aikido-zen 1.0.1.beta.4-arm64-linux → 1.0.1.beta.5-arm64-linux

data/lib/aikido/zen/sinks/http.rb

@@ -6,14 +6,6 @@ require_relative "../outbound_connection_monitor"
 module Aikido::Zen
   module Sinks
     module HTTP
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "http", ">= 1.0"
-          require "http"
-
-          ::HTTP::Client.prepend(ClientExtensions)
-        end
-      end
-
       SINK = Sinks.add("http", scanners: [
         Scanners::SSRFScanner,
         OutboundConnectionMonitor
@@ -59,33 +51,39 @@ module Aikido::Zen
         end
       end
 
-      module ClientExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "http", ">= 1.0"
+          require "http"
 
-        sink_around :perform do |super_call, req|
-          wrapped_request = Helpers.wrap_request(req)
+          ::HTTP::Client.class_eval do
+            extend Sinks::DSL
 
-          # Store the request information so the DNS sinks can pick it up.
-          context = Aikido::Zen.current_context
-          if context
-            prev_request = context["ssrf.request"]
-            context["ssrf.request"] = wrapped_request
-          end
+            sink_around :perform do |original_call, req|
+              wrapped_request = Helpers.wrap_request(req)
 
-          connection = Helpers.build_outbound(req)
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
 
-          Helpers.scan(wrapped_request, connection, "request")
+              connection = Helpers.build_outbound(req)
 
-          response = super_call.call
+              Helpers.scan(wrapped_request, connection, "request")
 
-          Scanners::SSRFScanner.track_redirects(
-            request: wrapped_request,
-            response: Helpers.wrap_response(response)
-          )
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(response)
+              )
 
-          response
-        ensure
-          context["ssrf.request"] = prev_request if context
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
         end
       end
     end

data/lib/aikido/zen/sinks/httpclient.rb

@@ -6,14 +6,6 @@ require_relative "../outbound_connection_monitor"
 module Aikido::Zen
   module Sinks
     module HTTPClient
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "httpclient", ">= 2.0"
-          require "httpclient"
-
-          ::HTTPClient.prepend(HTTPClient::HTTPClientExtensions)
-        end
-      end
-
       SINK = Sinks.add("httpclient", scanners: [
         Scanners::SSRFScanner,
         OutboundConnectionMonitor
@@ -66,28 +58,34 @@ module Aikido::Zen
         end
       end
 
-      module HTTPClientExtensions
-        extend Sinks::DSL
-
-        private
-
-        sink_around :do_get_block do |super_call, req|
-          Helpers.sink(req, &super_call)
-        end
-
-        sink_around :do_get_stream do |super_call, req|
-          Helpers.sink(req, &super_call)
-        end
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "httpclient", ">= 2.0"
+          require "httpclient"
 
-        sink_after :do_get_header do |_result, req, res, _sess|
-          # Code coverage is disabled here because `do_get_header` is not called,
-          # because WebMock does not mock it.
-          # :nocov:
-          Scanners::SSRFScanner.track_redirects(
-            request: Helpers.wrap_request(req),
-            response: Helpers.wrap_response(res)
-          )
-          # :nocov:
+          ::HTTPClient.class_eval do
+            extend Sinks::DSL
+
+            private
+
+            sink_around :do_get_block do |original_call, req|
+              Helpers.sink(req, &original_call)
+            end
+
+            sink_around :do_get_stream do |original_call, req|
+              Helpers.sink(req, &original_call)
+            end
+
+            sink_after :do_get_header do |_result, req, res, _sess|
+              # Code coverage is disabled here because `do_get_header` is not called,
+              # because WebMock does not mock it.
+              # :nocov:
+              Scanners::SSRFScanner.track_redirects(
+                request: Helpers.wrap_request(req),
+                response: Helpers.wrap_response(res)
+              )
+              # :nocov:
+            end
+          end
         end
       end
     end

data/lib/aikido/zen/sinks/httpx.rb

@@ -6,14 +6,6 @@ require_relative "../outbound_connection_monitor"
 module Aikido::Zen
   module Sinks
     module HTTPX
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "httpx", ">= 1.1.3"
-          require "httpx"
-
-          ::HTTPX::Session.prepend(HTTPX::SessionExtensions)
-        end
-      end
-
       SINK = Sinks.add("httpx", scanners: [
         Scanners::SSRFScanner,
         OutboundConnectionMonitor
@@ -44,33 +36,39 @@ module Aikido::Zen
         end
       end
 
-      module SessionExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "httpx", ">= 1.1.3"
+          require "httpx"
 
-        sink_around :send_request do |super_call, request|
-          wrapped_request = Helpers.wrap_request(request)
+          ::HTTPX::Session.class_eval do
+            extend Sinks::DSL
 
-          # Store the request information so the DNS sinks can pick it up.
-          context = Aikido::Zen.current_context
-          if context
-            prev_request = context["ssrf.request"]
-            context["ssrf.request"] = wrapped_request
-          end
+            sink_around :send_request do |original_call, request|
+              wrapped_request = Helpers.wrap_request(request)
 
-          connection = OutboundConnection.from_uri(request.uri)
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
 
-          Helpers.scan(wrapped_request, connection, "request")
+              connection = OutboundConnection.from_uri(request.uri)
 
-          request.on(:response) do |response|
-            Scanners::SSRFScanner.track_redirects(
-              request: wrapped_request,
-              response: Helpers.wrap_response(response)
-            )
-          end
+              Helpers.scan(wrapped_request, connection, "request")
+
+              request.on(:response) do |response|
+                Scanners::SSRFScanner.track_redirects(
+                  request: wrapped_request,
+                  response: Helpers.wrap_response(response)
+                )
+              end
 
-          super_call.call
-        ensure
-          context["ssrf.request"] = prev_request if context
+              original_call.call
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
         end
       end
     end

data/lib/aikido/zen/sinks/kernel.rb

@@ -3,11 +3,6 @@
 module Aikido::Zen
   module Sinks
     module Kernel
-      def self.load_sinks!
-        ::Kernel.singleton_class.prepend(KernelExtensions)
-        ::Kernel.prepend(KernelExtensions)
-      end
-
       SINK = Sinks.add("Kernel", scanners: [Scanners::ShellInjectionScanner])
 
       module Helpers
@@ -16,14 +11,18 @@ module Aikido::Zen
         end
       end
 
-      module KernelExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        [::Kernel.singleton_class, ::Kernel].each do |klass|
+          klass.class_eval do
+            extend Sinks::DSL
 
-        %i[system spawn].each do |method_name|
-          sink_before method_name do |*args|
-            # Remove the optional environment argument before the command-line.
-            args.shift if args.first.is_a?(Hash)
-            Helpers.scan(args.first, method_name)
+            %i[system spawn].each do |method_name|
+              sink_before method_name do |*args|
+                # Remove the optional environment argument before the command-line.
+                args.shift if args.first.is_a?(Hash)
+                Helpers.scan(args.first, method_name)
+              end
+            end
           end
         end
       end

data/lib/aikido/zen/sinks/mysql2.rb

@@ -3,14 +3,6 @@
 module Aikido::Zen
   module Sinks
     module Mysql2
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "mysql2"
-          require "mysql2"
-
-          ::Mysql2::Client.prepend(ClientExtensions)
-        end
-      end
-
       SINK = Sinks.add("mysql2", scanners: [Scanners::SQLInjectionScanner])
 
       module Helpers
@@ -19,11 +11,17 @@ module Aikido::Zen
         end
       end
 
-      module ClientExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "mysql2"
+          require "mysql2"
+
+          ::Mysql2::Client.class_eval do
+            extend Sinks::DSL
 
-        sink_before :query do |sql|
-          Helpers.scan(sql, "query")
+            sink_before :query do |sql|
+              Helpers.scan(sql, "query")
+            end
+          end
         end
       end
     end

data/lib/aikido/zen/sinks/net_http.rb

@@ -7,13 +7,6 @@ module Aikido::Zen
   module Sinks
     module Net
       module HTTP
-        def self.load_sinks!
-          # In stdlib but not always required
-          require "net/http"
-
-          ::Net::HTTP.prepend(Net::HTTP::HTTPExtensions)
-        end
-
         SINK = Sinks.add("net-http", scanners: [
           Scanners::SSRFScanner,
           OutboundConnectionMonitor
@@ -66,33 +59,38 @@ module Aikido::Zen
           end
         end
 
-        module HTTPExtensions
-          extend Sinks::DSL
+        def self.load_sinks!
+          # In stdlib but not always required
+          require "net/http"
 
-          sink_around :request do |super_call, req|
-            wrapped_request = Helpers.wrap_request(req, self)
+          ::Net::HTTP.class_eval do
+            extend Sinks::DSL
 
-            # Store the request information so the DNS sinks can pick it up.
-            context = Aikido::Zen.current_context
-            if context
-              prev_request = context["ssrf.request"]
-              context["ssrf.request"] = wrapped_request
-            end
+            sink_around :request do |original_call, req|
+              wrapped_request = Helpers.wrap_request(req, self)
 
-            connection = Helpers.build_outbound(self)
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
 
-            Helpers.scan(wrapped_request, connection, "request")
+              connection = Helpers.build_outbound(self)
 
-            response = super_call.call
+              Helpers.scan(wrapped_request, connection, "request")
 
-            Scanners::SSRFScanner.track_redirects(
-              request: wrapped_request,
-              response: Helpers.wrap_response(response)
-            )
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(response)
+              )
 
-            response
-          ensure
-            context["ssrf.request"] = prev_request if context
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
           end
         end
       end

data/lib/aikido/zen/sinks/patron.rb

@@ -6,14 +6,6 @@ require_relative "../outbound_connection_monitor"
 module Aikido::Zen
   module Sinks
     module Patron
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "patron", ">= 0.6.4"
-          require "patron"
-
-          ::Patron::Session.prepend(SessionExtensions)
-        end
-      end
-
       SINK = Sinks.add("patron", scanners: [
         Scanners::SSRFScanner,
         OutboundConnectionMonitor
@@ -44,58 +36,64 @@ module Aikido::Zen
         end
       end
 
-      module SessionExtensions
-        extend Sinks::DSL
-
-        sink_around :handle_request do |super_call, request|
-          wrapped_request = Scanners::SSRFScanner::Request.new(
-            verb: request.action,
-            uri: URI(request.url),
-            headers: request.headers
-          )
-
-          # Store the request information so the DNS sinks can pick it up.
-          context = Aikido::Zen.current_context
-          if context
-            prev_request = context["ssrf.request"]
-            context["ssrf.request"] = wrapped_request
-          end
-
-          connection = OutboundConnection.from_uri(URI(request.url))
-
-          Helpers.scan(wrapped_request, connection, "request")
-
-          response = super_call.call
-
-          Scanners::SSRFScanner.track_redirects(
-            request: wrapped_request,
-            response: Helpers.wrap_response(request, response)
-          )
-
-          # When libcurl has follow_location set, it will handle redirections
-          # internally, and expose the response.url as the URI that was last
-          # requested in the redirect chain.
-          #
-          # In this case, we can't actually stop the request from happening, but
-          # we can scan again (now that we know another request happened), to
-          # stop the response from being exposed to the user. This downgrades
-          # the SSRF into a blind SSRF, which is better than doing nothing.
-          if request.url != response.url && !response.url.to_s.empty?
-            last_effective_request = Scanners::SSRFScanner::Request.new(
-              verb: request.action,
-              uri: URI(response.url),
-              headers: request.headers
-            )
-            context["ssrf.request"] = last_effective_request if context
-
-            connection = OutboundConnection.from_uri(URI(response.url))
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "patron", ">= 0.6.4"
+          require "patron"
 
-            Helpers.scan(last_effective_request, connection, "request")
+          ::Patron::Session.class_eval do
+            extend Sinks::DSL
+
+            sink_around :handle_request do |original_call, request|
+              wrapped_request = Scanners::SSRFScanner::Request.new(
+                verb: request.action,
+                uri: URI(request.url),
+                headers: request.headers
+              )
+
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
+
+              connection = OutboundConnection.from_uri(URI(request.url))
+
+              Helpers.scan(wrapped_request, connection, "request")
+
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(request, response)
+              )
+
+              # When libcurl has follow_location set, it will handle redirections
+              # internally, and expose the response.url as the URI that was last
+              # requested in the redirect chain.
+              #
+              # In this case, we can't actually stop the request from happening, but
+              # we can scan again (now that we know another request happened), to
+              # stop the response from being exposed to the user. This downgrades
+              # the SSRF into a blind SSRF, which is better than doing nothing.
+              if request.url != response.url && !response.url.to_s.empty?
+                last_effective_request = Scanners::SSRFScanner::Request.new(
+                  verb: request.action,
+                  uri: URI(response.url),
+                  headers: request.headers
+                )
+                context["ssrf.request"] = last_effective_request if context
+
+                connection = OutboundConnection.from_uri(URI(response.url))
+
+                Helpers.scan(last_effective_request, connection, "request")
+              end
+
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
           end
-
-          response
-        ensure
-          context["ssrf.request"] = prev_request if context
         end
       end
     end

data/lib/aikido/zen/sinks/pg.rb

@@ -3,14 +3,6 @@
 module Aikido::Zen
   module Sinks
     module PG
-      def self.load_sinks!
-        if Aikido::Zen.satisfy "pg", ">= 1.0"
-          require "pg"
-
-          ::PG::Connection.prepend(PG::ConnectionExtensions)
-        end
-      end
-
       SINK = Sinks.add("pg", scanners: [Scanners::SQLInjectionScanner])
 
       module Helpers
@@ -43,26 +35,32 @@ module Aikido::Zen
         end
       end
 
-      module ConnectionExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "pg", ">= 1.0"
+          require "pg"
 
-        %i[
-          send_query exec sync_exec async_exec
-          send_query_params exec_params sync_exec_params async_exec_params
-        ].each do |method_name|
-          presafe_sink_before method_name do |query|
-            Helpers.safe do
-              Helpers.scan(query, method_name)
+          ::PG::Connection.class_eval do
+            extend Sinks::DSL
+
+            %i[
+              send_query exec sync_exec async_exec
+              send_query_params exec_params sync_exec_params async_exec_params
+            ].each do |method_name|
+              presafe_sink_before method_name do |query|
+                Helpers.safe do
+                  Helpers.scan(query, method_name)
+                end
+              end
             end
-          end
-        end
 
-        %i[
-          send_prepare prepare async_prepare sync_prepare
-        ].each do |method_name|
-          presafe_sink_before method_name do |_, query|
-            Helpers.safe do
-              Helpers.scan(query, method_name)
+            %i[
+              send_prepare prepare async_prepare sync_prepare
+            ].each do |method_name|
+              presafe_sink_before method_name do |_, query|
+                Helpers.safe do
+                  Helpers.scan(query, method_name)
+                end
+              end
             end
           end
         end

data/lib/aikido/zen/sinks/resolv.rb

@@ -6,13 +6,6 @@ require_relative "../scanners/ssrf_scanner"
 module Aikido::Zen
   module Sinks
     module Resolv
-      def self.load_sinks!
-        # In stdlib but not always required
-        require "resolv"
-
-        ::Resolv.prepend(ResolvExtensions)
-      end
-
       SINK = Sinks.add("resolv", scanners: [
         Scanners::StoredSSRFScanner,
         Scanners::SSRFScanner
@@ -35,23 +28,30 @@ module Aikido::Zen
         end
       end
 
-      module ResolvExtensions
-        def each_address(*args, **kwargs, &blk)
-          # each_address is defined "manually" because no sink method pattern
-          # is applicable.
+      def self.load_sinks!
+        # In stdlib but not always required
+        require "resolv"
 
-          name, = args
+        ::Resolv.class_eval do
+          alias_method :each_address__internal_for_aikido_zen, :each_address
 
-          addresses = []
-          super(*args, **kwargs) do |address| # rubocop:disable Style/SuperArguments
-            addresses << address
-            blk.call(address)
-          end
-        ensure
-          # Ensure partial results are scanned.
+          def each_address(*args, **kwargs, &blk)
+            # each_address is defined "manually" because no sink method pattern
+            # is applicable.
+
+            name, = args
+
+            addresses = []
+            each_address__internal_for_aikido_zen(*args, **kwargs) do |address|
+              addresses << address
+              blk.call(address)
+            end
+          ensure
+            # Ensure partial results are scanned.
 
-          Sinks::DSL.safe do
-            Helpers.scan(name, addresses, "lookup")
+            Sinks::DSL.safe do
+              Helpers.scan(name, addresses, "lookup")
+            end
           end
         end
       end

data/lib/aikido/zen/sinks/socket.rb

@@ -10,10 +10,6 @@ module Aikido::Zen
     # there's no way to access the internal DNS resolution that happens in C
     # when using the socket primitives.
     module Socket
-      def self.load_sinks!
-        ::IPSocket.singleton_class.prepend(Socket::IPSocketExtensions)
-      end
-
       SINK = Sinks.add("socket", scanners: [
         Scanners::StoredSSRFScanner,
         Scanners::SSRFScanner
@@ -62,15 +58,17 @@ module Aikido::Zen
         end
       end
 
-      module IPSocketExtensions
-        extend Sinks::DSL
+      def self.load_sinks!
+        ::IPSocket.singleton_class.class_eval do
+          extend Sinks::DSL
 
-        sink_after :open do |socket, remote_host|
-          # Code coverage is disabled here because the tests are contrived and
-          # intentionally do not call open.
-          # :nocov:
-          Helpers.scan(remote_host, socket, "open")
-          # :nocov:
+          sink_after :open do |socket, remote_host|
+            # Code coverage is disabled here because the tests are contrived and
+            # intentionally do not call open.
+            # :nocov:
+            Helpers.scan(remote_host, socket, "open")
+            # :nocov:
+          end
         end
       end
     end