aikido-zen 1.0.1.beta.4-arm64-darwin → 1.0.2-arm64-darwin

data/lib/aikido/zen/middleware/fork_detector.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Aikido
+  module Zen
+    module Middleware
+      # This middleware is responsible for detecting when a process has forked
+      # (e.g., in a Puma or Unicorn worker) and resetting the state of the
+      # Aikido Zen agent. It should be inserted early in the middleware stack.
+      class ForkDetector
+        def initialize(app)
+          @app = app
+        end
+
+        def call(env)
+          # This is the single, reliable trigger point for the fork check.
+          Aikido::Zen.check_and_handle_fork
+
+          @app.call(env)
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/rack_throttler.rb

@@ -33,8 +33,10 @@ module Aikido::Zen
       private
 
       def should_throttle?(request)
+        # Bypass rate limiting for allowed IPs
+        return false if @settings.allowed_ips.include?(request.ip)
+
         return false unless @settings.endpoints[request.route].rate_limiting.enabled?
-        return false if @settings.skip_protection_for_ips.include?(request.ip)
 
         result = @detached_agent.calculate_rate_limits(request)
 

data/lib/aikido/zen/middleware/request_tracker.rb

@@ -5,8 +5,9 @@ module Aikido::Zen
     # Rack middleware used to track request
     # It implements the logic under that which is considered worthy of being tracked.
     class RequestTracker
-      def initialize(app)
+      def initialize(app, settings: Aikido::Zen.runtime_settings)
         @app = app
+        @settings = settings
       end
 
       def call(env)
@@ -16,9 +17,10 @@ module Aikido::Zen
         if request.route && track?(
           status_code: response[0],
           route: request.route.path,
-          http_method: request.request_method
+          http_method: request.request_method,
+          ip: request.ip
         )
-          Aikido::Zen.track_request request
+          Aikido::Zen.track_request(request)
 
           if Aikido::Zen.config.collect_api_schema?
             Aikido::Zen.track_discovered_route(request)
@@ -126,7 +128,10 @@ module Aikido::Zen
       # @param status_code [Integer]
       # @param route [String]
       # @param http_method [String]
-      def track?(status_code:, route:, http_method:)
+      def track?(status_code:, route:, http_method:, ip: nil)
+        # Bypass request and route tracking for allowed IPs
+        return false if @settings.allowed_ips.include?(ip)
+
         # In the UI we want to show only successful (2xx) or redirect (3xx) responses
         # anything else is discarded.
         return false unless status_code >= 200 && status_code <= 399

data/lib/aikido/zen/outbound_connection.rb

@@ -3,6 +3,13 @@
 module Aikido::Zen
   # Simple data object to identify connections performed to outbound servers.
   class OutboundConnection
+    def self.from_json(data)
+      new(
+        host: data[:hostname],
+        port: data[:port]
+      )
+    end
+
     # Convenience factory to create connection descriptions out of URI objects.
     #
     # @param uri [URI]
@@ -18,13 +25,23 @@ module Aikido::Zen
     # @return [Integer] the port number to which the connection was attempted.
     attr_reader :port
 
+    # @return [Integer] the number of times that this connection was seen by
+    #   the hosts collector.
+    attr_reader :hits
+
     def initialize(host:, port:)
       @host = host
       @port = port
     end
 
+    def hit
+      # Lazy initialize @hits, so it stays nil until the connection is tracked.
+      @hits ||= 0
+      @hits += 1
+    end
+
     def as_json
-      {hostname: host, port: port}
+      {hostname: host, port: port, hits: hits}.compact
     end
 
     def ==(other)

data/lib/aikido/zen/payload.rb

@@ -27,7 +27,7 @@ module Aikido::Zen
       {
         payload: value.to_s,
         source: SOURCE_SERIALIZATIONS[source],
-        pathToPayload: path.to_s
+        path: path.to_s
       }
     end
 

data/lib/aikido/zen/rails_engine.rb

@@ -10,8 +10,11 @@ module Aikido::Zen
     end
 
     initializer "aikido.add_middleware" do |app|
-      app.middleware.use Aikido::Zen::Middleware::SetContext
-      app.middleware.use Aikido::Zen::Middleware::CheckAllowedAddresses
+      app.middleware.insert_before 0, Aikido::Zen::Middleware::ForkDetector
+
+      app.middleware.use Aikido::Zen::Middleware::ContextSetter
+      app.middleware.use Aikido::Zen::Middleware::AllowedAddressChecker
+      app.middleware.use Aikido::Zen::Middleware::AttackWaveProtector
       # Request Tracker stats do not consider failed request or 40x, so the middleware
       # must be the last one wrapping the request.
       app.middleware.use Aikido::Zen::Middleware::RequestTracker
@@ -29,12 +32,6 @@ module Aikido::Zen
     end
 
     initializer "aikido.configuration" do |app|
-      # Allow the logger to be configured before checking if disabled? so we can
-      # let the user know that the agent is disabled.
-      logger = ::Rails.logger
-      logger = logger.tagged("aikido") if logger.respond_to?(:tagged)
-      app.config.zen.logger = logger
-
       app.config.zen.request_builder = Aikido::Zen::Context::RAILS_REQUEST_BUILDER
 
       # Plug Rails' JSON encoder/decoder, but only if the user hasn't changed

data/lib/aikido/zen/request/rails_router.rb

@@ -62,16 +62,31 @@ module Aikido::Zen
       nil
     end
 
-    private def build_route(route, request, prefix: request.script_name)
+    private
+
+    def build_route(route, request, prefix: request.script_name)
       route_wrapper = ActionDispatch::Routing::RouteWrapper.new(route)
 
       path = if prefix.present?
-        File.join(prefix.to_s, route_wrapper.path).chomp("/")
+        prefix_route_path(prefix.to_s, route_wrapper.path)
       else
         route_wrapper.path
       end
 
       Aikido::Zen::Route.new(verb: request.request_method, path: path)
     end
+
+    def prefix_route_path(string1, string2)
+      # The strings appear to start with "/", allowing them to be concatenated
+      # directly after removing trailing "/". However, as it is not currently
+      # known whether this is guaranteed, we insert a separator when necessary.
+
+      separator = string2.start_with?("/") ? "" : "/"
+
+      string1 = string1.chomp("/")
+      string2 = string2.chomp("/")
+
+      "#{string1}#{separator}#{string2}"
+    end
   end
 end

data/lib/aikido/zen/request.rb

@@ -17,17 +17,16 @@ module Aikido::Zen
     # @see Aikido::Zen.track_user
     attr_accessor :actor
 
-    def initialize(delegate, framework:, router:)
+    def initialize(delegate, config = Aikido::Zen.config, framework:, router:)
       super(delegate)
+      @config = config
       @framework = framework
       @router = router
-      @body_read = false
     end
 
     def __setobj__(delegate) # :nodoc:
       super
-      @body_read = false
-      @route = @normalized_header = @truncated_body = nil
+      @route = @normalized_header = nil
     end
 
     # @return [Aikido::Zen::Route] the framework route being requested.
@@ -40,6 +39,22 @@ module Aikido::Zen
       @schema ||= Aikido::Zen::Request::Schema.build
     end
 
+    # @return [String] the IP address of the client making the request.
+    def client_ip
+      return @client_ip if @client_ip
+
+      if @config.client_ip_header
+        value = env[@config.client_ip_header]
+        if Resolv::AddressRegex.match?(value)
+          @client_ip = value
+        else
+          @config.logger.warn("Invalid IP address in custom client IP header `#{@config.client_ip_header}`: `#{value}`")
+        end
+      end
+
+      @client_ip ||= respond_to?(:remote_ip) ? remote_ip : ip
+    end
+
     # Map the CGI-style env Hash into "pretty-looking" headers, preserving the
     # values as-is. For example, HTTP_ACCEPT turns into "Accept", CONTENT_TYPE
     # turns into "Content-Type", and HTTP_X_FORWARDED_FOR turns into
@@ -55,42 +70,12 @@ module Aikido::Zen
         }
     end
 
-    # @api private
-    #
-    # Reads the first 16KiB of the request body, to include in attack reports
-    # back to the Aikido server. This method should only be called if an attack
-    # is detected during the current request.
-    #
-    # If the underlying IO object has been partially (or fully) read before,
-    # this will attempt to restore the previous cursor position after reading it
-    # if possible, or leave if rewund if not.
-    #
-    # @param max_size [Integer] number of bytes to read at most.
-    #
-    # @return [String]
-    def truncated_body(max_size: 16384)
-      return @truncated_body if @body_read
-      return nil if body.nil?
-
-      begin
-        initial_pos = body.pos if body.respond_to?(:pos)
-        body.rewind
-        @truncated_body = body.read(max_size)
-      ensure
-        @body_read = true
-        body.rewind
-        body.seek(initial_pos) if initial_pos && body.respond_to?(:seek)
-      end
-    end
-
     def as_json
       {
-        method: request_method.downcase,
+        method: request_method.upcase,
         url: url,
-        ipAddress: ip,
+        ipAddress: client_ip,
         userAgent: user_agent,
-        headers: normalized_headers.reject { |_, val| val.to_s.empty? },
-        body: truncated_body,
         source: framework,
         route: route&.path
       }

data/lib/aikido/zen/route.rb

@@ -5,6 +5,13 @@ module Aikido::Zen
   # framework to go from a given HTTP request to the code that handles said
   # request.
   class Route
+    def self.from_json(data)
+      new(
+        verb: data[:method],
+        path: data[:path]
+      )
+    end
+
     # @return [String] the HTTP verb used to request this route.
     attr_reader :verb
 
@@ -32,8 +39,58 @@ module Aikido::Zen
       [verb, path].hash
     end
 
+    # Sort routes by wildcard matching order deterministically:
+    #
+    #   1. Exact path before wildcard path
+    #   2. Fewer wildcards in path relative to path length
+    #   3. Earliest wildcard position in path
+    #   4. Exact verb before wildcard verb
+    #   5. Lexicographic path (tie-break)
+    #   6. Lexicographic verb (tie-break)
+    #
+    # @return [Array] the sort key
+    def sort_key
+      @sort_key ||= begin
+        stars = []
+        i = -1
+        while (i = path.index("*", i + 1))
+          stars << i
+        end
+
+        [
+          stars.empty? ? 0 : 1,
+          stars.length - path.length,
+          stars,
+          (verb == "*") ? 1 : 0,
+          path,
+          verb
+        ].freeze
+      end
+    end
+
+    def match?(other)
+      other.is_a?(Route) &&
+        pattern(verb).match?(other.verb) &&
+        pattern(path).match?(other.path)
+    end
+
     def inspect
       "#<#{self.class.name} #{verb} #{path.inspect}>"
     end
+
+    # Construct a regular expression equivalent to the wildcard string,
+    # where '*' is the wildcard operator.
+    #
+    # The resulting pattern matches the entire input, allows an optional
+    # trailing slash, and is case-insensitive.
+    #
+    # All other special characters in the regular expression are escaped
+    # so that they are treated literally.
+    #
+    # @param string [String] wildcard string
+    # @return [Regexp] regular expression matching the wildcard string
+    private def pattern(string)
+      /^#{Regexp.escape(string).gsub("\\*", ".*")}\/?$/i
+    end
   end
 end

data/lib/aikido/zen/runtime_settings/endpoints.rb

@@ -16,24 +16,53 @@ module Aikido::Zen
     # @param data [Array<Hash>]
     # @return [Aikido::Zen::RuntimeSettings::Endpoints]
     def self.from_json(data)
-      data = Array(data).map { |item|
-        route = Route.new(verb: item["method"], path: item["route"])
-        settings = RuntimeSettings::ProtectionSettings.from_json(item)
+      endpoint_pairs = Array(data).map do |value|
+        route = Route.new(verb: value["method"], path: value["route"])
+        settings = RuntimeSettings::ProtectionSettings.from_json(value)
         [route, settings]
-      }.to_h
+      end
 
-      new(data)
+      # Sort endpoints by wildcard matching order
+      endpoint_pairs.sort_by! do |route, settings|
+        route.sort_key
+      end
+
+      new(endpoint_pairs.to_h)
     end
 
-    def initialize(data = {})
-      @endpoints = data
+    # @param endpoints [Hash] the endpoints in wildcard matching order
+    # @return [Aikido::Zen::RuntimeSettings::Endpoints]
+    def initialize(endpoints = {})
+      @endpoints = endpoints
       @endpoints.default = RuntimeSettings::ProtectionSettings.none
     end
 
     # @param route [Aikido::Zen::Route]
     # @return [Aikido::Zen::RuntimeSettings::ProtectionSettings]
     def [](route)
-      @endpoints[route]
+      return @endpoints[route] if @endpoints.key?(route)
+
+      # Wildcard endpoint matching
+
+      @endpoints.each do |pattern, settings|
+        return settings if pattern.match?(route)
+      end
+
+      @endpoints.default
+    end
+
+    # @param route [Aikido::Zen::Route]
+    # @return [Array<Aikido::Zen::RuntimeSettings::ProtectionSettings>]
+    def match(route)
+      matches = []
+
+      @endpoints.each do |pattern, settings|
+        matches << settings if pattern.match?(route)
+      end
+
+      matches << @endpoints.default if matches.empty?
+
+      matches
     end
 
     # @!visibility private

data/lib/aikido/zen/runtime_settings.rb

@@ -11,11 +11,11 @@ module Aikido::Zen
   #
   # You can subscribe to changes with +#add_observer(object, func_name)+, which
   # will call the function passing the settings as an argument.
-  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :skip_protection_for_ips, :received_any_stats) do
+  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :allowed_ips, :received_any_stats, :blocking_mode) do
     def initialize(*)
       super
       self.endpoints ||= RuntimeSettings::Endpoints.new
-      self.skip_protection_for_ips ||= RuntimeSettings::IPSet.new
+      self.allowed_ips ||= RuntimeSettings::IPSet.new
     end
 
     # @!attribute [rw] updated_at
@@ -35,7 +35,7 @@ module Aikido::Zen
     # @!attribute [rw] blocked_user_ids
     #   @return [Array]
 
-    # @!attribute [rw] skip_protection_for_ips
+    # @!attribute [rw] allowed_ips
     #   @return [Aikido::Zen::RuntimeSettings::IPSet]
 
     # Parse and interpret the JSON response from the core API with updated
@@ -50,11 +50,12 @@ module Aikido::Zen
       last_updated_at = updated_at
 
       self.updated_at = Time.at(data["configUpdatedAt"].to_i / 1000)
-      self.heartbeat_interval = (data["heartbeatIntervalInMS"].to_i / 1000)
+      self.heartbeat_interval = data["heartbeatIntervalInMS"].to_i / 1000
       self.endpoints = RuntimeSettings::Endpoints.from_json(data["endpoints"])
       self.blocked_user_ids = data["blockedUserIds"]
-      self.skip_protection_for_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
+      self.allowed_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
       self.received_any_stats = data["receivedAnyStats"]
+      self.blocking_mode = data["block"]
 
       updated_at != last_updated_at
     end

data/lib/aikido/zen/scanners/path_traversal/helpers.rb

@@ -4,7 +4,8 @@ module Aikido::Zen
   module Scanners
     module PathTraversal
       DANGEROUS_PATH_PARTS = ["../", "..\\"]
-      LINUX_ROOT_FOLDERS = [
+
+      LINUX_PATH_STARTS = [
         "/bin/",
         "/boot/",
         "/dev/",
@@ -26,10 +27,12 @@ module Aikido::Zen
         "/var/"
       ]
 
-      DANGEROUS_PATH_STARTS = LINUX_ROOT_FOLDERS + ["c:/", "c:\\"]
+      WINDOWS_PATH_STARTS = ["c:/", "c:\\"]
+
+      DANGEROUS_PATH_STARTS = LINUX_PATH_STARTS + WINDOWS_PATH_STARTS
 
       module Helpers
-        def self.contains_unsafe_path_parts(filepath)
+        def self.include_unsafe_path_parts?(filepath)
           DANGEROUS_PATH_PARTS.each do |dangerous_part|
             return true if filepath.include?(dangerous_part)
           end
@@ -37,7 +40,7 @@ module Aikido::Zen
           false
         end
 
-        def self.starts_with_unsafe_path(filepath, user_input)
+        def self.start_with_unsafe_path?(filepath, user_input)
           # Check if path is relative (not absolute or drive letter path)
           # Required because `expand_path` will build absolute paths from relative paths
           return false if Pathname.new(filepath).relative? || Pathname.new(user_input).relative?
@@ -51,12 +54,12 @@ module Aikido::Zen
               # to prevent false positives.
               # e.g., if user input is /etc/ and the path is /etc/passwd, we don't want to flag it,
               # as long as the user input does not contain a subdirectory or filename
-              if user_input == dangerous_start || user_input == dangerous_start.chomp("/")
-                return false
-              end
+              return false if user_input == dangerous_start || user_input == dangerous_start.chomp("/")
+
               return true
             end
           end
+
           false
         end
       end

data/lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -21,14 +21,15 @@ module Aikido::Zen
       # user input is detected to be attempting a Path Traversal Attack, or +nil+ if not.
       def self.call(filepath:, sink:, context:, operation:)
         context.payloads.each do |payload|
-          next unless new(filepath, payload.value).attack?
+          next unless new(filepath, payload.value.to_s).attack?
 
           return Attacks::PathTraversalAttack.new(
             sink: sink,
             input: payload,
             filepath: filepath,
             context: context,
-            operation: "#{sink.operation}.#{operation}"
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
           )
         end
 
@@ -51,12 +52,12 @@ module Aikido::Zen
         # We ignore cases where the user input is not part of the file path.
         return false unless @filepath.include?(@input)
 
-        if PathTraversal::Helpers.contains_unsafe_path_parts(@filepath) && PathTraversal::Helpers.contains_unsafe_path_parts(@input)
+        if PathTraversal::Helpers.include_unsafe_path_parts?(@filepath) && PathTraversal::Helpers.include_unsafe_path_parts?(@input)
           return true
         end
 
         # Check for absolute path traversal
-        PathTraversal::Helpers.starts_with_unsafe_path(@filepath, @input)
+        PathTraversal::Helpers.start_with_unsafe_path?(@filepath, @input)
       end
     end
   end

data/lib/aikido/zen/scanners/shell_injection_scanner.rb

@@ -16,14 +16,15 @@ module Aikido::Zen
       #
       def self.call(command:, sink:, context:, operation:)
         context.payloads.each do |payload|
-          next unless new(command, payload.value).attack?
+          next unless new(command, payload.value.to_s).attack?
 
           return Attacks::ShellInjectionAttack.new(
             sink: sink,
             input: payload,
             command: command,
             context: context,
-            operation: "#{sink.operation}.#{operation}"
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
           )
         end
 

data/lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -32,7 +32,7 @@ module Aikido::Zen
         end
 
         context.payloads.each do |payload|
-          next unless new(query, payload.value, dialect).attack?
+          next unless new(query, payload.value.to_s, dialect).attack?
 
           return Attacks::SQLInjectionAttack.new(
             sink: sink,
@@ -40,7 +40,8 @@ module Aikido::Zen
             input: payload,
             dialect: dialect,
             context: context,
-            operation: "#{sink.operation}.#{operation}"
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
           )
         end
 

data/lib/aikido/zen/scanners/ssrf_scanner.rb

@@ -51,7 +51,8 @@ module Aikido::Zen
             request: request,
             input: payload,
             context: context,
-            operation: "#{sink.operation}.#{operation}"
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
           )
 
           return attack

data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb

@@ -20,7 +20,8 @@ module Aikido::Zen
           address: offending_address,
           sink: sink,
           context: context,
-          operation: "#{sink.operation}.#{operation}"
+          operation: "#{sink.operation}.#{operation}",
+          stack: Aikido::Zen.clean_stack_trace
         )
       end
 
@@ -33,7 +34,9 @@ module Aikido::Zen
       # @return [String, nil] either the offending address, or +nil+ if no
       #   address is deemed dangerous.
       def attack?
-        return false if @config.imds_allowed_hosts.include?(@hostname)
+        return unless @config.stored_ssrf? # Feature flag
+
+        return if @config.imds_allowed_hosts.include?(@hostname)
 
         @addresses.find do |candidate|
           DANGEROUS_ADDRESSES.any? { |address| address === candidate }
@@ -42,6 +45,9 @@ module Aikido::Zen
 
       DANGEROUS_ADDRESSES = [
         IPAddr.new("169.254.169.254"),
+        IPAddr.new("100.100.100.200"),
+        IPAddr.new("::ffff:169.254.169.254"),
+        IPAddr.new("::ffff:100.100.100.200"),
         IPAddr.new("fd00:ec2::254")
       ]
     end

data/lib/aikido/zen/sink.rb

@@ -4,7 +4,7 @@ require_relative "scan"
 
 module Aikido::Zen
   module Sinks
-    # @api internal
+    # @api private
     # @return [Hash<String, Sink>]
     def self.registry
       @registry ||= {}

data/lib/aikido/zen/sinks/action_controller.rb

@@ -43,8 +43,10 @@ module Aikido::Zen
         end
 
         private def should_throttle?(request)
+          # Bypass rate limiting for allowed IPs
+          return false if @settings.allowed_ips.include?(request.ip)
+
           return false unless @settings.endpoints[request.route].rate_limiting.enabled?
-          return false if @settings.skip_protection_for_ips.include?(request.ip)
 
           result = @detached_agent.calculate_rate_limits(request)
           return false unless result