aikido-zen 1.0.1.beta.4-arm64-linux-musl → 1.0.2-arm64-linux-musl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.simplecov +6 -0
- data/README.md +2 -0
- data/benchmarks/README.md +0 -1
- data/benchmarks/rails7.1_benchmark.js +1 -0
- data/benchmarks/rails7.1_sql_injection.js +52 -20
- data/docs/config.md +9 -1
- data/docs/proxy.md +10 -0
- data/docs/rails.md +55 -13
- data/docs/troubleshooting.md +62 -0
- data/lib/aikido/zen/actor.rb +34 -4
- data/lib/aikido/zen/agent/heartbeats_manager.rb +5 -5
- data/lib/aikido/zen/agent.rb +19 -17
- data/lib/aikido/zen/attack.rb +19 -9
- data/lib/aikido/zen/attack_wave/helpers.rb +457 -0
- data/lib/aikido/zen/attack_wave.rb +88 -0
- data/lib/aikido/zen/cache.rb +91 -0
- data/lib/aikido/zen/capped_collections.rb +22 -4
- data/lib/aikido/zen/collector/event.rb +238 -0
- data/lib/aikido/zen/collector/hosts.rb +16 -1
- data/lib/aikido/zen/collector/routes.rb +13 -8
- data/lib/aikido/zen/collector/stats.rb +33 -22
- data/lib/aikido/zen/collector/users.rb +5 -3
- data/lib/aikido/zen/collector.rb +107 -28
- data/lib/aikido/zen/config.rb +54 -21
- data/lib/aikido/zen/context/rack_request.rb +3 -0
- data/lib/aikido/zen/context/rails_request.rb +3 -0
- data/lib/aikido/zen/context.rb +42 -9
- data/lib/aikido/zen/detached_agent/agent.rb +28 -27
- data/lib/aikido/zen/detached_agent/front_object.rb +10 -6
- data/lib/aikido/zen/detached_agent/server.rb +63 -26
- data/lib/aikido/zen/event.rb +47 -2
- data/lib/aikido/zen/helpers.rb +24 -0
- data/lib/aikido/zen/internals.rb +23 -3
- data/lib/aikido/zen/libzen-v0.1.48-arm64-linux-musl.so +0 -0
- data/lib/aikido/zen/middleware/{check_allowed_addresses.rb → allowed_address_checker.rb} +1 -1
- data/lib/aikido/zen/middleware/attack_wave_protector.rb +46 -0
- data/lib/aikido/zen/middleware/{set_context.rb → context_setter.rb} +1 -1
- data/lib/aikido/zen/middleware/fork_detector.rb +23 -0
- data/lib/aikido/zen/middleware/rack_throttler.rb +3 -1
- data/lib/aikido/zen/middleware/request_tracker.rb +9 -4
- data/lib/aikido/zen/outbound_connection.rb +18 -1
- data/lib/aikido/zen/payload.rb +1 -1
- data/lib/aikido/zen/rails_engine.rb +5 -8
- data/lib/aikido/zen/request/rails_router.rb +17 -2
- data/lib/aikido/zen/request.rb +21 -36
- data/lib/aikido/zen/route.rb +57 -0
- data/lib/aikido/zen/runtime_settings/endpoints.rb +37 -8
- data/lib/aikido/zen/runtime_settings.rb +6 -5
- data/lib/aikido/zen/scanners/path_traversal/helpers.rb +10 -7
- data/lib/aikido/zen/scanners/path_traversal_scanner.rb +5 -4
- data/lib/aikido/zen/scanners/shell_injection_scanner.rb +3 -2
- data/lib/aikido/zen/scanners/sql_injection_scanner.rb +3 -2
- data/lib/aikido/zen/scanners/ssrf_scanner.rb +2 -1
- data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb +8 -2
- data/lib/aikido/zen/sink.rb +1 -1
- data/lib/aikido/zen/sinks/action_controller.rb +3 -1
- data/lib/aikido/zen/sinks/async_http.rb +40 -42
- data/lib/aikido/zen/sinks/curb.rb +56 -58
- data/lib/aikido/zen/sinks/em_http.rb +27 -29
- data/lib/aikido/zen/sinks/excon.rb +62 -65
- data/lib/aikido/zen/sinks/file.rb +108 -71
- data/lib/aikido/zen/sinks/http.rb +26 -28
- data/lib/aikido/zen/sinks/httpclient.rb +27 -29
- data/lib/aikido/zen/sinks/httpx.rb +27 -29
- data/lib/aikido/zen/sinks/kernel.rb +11 -12
- data/lib/aikido/zen/sinks/mysql2.rb +10 -12
- data/lib/aikido/zen/sinks/net_http.rb +25 -27
- data/lib/aikido/zen/sinks/patron.rb +56 -58
- data/lib/aikido/zen/sinks/pg.rb +23 -25
- data/lib/aikido/zen/sinks/resolv.rb +21 -21
- data/lib/aikido/zen/sinks/socket.rb +17 -12
- data/lib/aikido/zen/sinks/sqlite3.rb +18 -21
- data/lib/aikido/zen/sinks/trilogy.rb +10 -12
- data/lib/aikido/zen/sinks.rb +1 -4
- data/lib/aikido/zen/sinks_dsl.rb +39 -15
- data/lib/aikido/zen/system_info.rb +1 -5
- data/lib/aikido/zen/version.rb +2 -2
- data/lib/aikido/zen.rb +78 -16
- data/tasklib/bench.rake +1 -1
- data/tasklib/libzen.rake +1 -0
- metadata +15 -5
- data/lib/aikido/zen/libzen-v0.1.39-arm64-linux-musl.so +0 -0
|
@@ -3,18 +3,6 @@
|
|
|
3
3
|
module Aikido::Zen
|
|
4
4
|
module Sinks
|
|
5
5
|
module File
|
|
6
|
-
def self.load_sinks!
|
|
7
|
-
# Create a copy of the original method for internal use only to prevent
|
|
8
|
-
# recursion in PathTraversalScanner.
|
|
9
|
-
#
|
|
10
|
-
# IMPORTANT: The alias must be created before the method is overridden,
|
|
11
|
-
# when the extensions are prepended.
|
|
12
|
-
::File.singleton_class.alias_method(:expand_path__internal_for_aikido_zen, :expand_path)
|
|
13
|
-
|
|
14
|
-
::File.singleton_class.prepend(FileClassExtensions)
|
|
15
|
-
::File.prepend(FileExtensions)
|
|
16
|
-
end
|
|
17
|
-
|
|
18
6
|
SINK = Sinks.add("File", scanners: [Scanners::PathTraversalScanner])
|
|
19
7
|
|
|
20
8
|
module Helpers
|
|
@@ -26,87 +14,136 @@ module Aikido::Zen
|
|
|
26
14
|
end
|
|
27
15
|
end
|
|
28
16
|
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
17
|
+
def self.load_sinks!
|
|
18
|
+
::File.singleton_class.class_eval do
|
|
19
|
+
extend Sinks::DSL
|
|
20
|
+
|
|
21
|
+
# Create a copy of the original methods for internal use only to prevent
|
|
22
|
+
# recursion in PathTraversalScanner.
|
|
23
|
+
#
|
|
24
|
+
# IMPORTANT: The aliases must be created before the method is overridden.
|
|
25
|
+
alias_method :expand_path__internal_for_aikido_zen, :expand_path
|
|
26
|
+
alias_method :join__internal_for_aikido_zen, :join
|
|
27
|
+
|
|
28
|
+
sink_before :open do |path|
|
|
29
|
+
Helpers.scan(path, "open")
|
|
30
|
+
end
|
|
35
31
|
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
32
|
+
sink_before :read do |path|
|
|
33
|
+
Helpers.scan(path, "read")
|
|
34
|
+
end
|
|
39
35
|
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
36
|
+
sink_before :write do |path|
|
|
37
|
+
Helpers.scan(path, "write")
|
|
38
|
+
end
|
|
43
39
|
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
40
|
+
sink_before :truncate do |file_name|
|
|
41
|
+
Helpers.scan(file_name, "truncate")
|
|
42
|
+
end
|
|
47
43
|
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
44
|
+
sink_before :rename do |old_name, new_name|
|
|
45
|
+
Helpers.scan(old_name, "rename")
|
|
46
|
+
Helpers.scan(new_name, "rename")
|
|
47
|
+
end
|
|
52
48
|
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
49
|
+
sink_before :unlink do |*file_names|
|
|
50
|
+
file_names.each do |file_name|
|
|
51
|
+
Helpers.scan(file_name, "unlink")
|
|
52
|
+
end
|
|
56
53
|
end
|
|
57
|
-
end
|
|
58
54
|
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
55
|
+
sink_before :delete do |*file_names|
|
|
56
|
+
file_names.each do |file_name|
|
|
57
|
+
Helpers.scan(file_name, "delete")
|
|
58
|
+
end
|
|
62
59
|
end
|
|
63
|
-
end
|
|
64
60
|
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
61
|
+
sink_before :symlink do |old_name, new_name|
|
|
62
|
+
Helpers.scan(old_name, "symlink")
|
|
63
|
+
Helpers.scan(new_name, "symlink")
|
|
64
|
+
end
|
|
69
65
|
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
66
|
+
sink_before :chmod do |_mode_int, *file_names|
|
|
67
|
+
file_names.each do |file_name|
|
|
68
|
+
Helpers.scan(file_name, "chmod")
|
|
69
|
+
end
|
|
73
70
|
end
|
|
74
|
-
end
|
|
75
71
|
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
72
|
+
sink_before :chown do |_owner_int, group_int, *file_names|
|
|
73
|
+
file_names.each do |file_name|
|
|
74
|
+
Helpers.scan(file_name, "chown")
|
|
75
|
+
end
|
|
79
76
|
end
|
|
80
|
-
end
|
|
81
77
|
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
78
|
+
sink_before :utime do |_atime, _mtime, *file_names|
|
|
79
|
+
file_names.each do |file_name|
|
|
80
|
+
Helpers.scan(file_name, "utime")
|
|
81
|
+
end
|
|
85
82
|
end
|
|
86
|
-
end
|
|
87
83
|
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
84
|
+
def join(*args, **kwargs, &blk)
|
|
85
|
+
if Aikido::Zen.config.harden?
|
|
86
|
+
# IMPORTANT: THE BEHAVIOR OF THIS METHOD IS CHANGED!
|
|
87
|
+
#
|
|
88
|
+
# File.join has undocumented behavior:
|
|
89
|
+
#
|
|
90
|
+
# File.join recursively joins nested string arrays.
|
|
91
|
+
#
|
|
92
|
+
# This prevents path traversal detection when an array originates
|
|
93
|
+
# from user input that was assumed to be a string.
|
|
94
|
+
#
|
|
95
|
+
# This undocumented behavior has been restricted to support path
|
|
96
|
+
# traversal detection.
|
|
97
|
+
#
|
|
98
|
+
# File.join no longer joins nested string arrays, but still accepts
|
|
99
|
+
# a single string array argument.
|
|
100
|
+
|
|
101
|
+
# File.join is often incorrectly called with a single array argument.
|
|
102
|
+
#
|
|
103
|
+
# i.e.
|
|
104
|
+
#
|
|
105
|
+
# File.join(["prefix", "filename"])
|
|
106
|
+
#
|
|
107
|
+
# This is considered acceptable.
|
|
108
|
+
#
|
|
109
|
+
# Calling File.join with a single string argument returns the string
|
|
110
|
+
# argument itself, having no practical effect. Therefore, it can be
|
|
111
|
+
# presumed that if File.join is called with a single array argument
|
|
112
|
+
# then this was its intended usage, and the array did not originate
|
|
113
|
+
# from user input that was assumed to be a string.
|
|
114
|
+
strings = args
|
|
115
|
+
strings = args.first if args.size == 1 && args.first.is_a?(Array)
|
|
116
|
+
strings.each do |string|
|
|
117
|
+
raise TypeError.new("Zen prevented implicit conversion of Array to String in hardened method. Visit https://github.com/AikidoSec/firewall-ruby for more information.") if string.is_a?(Array)
|
|
118
|
+
end
|
|
119
|
+
end
|
|
120
|
+
|
|
121
|
+
result = join__internal_for_aikido_zen(*args, **kwargs, &blk)
|
|
122
|
+
Sinks::DSL.safe do
|
|
123
|
+
Helpers.scan(result, "join")
|
|
124
|
+
end
|
|
125
|
+
result
|
|
126
|
+
end
|
|
91
127
|
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
128
|
+
sink_before :expand_path do |file_name|
|
|
129
|
+
Helpers.scan(file_name, "expand_path")
|
|
130
|
+
end
|
|
95
131
|
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
132
|
+
sink_before :realpath do |file_name|
|
|
133
|
+
Helpers.scan(file_name, "realpath")
|
|
134
|
+
end
|
|
99
135
|
|
|
100
|
-
|
|
101
|
-
|
|
136
|
+
sink_before :realdirpath do |file_name|
|
|
137
|
+
Helpers.scan(file_name, "realdirpath")
|
|
138
|
+
end
|
|
102
139
|
end
|
|
103
|
-
end
|
|
104
140
|
|
|
105
|
-
|
|
106
|
-
|
|
141
|
+
::File.class_eval do
|
|
142
|
+
extend Sinks::DSL
|
|
107
143
|
|
|
108
|
-
|
|
109
|
-
|
|
144
|
+
sink_before :initialize do |path|
|
|
145
|
+
Helpers.scan(path, "new")
|
|
146
|
+
end
|
|
110
147
|
end
|
|
111
148
|
end
|
|
112
149
|
end
|
|
@@ -6,14 +6,6 @@ require_relative "../outbound_connection_monitor"
|
|
|
6
6
|
module Aikido::Zen
|
|
7
7
|
module Sinks
|
|
8
8
|
module HTTP
|
|
9
|
-
def self.load_sinks!
|
|
10
|
-
if Aikido::Zen.satisfy "http", ">= 1.0"
|
|
11
|
-
require "http"
|
|
12
|
-
|
|
13
|
-
::HTTP::Client.prepend(ClientExtensions)
|
|
14
|
-
end
|
|
15
|
-
end
|
|
16
|
-
|
|
17
9
|
SINK = Sinks.add("http", scanners: [
|
|
18
10
|
Scanners::SSRFScanner,
|
|
19
11
|
OutboundConnectionMonitor
|
|
@@ -59,33 +51,39 @@ module Aikido::Zen
|
|
|
59
51
|
end
|
|
60
52
|
end
|
|
61
53
|
|
|
62
|
-
|
|
63
|
-
|
|
54
|
+
def self.load_sinks!
|
|
55
|
+
if Aikido::Zen.satisfy "http", ">= 1.0"
|
|
56
|
+
require "http"
|
|
64
57
|
|
|
65
|
-
|
|
66
|
-
|
|
58
|
+
::HTTP::Client.class_eval do
|
|
59
|
+
extend Sinks::DSL
|
|
67
60
|
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
if context
|
|
71
|
-
prev_request = context["ssrf.request"]
|
|
72
|
-
context["ssrf.request"] = wrapped_request
|
|
73
|
-
end
|
|
61
|
+
sink_around :perform do |original_call, req|
|
|
62
|
+
wrapped_request = Helpers.wrap_request(req)
|
|
74
63
|
|
|
75
|
-
|
|
64
|
+
# Store the request information so the DNS sinks can pick it up.
|
|
65
|
+
context = Aikido::Zen.current_context
|
|
66
|
+
if context
|
|
67
|
+
prev_request = context["ssrf.request"]
|
|
68
|
+
context["ssrf.request"] = wrapped_request
|
|
69
|
+
end
|
|
76
70
|
|
|
77
|
-
|
|
71
|
+
connection = Helpers.build_outbound(req)
|
|
78
72
|
|
|
79
|
-
|
|
73
|
+
Helpers.scan(wrapped_request, connection, "request")
|
|
80
74
|
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
75
|
+
response = original_call.call
|
|
76
|
+
|
|
77
|
+
Scanners::SSRFScanner.track_redirects(
|
|
78
|
+
request: wrapped_request,
|
|
79
|
+
response: Helpers.wrap_response(response)
|
|
80
|
+
)
|
|
85
81
|
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
82
|
+
response
|
|
83
|
+
ensure
|
|
84
|
+
context["ssrf.request"] = prev_request if context
|
|
85
|
+
end
|
|
86
|
+
end
|
|
89
87
|
end
|
|
90
88
|
end
|
|
91
89
|
end
|
|
@@ -6,14 +6,6 @@ require_relative "../outbound_connection_monitor"
|
|
|
6
6
|
module Aikido::Zen
|
|
7
7
|
module Sinks
|
|
8
8
|
module HTTPClient
|
|
9
|
-
def self.load_sinks!
|
|
10
|
-
if Aikido::Zen.satisfy "httpclient", ">= 2.0"
|
|
11
|
-
require "httpclient"
|
|
12
|
-
|
|
13
|
-
::HTTPClient.prepend(HTTPClient::HTTPClientExtensions)
|
|
14
|
-
end
|
|
15
|
-
end
|
|
16
|
-
|
|
17
9
|
SINK = Sinks.add("httpclient", scanners: [
|
|
18
10
|
Scanners::SSRFScanner,
|
|
19
11
|
OutboundConnectionMonitor
|
|
@@ -66,28 +58,34 @@ module Aikido::Zen
|
|
|
66
58
|
end
|
|
67
59
|
end
|
|
68
60
|
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
private
|
|
73
|
-
|
|
74
|
-
sink_around :do_get_block do |super_call, req|
|
|
75
|
-
Helpers.sink(req, &super_call)
|
|
76
|
-
end
|
|
77
|
-
|
|
78
|
-
sink_around :do_get_stream do |super_call, req|
|
|
79
|
-
Helpers.sink(req, &super_call)
|
|
80
|
-
end
|
|
61
|
+
def self.load_sinks!
|
|
62
|
+
if Aikido::Zen.satisfy "httpclient", ">= 2.0"
|
|
63
|
+
require "httpclient"
|
|
81
64
|
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
65
|
+
::HTTPClient.class_eval do
|
|
66
|
+
extend Sinks::DSL
|
|
67
|
+
|
|
68
|
+
private
|
|
69
|
+
|
|
70
|
+
sink_around :do_get_block do |original_call, req|
|
|
71
|
+
Helpers.sink(req, &original_call)
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
sink_around :do_get_stream do |original_call, req|
|
|
75
|
+
Helpers.sink(req, &original_call)
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
sink_after :do_get_header do |_result, req, res, _sess|
|
|
79
|
+
# Code coverage is disabled here because `do_get_header` is not called,
|
|
80
|
+
# because WebMock does not mock it.
|
|
81
|
+
# :nocov:
|
|
82
|
+
Scanners::SSRFScanner.track_redirects(
|
|
83
|
+
request: Helpers.wrap_request(req),
|
|
84
|
+
response: Helpers.wrap_response(res)
|
|
85
|
+
)
|
|
86
|
+
# :nocov:
|
|
87
|
+
end
|
|
88
|
+
end
|
|
91
89
|
end
|
|
92
90
|
end
|
|
93
91
|
end
|
|
@@ -6,14 +6,6 @@ require_relative "../outbound_connection_monitor"
|
|
|
6
6
|
module Aikido::Zen
|
|
7
7
|
module Sinks
|
|
8
8
|
module HTTPX
|
|
9
|
-
def self.load_sinks!
|
|
10
|
-
if Aikido::Zen.satisfy "httpx", ">= 1.1.3"
|
|
11
|
-
require "httpx"
|
|
12
|
-
|
|
13
|
-
::HTTPX::Session.prepend(HTTPX::SessionExtensions)
|
|
14
|
-
end
|
|
15
|
-
end
|
|
16
|
-
|
|
17
9
|
SINK = Sinks.add("httpx", scanners: [
|
|
18
10
|
Scanners::SSRFScanner,
|
|
19
11
|
OutboundConnectionMonitor
|
|
@@ -44,33 +36,39 @@ module Aikido::Zen
|
|
|
44
36
|
end
|
|
45
37
|
end
|
|
46
38
|
|
|
47
|
-
|
|
48
|
-
|
|
39
|
+
def self.load_sinks!
|
|
40
|
+
if Aikido::Zen.satisfy "httpx", ">= 1.1.3"
|
|
41
|
+
require "httpx"
|
|
49
42
|
|
|
50
|
-
|
|
51
|
-
|
|
43
|
+
::HTTPX::Session.class_eval do
|
|
44
|
+
extend Sinks::DSL
|
|
52
45
|
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
if context
|
|
56
|
-
prev_request = context["ssrf.request"]
|
|
57
|
-
context["ssrf.request"] = wrapped_request
|
|
58
|
-
end
|
|
46
|
+
sink_around :send_request do |original_call, request|
|
|
47
|
+
wrapped_request = Helpers.wrap_request(request)
|
|
59
48
|
|
|
60
|
-
|
|
49
|
+
# Store the request information so the DNS sinks can pick it up.
|
|
50
|
+
context = Aikido::Zen.current_context
|
|
51
|
+
if context
|
|
52
|
+
prev_request = context["ssrf.request"]
|
|
53
|
+
context["ssrf.request"] = wrapped_request
|
|
54
|
+
end
|
|
61
55
|
|
|
62
|
-
|
|
56
|
+
connection = OutboundConnection.from_uri(request.uri)
|
|
63
57
|
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
request:
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
58
|
+
Helpers.scan(wrapped_request, connection, "request")
|
|
59
|
+
|
|
60
|
+
request.on(:response) do |response|
|
|
61
|
+
Scanners::SSRFScanner.track_redirects(
|
|
62
|
+
request: wrapped_request,
|
|
63
|
+
response: Helpers.wrap_response(response)
|
|
64
|
+
)
|
|
65
|
+
end
|
|
70
66
|
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
67
|
+
original_call.call
|
|
68
|
+
ensure
|
|
69
|
+
context["ssrf.request"] = prev_request if context
|
|
70
|
+
end
|
|
71
|
+
end
|
|
74
72
|
end
|
|
75
73
|
end
|
|
76
74
|
end
|
|
@@ -3,11 +3,6 @@
|
|
|
3
3
|
module Aikido::Zen
|
|
4
4
|
module Sinks
|
|
5
5
|
module Kernel
|
|
6
|
-
def self.load_sinks!
|
|
7
|
-
::Kernel.singleton_class.prepend(KernelExtensions)
|
|
8
|
-
::Kernel.prepend(KernelExtensions)
|
|
9
|
-
end
|
|
10
|
-
|
|
11
6
|
SINK = Sinks.add("Kernel", scanners: [Scanners::ShellInjectionScanner])
|
|
12
7
|
|
|
13
8
|
module Helpers
|
|
@@ -16,14 +11,18 @@ module Aikido::Zen
|
|
|
16
11
|
end
|
|
17
12
|
end
|
|
18
13
|
|
|
19
|
-
|
|
20
|
-
|
|
14
|
+
def self.load_sinks!
|
|
15
|
+
[::Kernel.singleton_class, ::Kernel].each do |klass|
|
|
16
|
+
klass.class_eval do
|
|
17
|
+
extend Sinks::DSL
|
|
21
18
|
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
19
|
+
%i[system spawn `].each do |method_name|
|
|
20
|
+
sink_before method_name do |*args|
|
|
21
|
+
# Remove the optional environment argument before the command-line.
|
|
22
|
+
args.shift if args.first.is_a?(Hash)
|
|
23
|
+
Helpers.scan(args.first, method_name)
|
|
24
|
+
end
|
|
25
|
+
end
|
|
27
26
|
end
|
|
28
27
|
end
|
|
29
28
|
end
|
|
@@ -3,14 +3,6 @@
|
|
|
3
3
|
module Aikido::Zen
|
|
4
4
|
module Sinks
|
|
5
5
|
module Mysql2
|
|
6
|
-
def self.load_sinks!
|
|
7
|
-
if Aikido::Zen.satisfy "mysql2"
|
|
8
|
-
require "mysql2"
|
|
9
|
-
|
|
10
|
-
::Mysql2::Client.prepend(ClientExtensions)
|
|
11
|
-
end
|
|
12
|
-
end
|
|
13
|
-
|
|
14
6
|
SINK = Sinks.add("mysql2", scanners: [Scanners::SQLInjectionScanner])
|
|
15
7
|
|
|
16
8
|
module Helpers
|
|
@@ -19,11 +11,17 @@ module Aikido::Zen
|
|
|
19
11
|
end
|
|
20
12
|
end
|
|
21
13
|
|
|
22
|
-
|
|
23
|
-
|
|
14
|
+
def self.load_sinks!
|
|
15
|
+
if Aikido::Zen.satisfy "mysql2"
|
|
16
|
+
require "mysql2"
|
|
17
|
+
|
|
18
|
+
::Mysql2::Client.class_eval do
|
|
19
|
+
extend Sinks::DSL
|
|
24
20
|
|
|
25
|
-
|
|
26
|
-
|
|
21
|
+
sink_before :query do |sql|
|
|
22
|
+
Helpers.scan(sql, "query")
|
|
23
|
+
end
|
|
24
|
+
end
|
|
27
25
|
end
|
|
28
26
|
end
|
|
29
27
|
end
|
|
@@ -7,13 +7,6 @@ module Aikido::Zen
|
|
|
7
7
|
module Sinks
|
|
8
8
|
module Net
|
|
9
9
|
module HTTP
|
|
10
|
-
def self.load_sinks!
|
|
11
|
-
# In stdlib but not always required
|
|
12
|
-
require "net/http"
|
|
13
|
-
|
|
14
|
-
::Net::HTTP.prepend(Net::HTTP::HTTPExtensions)
|
|
15
|
-
end
|
|
16
|
-
|
|
17
10
|
SINK = Sinks.add("net-http", scanners: [
|
|
18
11
|
Scanners::SSRFScanner,
|
|
19
12
|
OutboundConnectionMonitor
|
|
@@ -66,33 +59,38 @@ module Aikido::Zen
|
|
|
66
59
|
end
|
|
67
60
|
end
|
|
68
61
|
|
|
69
|
-
|
|
70
|
-
|
|
62
|
+
def self.load_sinks!
|
|
63
|
+
# In stdlib but not always required
|
|
64
|
+
require "net/http"
|
|
71
65
|
|
|
72
|
-
|
|
73
|
-
|
|
66
|
+
::Net::HTTP.class_eval do
|
|
67
|
+
extend Sinks::DSL
|
|
74
68
|
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
if context
|
|
78
|
-
prev_request = context["ssrf.request"]
|
|
79
|
-
context["ssrf.request"] = wrapped_request
|
|
80
|
-
end
|
|
69
|
+
sink_around :request do |original_call, req|
|
|
70
|
+
wrapped_request = Helpers.wrap_request(req, self)
|
|
81
71
|
|
|
82
|
-
|
|
72
|
+
# Store the request information so the DNS sinks can pick it up.
|
|
73
|
+
context = Aikido::Zen.current_context
|
|
74
|
+
if context
|
|
75
|
+
prev_request = context["ssrf.request"]
|
|
76
|
+
context["ssrf.request"] = wrapped_request
|
|
77
|
+
end
|
|
83
78
|
|
|
84
|
-
|
|
79
|
+
connection = Helpers.build_outbound(self)
|
|
85
80
|
|
|
86
|
-
|
|
81
|
+
Helpers.scan(wrapped_request, connection, "request")
|
|
87
82
|
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
83
|
+
response = original_call.call
|
|
84
|
+
|
|
85
|
+
Scanners::SSRFScanner.track_redirects(
|
|
86
|
+
request: wrapped_request,
|
|
87
|
+
response: Helpers.wrap_response(response)
|
|
88
|
+
)
|
|
92
89
|
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
90
|
+
response
|
|
91
|
+
ensure
|
|
92
|
+
context["ssrf.request"] = prev_request if context
|
|
93
|
+
end
|
|
96
94
|
end
|
|
97
95
|
end
|
|
98
96
|
end
|