aikido-zen 1.0.1.beta.4-arm64-darwin → 1.0.2-arm64-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6c66564923e176dbd2c62b0eae1b21dfac39664f8e73167b224c20c856641e8f
-  data.tar.gz: 4d460e0ed84ae6b538b710cdec96934029e4d72bd51bb38744b98644725c5702
+  metadata.gz: 2927d99621ac205f92581d394233fa16eaf35370e982c2ec2b989e9ba5fd6412
+  data.tar.gz: b1fb31ad7000c89ef61c4ac4b17d2b6b8a2c5e274c7526151b628afdf2d40a3a
 SHA512:
-  metadata.gz: fd1cb12814b75f0722d19c1bc36c1145b8f0ee2579a61a393bb272439dc5d7a8b67b7703f9bb21bb5586b3f903821456360e38414fa6bf24a1ce7906133f3699
-  data.tar.gz: 41b999f0f3f787266f8e5903dad52d8591399fdd3c7d7bffb60a7035b64eff4bb1c76ebbe80a0a6a6fe54d64d2c6aceefe653c3dbea6d5f83e087712d8232c33
+  metadata.gz: dd3eef94aa681bd522ebce53d10b10f16c7f0b001dc92271d43afd2e01a8280f71c48dbe01508d9aa2d5e7e54b6849403f41de1fdc780535a7be27db3027fb12
+  data.tar.gz: 66423f1af39166e55a8607dd27a5575de13c8caf89906e0bcb5372e9e4e448e3f7de34dc72ae4a7be1b69ad923562c6ccd4fb071fa1574a2ecf5ef42eca338f5

data/.simplecov

@@ -6,6 +6,12 @@
 return if RUBY_VERSION < "3.0"
 return if ENV["DISABLE_COVERAGE"] == "true"
 
+# Output coverage as LCOV to support CodeCov
+if ENV["COVERAGE_OUTPUT_LCOV"] == "true"
+  SimpleCov::Formatter::LcovFormatter.config.report_with_single_file = true
+  SimpleCov.formatter = SimpleCov::Formatter::LcovFormatter
+end
+
 SimpleCov.start do
   # Make sure SimpleCov waits until after the tests
   # are finished to generate the coverage reports.

data/README.md

@@ -6,6 +6,7 @@
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](http://makeapullrequest.com)
 [![Unit tests](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml)
 [![Release](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml)
+[![codecov](https://codecov.io/gh/AikidoSec/firewall-ruby/graph/badge.svg?token=X0MLST7S15)](https://codecov.io/gh/AikidoSec/firewall-ruby)
 
 Zen, your in-app firewall for peace of mind - at runtime.
 
@@ -22,6 +23,7 @@ Zen will autonomously protect your Ruby applications against:
 * 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked)
 * 🛡️ [Path traversal attacks](https://www.aikido.dev/blog/path-traversal-in-2024-the-year-unpacked)
 * 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities) (coming soon)
+* 🛡️ [Attack waves](https://help.aikido.dev/zen-firewall/zen-features/attack-wave-protection)
 
 Zen operates autonomously on the same server as your Ruby app to:
 

data/benchmarks/README.md

@@ -1,6 +1,5 @@
 # Benchmarking Zen for Ruby
 
-
 We use [WRK](https://github.com/wg/wrk) & [Grafana K6](https://k6.io) for these.
 
 WRK benchmarks are only requesting a URL (`/benchmark`). In case you want to add more 

data/benchmarks/rails7.1_benchmark.js

@@ -0,0 +1 @@
+rails7.1_sql_injection.js

data/benchmarks/rails7.1_sql_injection.js

@@ -1,5 +1,5 @@
-import http from 'k6/http';
-import {Trend} from 'k6/metrics';
+import http from "k6/http";
+import {Trend} from "k6/metrics";
 
 const HTTP = {
   withZen: {
@@ -10,7 +10,7 @@ const HTTP = {
     get: (path, ...args) => http.get("http://localhost:3002" + path, ...args),
     post: (path, ...args) => http.post("http://localhost:3002" + path, ...args)
   }
-}
+};
 
 function test(name, fn) {
   const withZen = fn(HTTP.withZen);
@@ -36,35 +36,67 @@ function buildTestTrends(prefix) {
 
 const tests = {
   test_post_page_with_json_body: buildTestTrends("test_post_page_with_json_body"),
-  test_get_page_without_attack: buildTestTrends("test_get_page_without_attack"),
-  test_get_page_with_sql_injection: buildTestTrends("test_get_page_with_sql_injection")
-}
+  test_get_page_without_attack: buildTestTrends("test_get_page_without_attack")
+};
+
 export const options = {
   vus: 1, // Number of virtual users
-  iterations: 200,
+  duration: "60s",
   thresholds: {
-    http_req_failed: ['rate==0'], // we are marking the attacks as expected, so we should have no errors
+    http_req_failed: ["rate==0"], // We are marking the attacks as expected, so we should have no errors.
     test_post_page_with_json_body_delta: ["med<10"],
-    test_get_page_without_attack_delta: ["med<10"],
-    test_get_page_with_sql_injection_delta: ["med<10"],
+    test_get_page_without_attack_delta: ["med<10"]
   }
 };
 
+const headers = {
+  Authorization:
+    "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.Bw8sSk3kdnT9d803kqqE_LZJzY1PzMl5cbmuanQKxrI",
+  Accept:
+    "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
+  "Accept-Language": "en-US,en;q=0.9",
+  Dnt: "1",
+  Priority: "u=0, i",
+  "Sec-Ch-Ua":
+    '"Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"',
+  "Sec-Ch-Ua-Arch": '"arm"',
+  "Sec-Ch-Ua-Bitness": '"64"',
+  "Sec-Ch-Ua-Full-Version-List":
+    '"Not)A;Brand";v="99.0.0.0", "Google Chrome";v="127.0.6533.72", "Chromium";v="127.0.6533.72"',
+  "Sec-Ch-Ua-Mobile": "?0",
+  "Sec-Ch-Ua-Model": '""',
+  "Sec-Ch-Ua-Platform": '"macOS"',
+  "Sec-Ch-Ua-Platform-Version": '"14.5.0"',
+  "Sec-Ch-Ua-Wow64": "?0",
+  "Sec-Fetch-Dest": "document",
+  "Sec-Fetch-Mode": "navigate",
+  "Sec-Fetch-Site": "cross-site",
+  "Sec-Fetch-User": "?1",
+  "Sec-Gpc": "1",
+  "Upgrade-Insecure-Requests": "1",
+  "User-Agent":
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
+};
+
 const expectAttack = http.expectedStatuses(200, 500);
 
 export default function () {
   test("test_post_page_with_json_body",
-    (http) => http.post("/cats", JSON.stringify({cat: {name: "Féline Dion"}}), {
-      headers: {
-        "Content-Type": "application/json",
-        "Accept": "application/json"
-      }
-    })
+    (http) => http.post("/cats",
+      JSON.stringify({cat: {name: "Féline Dion"}}),
+      {
+        headers: {
+          ...headers,
+          "Content-Type": "application/json",
+          "Accept": "application/json"
+        }
+      })
   )
 
-  test("test_get_page_without_attack", (http) => http.get("/cats"))
-
-  test("test_get_page_with_sql_injection", (http) =>
-    http.get("/cats/1'%20OR%20''='", { responseCallback: expectAttack })
+  test("test_get_page_without_attack",
+    (http) => http.get("/cats/count",
+    {
+        headers: headers
+    })
   )
 }

data/docs/config.md

@@ -8,7 +8,7 @@ other Rack-based apps).
 ## Disable Zen
 
 In order to fully turn off Zen and prevent it from intercepting any requests or
-reporting back to the Aikido servers, set `AIKIDO_DISABLED=true` in your
+reporting back to the Aikido servers, set `AIKIDO_DISABLE=true` in your
 environment, or set `Aikido::Zen.config.disabled = true`.
 
 (We recommend the ENV variable as you can normally change this easily without
@@ -34,6 +34,14 @@ set it via `Aikido::Zen.config.token = <token>`.
 
 **NOTE**: Never commit your token to the source code repository in plain text.
 
+## Hardened mode
+
+Zen hardens methods, restricting dangerous undocumented behavior to improve
+security and performance.
+
+To disable method hardening, set `AIKIDO_HARDEN=false` in your environment,
+or set `Aikido::Zen.config.harden = false`.
+
 ## Logger
 
 Zen logs to standard output by default. You can change this by changing the

data/docs/proxy.md

@@ -0,0 +1,10 @@
+# Proxy settings
+
+We'll automatically use the `HTTP_X_FORWARDED_FOR` header to determine the client's IP address when behind a trusted proxy.
+
+If you need to use a different header to determine the client's IP address, you can set the `AIKIDO_CLIENT_IP_HEADER` environment variable to the name of that header. This will override the default `HTTP_X_FORWARDED_FOR` header.
+
+```bash
+# For Fly.io Platform
+AIKIDO_CLIENT_IP_HEADER=HTTP_FLY_CLIENT_IP bin/rails server
+```

data/docs/rails.md

@@ -2,27 +2,71 @@
 
 To install Zen, add the gem:
 
-```
+```sh
 bundle add aikido-zen
 ```
 
+And require it before `Bundler.require` in `config/application.rb`:
+
+```ruby
+# config/application.rb
+require_relative "boot"
+
+require "rails/all"
+
+require "aikido-zen"
+Aikido::Zen.protect!
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+
+...
+```
+
 That's it! Zen will start to run inside your app when it starts getting
 requests.
 
+## Rate limiting and user blocking
+
+If you want to add the rate limiting feature to your app, modify your code like this:
+
+```ruby
+# app/controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  private
+
+  def current_user
+    return unless session[:user_id]
+    User.find(session[:user_id])
+  end
+
+  def authenticate_user!
+    # Your authentication logic here
+    # ...
+    # Optional, if you want to use user based rate limiting or block specific users
+    Aikido::Zen.set_user(
+      id: current_user.id,
+      name: current_user.name
+    )
+  end
+end
+```
+
 ## Configuration
 
 Zen exposes its configuration object to the Rails configuration, which you can
 modify in an initializer if desired:
 
-``` ruby
+```ruby
 # config/initializers/zen.rb
-Rails.application.config.zen.api_timeouts = 20
+Rails.application.config.zen.option = value
 ```
 
 You can access the configuration object both as `Aikido::Zen.config` or
 `Rails.configuration.zen`.
 
-See our [configuration guide](docs/config.md) for more details.
+See our [configuration guide](./config.md) for more details.
 
 ## Using Rails encrypted credentials
 
@@ -30,15 +74,15 @@ If you're using Rails' [encrypted credentials][creds], and prefer not storing
 sensitive values in your env vars, you can easily configure Zen for it. For
 example, assuming the following credentials structure:
 
-``` yaml
+```yaml
 # config/credentials.yml.enc
 zen:
   token: "AIKIDO_RUNTIME_..."
 ```
 
-You can just tell Zen to use it like so:
+You can tell Zen to use it like so:
 
-``` ruby
+```ruby
 # config/initializers/zen.rb
 Rails.application.config.zen.token = Rails.application.credentials.zen.token
 ```
@@ -58,13 +102,11 @@ way.
 
 ## Logging
 
-By default, Zen will use the Rails logger, prefixing messages with `[aikido]`.
-You can redirect the log to a separate stream by overriding the logger:
+You can override the logger to integrate with your application logging strategy:
 
-```
+```ruby
 # config/initializers/zen.rb
-Rails.application.config.zen.logger = Logger.new(...)
+Rails.application.config.zen.logger = ::Rails.logger
 ```
 
-You should supply an instance of ruby's [Logger](https://github.com/ruby/logger)
-class.
+Zen expects an instance of Ruby's [Logger](https://github.com/ruby/logger) class.

data/docs/troubleshooting.md

@@ -0,0 +1,62 @@
+# Troubleshooting
+
+If the Zen Firewall isn't working as expected, follow these steps in order to diagnose common issues.
+
+## Review installation steps
+
+Double-check your setup against the [installation guide](../README.md#installation).
+
+Make sure:
+- Your runtime and framework are supported (see [Supported libraries and frameworks](../README.md#supported-libraries-and-frameworks)).
+- The package installed successfully.
+- Your framework-specific integration matches the example in the docs (for Rails, see the example in [docs/rails.md](../docs/rails.md)).
+
+## Check connection to Aikido
+
+The firewall must be able to reach Aikido's API endpoints.
+
+Test connectivity from the same environment where your app runs, following the instructions on this page: https://help.aikido.dev/zen-firewall/miscellaneous/outbound-network-connections-for-zen
+
+## Check logs for errors
+
+Common places:
+- Local dev: `cat log/development.log` or `tail -f log/development.log`
+- Docker: `docker logs <your-app-container>`
+- systemd: `journalctl -u <your-app-service> --since "1 hour ago"`
+
+Tip: search logs for lines containing `Aikido` or `Zen`.
+
+For example:
+
+```sh
+grep -Ei 'aikido|zen' log/development.log
+```
+
+## Enable debug output temporarily
+
+If you use Rails, set the log level to `info` or `debug` while you investigate.
+
+```ruby
+# config/environments/development.rb or production.rb
+config.log_level = :info # use :debug if needed
+```
+
+If you have your own logger, make sure Zen logs go to stdout.
+
+You can enable Zen debugging mode as follows.
+
+```ruby
+# config/initializers/zen.rb
+Rails.application.config.zen.debugging = true
+```
+
+Or set `AIKIDO_DEBUG=true` in your environment.
+
+## Contact support
+
+If you still can't resolve the problem:
+
+- Use the in-app chat to reach our support team directly.
+- Or create an issue on [GitHub](https://github.com/AikidoSec/firewall-ruby/issues) with details about your setup, framework, and logs.
+
+Include as much context as possible; this helps us respond faster.

data/lib/aikido/zen/actor.rb

@@ -38,6 +38,16 @@ module Aikido::Zen
 
   # Represents someone connecting to the application and making requests.
   class Actor
+    def self.from_json(data)
+      new(
+        id: data[:id],
+        name: data[:name],
+        ip: data[:lastIpAddress],
+        first_seen_at: Time.at(data[:firstSeenAt] / 1000),
+        last_seen_at: Time.at(data[:lastSeenAt] / 1000)
+      )
+    end
+
     # @return [String] a unique identifier for this user.
     attr_reader :id
 
@@ -50,18 +60,20 @@ module Aikido::Zen
     # @param id [String]
     # @param name [String, nil]
     # @param ip [String, nil]
-    # @param seen_at [Time]
+    # @param first_seen_at [Time]
+    # @param last_seen_at [Time]
     def initialize(
       id:,
       name: nil,
       ip: Aikido::Zen.current_context&.request&.ip,
-      seen_at: Time.now.utc
+      first_seen_at: Time.now.utc,
+      last_seen_at: first_seen_at
     )
       @id = id
       @name = name
-      @first_seen_at = seen_at
-      @last_seen_at = Concurrent::AtomicReference.new(seen_at)
       @ip = Concurrent::AtomicReference.new(ip)
+      @first_seen_at = first_seen_at
+      @last_seen_at = Concurrent::AtomicReference.new(last_seen_at)
     end
 
     # @return [Time]
@@ -89,6 +101,24 @@ module Aikido::Zen
       @ip.try_update { |last_ip| [ip, last_ip].compact.first }
     end
 
+    # Merges the actor with another actor.
+    #
+    # @param other [Aikido::Zen::Actor]
+    # @return [Aikido::Zen::Actor]
+    def merge(other)
+      older = (first_seen_at < other.first_seen_at) ? self : other
+      newer = (last_seen_at > other.last_seen_at) ? self : other
+
+      self.class.new(
+        id: @id,
+        name: newer.name,
+        ip: newer.ip,
+        first_seen_at: older.first_seen_at,
+        last_seen_at: newer.last_seen_at
+      )
+    end
+    alias_method :|, :merge
+
     # @return [self]
     def to_aikido_actor
       self

data/lib/aikido/zen/agent/heartbeats_manager.rb

@@ -20,7 +20,7 @@ module Aikido::Zen
     # @return [Boolean] whether the currently running heartbeat matches the
     #   expected interval in the runtime settings.
     def stale_settings?
-      running? && @timer.execution_interval != @settings.heartbeat_interval
+      running? && @timer.execution_interval != interval
     end
 
     # Sets up the the timer to run the given block at the appropriate interval.
@@ -30,11 +30,11 @@ module Aikido::Zen
     def start(&task)
       return if running?
 
-      if @settings.heartbeat_interval&.nonzero?
-        @config.logger.debug "Scheduling heartbeats every #{@settings.heartbeat_interval} seconds"
-        @timer = @worker.every(@settings.heartbeat_interval, run_now: false, &task)
+      if interval&.nonzero?
+        @config.logger.debug "Scheduling heartbeats every #{interval} seconds"
+        @timer = @worker.every(interval, run_now: false, &task)
       else
-        @config.logger.warn(format("Heartbeat could not be set up (interval: %p)", @settings.heartbeat_interval))
+        @config.logger.warn(format("Heartbeat could not be set up (interval: %p)", interval))
       end
     end
 

data/lib/aikido/zen/agent.rb

@@ -37,22 +37,22 @@ module Aikido::Zen
     end
 
     def start!
-      @config.logger.info "Starting Aikido agent v#{Aikido::Zen::VERSION}"
+      @config.logger.info("Starting Aikido agent v#{Aikido::Zen::VERSION}")
 
       raise Aikido::ZenError, "Aikido Agent already started!" if started?
       @started_at = Time.now.utc
       @collector.start(at: @started_at)
 
-      if @config.blocking_mode?
-        @config.logger.info "Requests identified as attacks will be blocked"
+      if Aikido::Zen.blocking_mode?
+        @config.logger.info("Requests identified as attacks will be blocked")
       else
-        @config.logger.warn "Non-blocking mode enabled! No requests will be blocked."
+        @config.logger.warn("Non-blocking mode enabled! No requests will be blocked.")
       end
 
       if @api_client.can_make_requests?
-        @config.logger.info "API Token set! Reporting has been enabled."
+        @config.logger.info("API Token set! Reporting has been enabled.")
       else
-        @config.logger.warn "No API Token set! Reporting has been disabled."
+        @config.logger.warn("No API Token set! Reporting has been disabled.")
         return
       end
 
@@ -60,15 +60,18 @@ module Aikido::Zen
 
       report(Events::Started.new(time: @started_at)) do |response|
         updated_settings! if Aikido::Zen.runtime_settings.update_from_json(response)
-        @config.logger.info "Updated runtime settings."
+        @config.logger.info("Updated runtime settings.")
       rescue => err
         @config.logger.error(err.message)
       end
 
       poll_for_setting_updates
 
-      @worker.delay(@config.initial_heartbeat_delay) do
-        send_heartbeat if @collector.stats.any?
+      @config.initial_heartbeat_delays.each do |heartbeat_delay|
+        @worker.delay(heartbeat_delay) do
+          send_heartbeat
+          @config.logger.info("Executed initial heartbeat after #{heartbeat_delay} seconds")
+        end
       end
     end
 
@@ -77,7 +80,7 @@ module Aikido::Zen
     #
     # @return [void]
     def stop!
-      @config.logger.info "Stopping Aikido agent"
+      @config.logger.info("Stopping Aikido agent")
       @started_at = nil
       @worker.shutdown
     end
@@ -103,7 +106,7 @@ module Aikido::Zen
     # @raise [Aikido::Zen::UnderAttackError] if the firewall is configured
     #   to block requests.
     def handle_attack(attack)
-      attack.will_be_blocked! if @config.blocking_mode?
+      attack.will_be_blocked! if Aikido::Zen.blocking_mode?
 
       @config.logger.error(
         format("Zen has %s a %s: %s", attack.blocked? ? "blocked" : "detected", attack.humanized_name, attack.as_json.to_json)
@@ -143,11 +146,10 @@ module Aikido::Zen
     def send_heartbeat(at: Time.now.utc)
       return unless @api_client.can_make_requests?
 
-      @collector.flush_heartbeats.each do |heartbeat|
-        report(heartbeat) do |response|
-          updated_settings! if Aikido::Zen.runtime_settings.update_from_json(response)
-          @config.logger.info "Updated runtime settings after heartbeat"
-        end
+      heartbeat = @collector.flush
+      report(heartbeat) do |response|
+        updated_settings! if Aikido::Zen.runtime_settings.update_from_json(response)
+        @config.logger.info("Updated runtime settings after heartbeat")
       end
     end
 
@@ -162,7 +164,7 @@ module Aikido::Zen
       @worker.every(@config.polling_interval) do
         if @api_client.should_fetch_settings?
           updated_settings! if Aikido::Zen.runtime_settings.update_from_json(@api_client.fetch_settings)
-          @config.logger.info "Updated runtime settings after polling"
+          @config.logger.info("Updated runtime settings after polling")
         end
       end
     end

data/lib/aikido/zen/attack.rb

@@ -10,10 +10,11 @@ module Aikido::Zen
     attr_reader :operation
     attr_accessor :sink
 
-    def initialize(context:, sink:, operation:)
+    def initialize(context:, sink:, operation:, stack: nil)
       @context = context
       @operation = operation
       @sink = sink
+      @stack = stack
       @blocked = false
     end
 
@@ -46,8 +47,9 @@ module Aikido::Zen
         kind: kind,
         blocked: blocked?,
         metadata: metadata,
-        operation: @operation
-      }.merge(input.as_json)
+        operation: @operation,
+        stack: @stack
+      }.compact.merge(input.as_json)
     end
 
     def exception(*)
@@ -67,7 +69,9 @@ module Aikido::Zen
       end
 
       def metadata
-        {filename: filepath}
+        {
+          filename: filepath
+        }
       end
 
       def humanized_name
@@ -133,7 +137,10 @@ module Aikido::Zen
       end
 
       def metadata
-        {sql: @query}
+        {
+          sql: @query,
+          dialect: @dialect.name
+        }
       end
 
       def exception(*)
@@ -165,8 +172,8 @@ module Aikido::Zen
 
       def metadata
         {
-          host: @request.uri.hostname,
-          port: @request.uri.port
+          hostname: @request.uri.hostname,
+          port: @request.uri.port.to_s
         }
       end
     end
@@ -192,7 +199,7 @@ module Aikido::Zen
       end
 
       def kind
-        "ssrf"
+        "stored_ssrf"
       end
 
       def input
@@ -200,7 +207,10 @@ module Aikido::Zen
       end
 
       def metadata
-        {}
+        {
+          hostname: @hostname,
+          privateIP: @address
+        }
       end
     end
   end