks::DSL.safe do
-            Helpers.scan(name, addresses, "lookup")
+            Sinks::DSL.safe do
+              Helpers.scan(name, addresses, "lookup")
+            end
           end
         end
       end

data/lib/aikido/zen/sinks/socket.rb

@@ -10,10 +10,6 @@ module Aikido::Zen
     # there's no way to access the internal DNS resolution that happens in C
     # when using the socket primitives.
     module Socket
-      def self.load_sinks!
-        ::IPSocket.singleton_class.prepend(Socket::IPSocketExtensions)
-      end
-
       SINK = Sinks.add("socket", scanners: [
         Scanners::StoredSSRFScanner,
         Scanners::SSRFScanner
@@ -62,15 +58,17 @@ module Aikido::Zen
         end
       end
 
-      module IPSocketExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        ::IPSocket.singleton_class.class_eval do
+          extend Sinks::DSL
 
-        sink_after :open do |socket, remote_host|
-          # Code coverage is disabled here because the tests are contrived and
-          # intentionally do not call open.
-          # :nocov:
-          Helpers.scan(remote_host, socket, "open")
-          # :nocov:
+          sink_after :open do |socket, remote_host|
+            # Code coverage is disabled here because the tests are contrived and
+            # intentionally do not call open.
+            # :nocov:
+            Helpers.scan(remote_host, socket, "open")
+            # :nocov:
+          end
         end
       end
     end

data/lib/aikido/zen/sinks/sqlite3.rb

@@ -3,15 +3,6 @@
 module Aikido::Zen
   module Sinks
     module SQLite3
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "sqlite3", ">= 1.0"
-          require "sqlite3"
-
-          ::SQLite3::Database.prepend(DatabaseExtensions)
-          ::SQLite3::Statement.prepend(StatementExtensions)
-        end
-      end
-
       SINK = Sinks.add("sqlite3", scanners: [Scanners::SQLInjectionScanner])
 
       module Helpers
@@ -24,22 +15,28 @@ module Aikido::Zen
         end
       end
 
-      module DatabaseExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "sqlite3", ">= 1.0"
+          require "sqlite3"
 
-        private
+          ::SQLite3::Database.class_eval do
+            extend Sinks::DSL
 
-        # SQLite3::Database#exec_batch is an internal native private method.
-        sink_before :exec_batch do |sql|
-          Helpers.scan(sql, "exec_batch")
-        end
-      end
+            private
+
+            # SQLite3::Database#exec_batch is an internal native private method.
+            sink_before :exec_batch do |sql|
+              Helpers.scan(sql, "exec_batch")
+            end
+          end
 
-      module StatementExtensions
-        extend Sinks::DSL
+          ::SQLite3::Statement.class_eval do
+            extend Sinks::DSL
 
-        sink_before :initialize do |_db, sql|
-          Helpers.scan(sql, "statement.execute")
+            sink_before :initialize do |_db, sql|
+              Helpers.scan(sql, "statement.execute")
+            end
+          end
         end
       end
     end

data/lib/aikido/zen/sinks/trilogy.rb

@@ -3,14 +3,6 @@
 module Aikido::Zen
   module Sinks
     module Trilogy
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "trilogy", ">= 2.0"
-          require "trilogy"
-
-          ::Trilogy.prepend(TrilogyExtensions)
-        end
-      end
-
       SINK = Sinks.add("trilogy", scanners: [Scanners::SQLInjectionScanner])
 
       module Helpers
@@ -19,11 +11,17 @@ module Aikido::Zen
         end
       end
 
-      module TrilogyExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "trilogy", ">= 2.0"
+          require "trilogy"
+
+          ::Trilogy.class_eval do
+            extend Sinks::DSL
 
-        sink_before :query do |query|
-          Helpers.scan(query, "query")
+            sink_before :query do |query|
+              Helpers.scan(query, "query")
+            end
+          end
         end
       end
     end

data/lib/aikido/zen/sinks.rb

@@ -9,10 +9,7 @@ require_relative "sinks_dsl"
 
 require_relative "sinks/action_controller" if defined?(::ActionController)
 
-# Sadly, in ruby versions lower than 3.0, it's not possible to patch the
-# Kernel module because how the `prepend` method is applied
-# (https://stackoverflow.com/questions/78110397/prepend-kernel-module-function-globally#comment137713906_78112924)
-require_relative "sinks/kernel" if RUBY_VERSION >= "3.0"
+require_relative "sinks/kernel"
 
 require_relative "sinks/file"
 require_relative "sinks/socket"

data/lib/aikido/zen/sinks_dsl.rb

@@ -109,10 +109,14 @@ module Aikido::Zen
       #
       # @return [void]
       def presafe_sink_before(method_name, &block)
+        original = instance_method(method_name)
+
         define_method(method_name) do |*args, **kwargs, &blk|
           instance_exec(*args, **kwargs, &block)
-          super(*args, **kwargs, &blk)
+          original.bind_call(self, *args, **kwargs, &blk)
         end
+      rescue NameError
+        Aikido::Zen.config.logger.warn("cannot wrap method `#{method_name}' for class `#{self}'")
       end
 
       # Define a method `method_name` that safely executes the given block before
@@ -145,11 +149,15 @@ module Aikido::Zen
       #
       # @return [void]
       def presafe_sink_after(method_name, &block)
+        original = instance_method(method_name)
+
         define_method(method_name) do |*args, **kwargs, &blk|
-          result = super(*args, **kwargs, &blk)
+          result = original.bind_call(self, *args, **kwargs, &blk)
           instance_exec(result, *args, **kwargs, &block)
           result
         end
+      rescue NameError
+        Aikido::Zen.config.logger.warn("cannot wrap method `#{method_name}' for class `#{self}'")
       end
 
       # Define a method `method_name` that safely executes the given block after
@@ -177,20 +185,24 @@ module Aikido::Zen
       #
       # @param method_name [Symbol, String] the name of the method to define
       # @yield the block to execute around the original method
-      # @yieldparam super_call [Proc] the proc that calls the original method
+      # @yieldparam original_call [Proc] the proc that calls the original method
       # @yieldparam args [Array] the positional arguments passed to the original method
       # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
       #
       # @return [void]
       def presafe_sink_around(method_name, &block)
+        original = instance_method(method_name)
+
         define_method(method_name) do |*args, **kwargs, &blk|
           result = nil
-          super_call = proc do
-            result = super(*args, **kwargs, &blk)
+          original_call = proc do
+            result = original.bind_call(self, *args, **kwargs, &blk)
           end
-          instance_exec(super_call, *args, **kwargs, &block)
+          instance_exec(original_call, *args, **kwargs, &block)
           result
         end
+      rescue NameError
+        Aikido::Zen.config.logger.warn("cannot wrap method `#{method_name}' for class `#{self}'")
       end
 
       # Define a method `method_name` that safely executes the given block around
@@ -198,27 +210,27 @@ module Aikido::Zen
       #
       # @param method_name [Symbol, String] the name of the method to define
       # @yield the block to execute around the original method
-      # @yieldparam super_call [Proc] the proc that calls the original method
+      # @yieldparam original_call [Proc] the proc that calls the original method
       # @yieldparam args [Array] the positional arguments passed to the original method
       # @yieldparam kwargs [Hash] the keyword arguments passed to the original method
       #
       # @return [void]
       #
       # @note the block is executed within `safe` to handle errors safely; the original method is executed within `presafe` to preserve the original behavior
-      # @note if the block does not call `super_call`, the original method is called automatically after the block is executed
+      # @note if the block does not call `original_call`, the original method is called automatically after the block is executed
       def sink_around(method_name, &block)
-        presafe_sink_around(method_name) do |presafe_super_call, *args, **kwargs|
-          super_called = false
-          super_call = proc do
-            super_called = true
+        presafe_sink_around(method_name) do |presafe_original_call, *args, **kwargs|
+          original_called = false
+          original_call = proc do
+            original_called = true
             DSL.presafe do
-              presafe_super_call.call
+              presafe_original_call.call
             end
           end
           DSL.safe do
-            instance_exec(super_call, *args, **kwargs, &block)
+            instance_exec(original_call, *args, **kwargs, &block)
           end
-          presafe_super_call.call unless super_called
+          presafe_original_call.call unless original_called
         end
       end
     end

data/lib/aikido/zen/version.rb

@@ -2,7 +2,7 @@
 
 module Aikido
   module Zen
-    VERSION = "1.0.1.beta.3"
+    VERSION = "1.0.1.beta.5"
 
     # The version of libzen_internals that we build against.
     LIBZEN_VERSION = "0.1.39"

data/lib/aikido/zen.rb

@@ -1,8 +1,5 @@
 # frozen_string_literal: true
 
-# IMPORTANT: Any files that load sinks or start the Aikido Agent should
-# be required in `Aikido::Zen.protect!`.
-
 require_relative "zen/version"
 require_relative "zen/errors"
 require_relative "zen/actor"
@@ -29,6 +26,9 @@ module Aikido
     # Enable protection. Until this method is called no sinks are loaded
     # and the Aikido Agent does not start.
     #
+    # This method should be called only once, in the application after the
+    # initialization process is complete.
+    #
     # @return [void]
     def self.protect!
       if config.disabled?
@@ -36,16 +36,14 @@ module Aikido
         return
       end
 
-      # IMPORTANT: Any files that load sinks or start the Aikido Agent
-      # should be required here only.
+      return unless config.protect?
 
-      if Aikido::Zen.satisfy "rails", ">= 7.0"
-        require_relative "zen/rails_engine"
+      unless load_sources! && load_sinks!
+        config.logger.warn("Zen could not find any supported libraries or frameworks. Visit https://github.com/AikidoSec/firewall-ruby for more information.")
+        return
       end
 
-      if Aikido::Zen::Sinks.registry.empty?
-        warn "Zen could not find any supported libraries or frameworks. Visit https://github.com/AikidoSec/firewall-ruby for more information."
-      end
+      middleware_installed!
     end
 
     # @!visibility private
@@ -173,15 +171,28 @@ module Aikido
       collector.middleware_installed!
     end
 
-    # Load all sinks matching libraries loaded into memory. This method should
-    # be called after all other dependencies have been loaded into memory (i.e.
-    # at the end of the initialization process).
+    # @!visibility private
+    # Load all sources.
     #
-    # If a new gem is required, this method can be called again safely.
+    # @return [Boolean] true if any sources were loaded
+    def self.load_sources!
+      if Aikido::Zen.satisfy("rails", ">= 7.0")
+        require_relative "zen/rails_engine"
+
+        return true
+      end
+
+      false
+    end
+
+    # @!visibility private
+    # Load all sinks.
     #
-    # @return [void]
+    # @return [Boolean] true if any sinks were loaded
     def self.load_sinks!
       require_relative "zen/sinks"
+
+      !Aikido::Zen::Sinks.registry.empty?
     end
 
     # @!visibility private

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 1.0.1.beta.3
+  version: 1.0.1.beta.5
 platform: ruby
 authors:
 - Aikido Security
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-08-06 00:00:00.000000000 Z
+date: 2025-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby