RubyGems - aikido-zen - Versions diffs - 1.0.1.beta.5-arm64-darwin → 1.0.2-arm64-darwin - Mend

aikido-zen 1.0.1.beta.5-arm64-darwin → 1.0.2-arm64-darwin

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

checksums.yaml +4 -4
data/.simplecov +6 -0
data/README.md +2 -0
data/benchmarks/README.md +0 -1
data/benchmarks/rails7.1_benchmark.js +1 -0
data/benchmarks/rails7.1_sql_injection.js +52 -20
data/docs/config.md +9 -1
data/docs/proxy.md +10 -0
data/docs/rails.md +55 -13
data/docs/troubleshooting.md +62 -0
data/lib/aikido/zen/actor.rb +34 -4
data/lib/aikido/zen/agent/heartbeats_manager.rb +5 -5
data/lib/aikido/zen/agent.rb +19 -17
data/lib/aikido/zen/attack.rb +19 -9
data/lib/aikido/zen/attack_wave/helpers.rb +457 -0
data/lib/aikido/zen/attack_wave.rb +88 -0
data/lib/aikido/zen/cache.rb +91 -0
data/lib/aikido/zen/capped_collections.rb +22 -4
data/lib/aikido/zen/collector/event.rb +238 -0
data/lib/aikido/zen/collector/hosts.rb +16 -1
data/lib/aikido/zen/collector/routes.rb +13 -8
data/lib/aikido/zen/collector/stats.rb +33 -22
data/lib/aikido/zen/collector/users.rb +5 -3
data/lib/aikido/zen/collector.rb +107 -28
data/lib/aikido/zen/config.rb +54 -21
data/lib/aikido/zen/context/rack_request.rb +3 -0
data/lib/aikido/zen/context/rails_request.rb +3 -0
data/lib/aikido/zen/context.rb +42 -9
data/lib/aikido/zen/detached_agent/agent.rb +28 -27
data/lib/aikido/zen/detached_agent/front_object.rb +10 -6
data/lib/aikido/zen/detached_agent/server.rb +63 -26
data/lib/aikido/zen/event.rb +47 -2
data/lib/aikido/zen/helpers.rb +24 -0
data/lib/aikido/zen/internals.rb +23 -3
data/lib/aikido/zen/libzen-v0.1.48-arm64-darwin.dylib +0 -0
data/lib/aikido/zen/middleware/{check_allowed_addresses.rb → allowed_address_checker.rb} +1 -1
data/lib/aikido/zen/middleware/attack_wave_protector.rb +46 -0
data/lib/aikido/zen/middleware/{set_context.rb → context_setter.rb} +1 -1
data/lib/aikido/zen/middleware/fork_detector.rb +23 -0
data/lib/aikido/zen/middleware/rack_throttler.rb +3 -1
data/lib/aikido/zen/middleware/request_tracker.rb +9 -4
data/lib/aikido/zen/outbound_connection.rb +18 -1
data/lib/aikido/zen/payload.rb +1 -1
data/lib/aikido/zen/rails_engine.rb +5 -8
data/lib/aikido/zen/request/rails_router.rb +17 -2
data/lib/aikido/zen/request.rb +21 -36
data/lib/aikido/zen/route.rb +57 -0
data/lib/aikido/zen/runtime_settings/endpoints.rb +37 -8
data/lib/aikido/zen/runtime_settings.rb +6 -5
data/lib/aikido/zen/scanners/path_traversal/helpers.rb +10 -7
data/lib/aikido/zen/scanners/path_traversal_scanner.rb +5 -4
data/lib/aikido/zen/scanners/shell_injection_scanner.rb +3 -2
data/lib/aikido/zen/scanners/sql_injection_scanner.rb +3 -2
data/lib/aikido/zen/scanners/ssrf_scanner.rb +2 -1
data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb +8 -2
data/lib/aikido/zen/sink.rb +1 -1
data/lib/aikido/zen/sinks/action_controller.rb +3 -1
data/lib/aikido/zen/sinks/file.rb +45 -4
data/lib/aikido/zen/sinks/kernel.rb +1 -1
data/lib/aikido/zen/sinks/socket.rb +7 -0
data/lib/aikido/zen/sinks_dsl.rb +12 -0
data/lib/aikido/zen/system_info.rb +1 -5
data/lib/aikido/zen/version.rb +2 -2
data/lib/aikido/zen.rb +77 -15
data/tasklib/bench.rake +1 -1
data/tasklib/libzen.rake +1 -0
metadata +15 -5
data/lib/aikido/zen/libzen-v0.1.39-arm64-darwin.dylib +0 -0

data/lib/aikido/zen/attack_wave/helpers.rb ADDED Viewed

@@ -0,0 +1,457 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module AttackWave
+    module Helpers
+      def self.web_scanner?(context)
+        return true if suspicious_request?(context)
+        return true if include_suspicious_payload?(context)
+        false
+      end
+      def self.suspicious_request?(context)
+        request = context.request
+        suspicious_method?(request.request_method) || suspicious_path?(request.path_info)
+      end
+      def self.suspicious_method?(method)
+        SUSPICIOUS_METHODS.include?(method.downcase)
+      end
+      def self.suspicious_path?(path)
+        path_parts = path.downcase.split("/")
+        file_name = path_parts.pop if path_parts.length > 0
+        if file_name
+          return true if SUSPICIOUS_FILE_NAMES.include?(file_name)
+          file_name_parts = file_name.split(".")
+          file_extension = file_name_parts.pop if file_name_parts.length > 1
+          return true if SUSPICIOUS_FILE_EXTENSIONS.include?(file_extension)
+        end
+        path_parts.any? do |directory_name|
+          SUSPICIOUS_DIRECTORY_NAMES.include?(directory_name)
+        end
+      end
+      def self.include_suspicious_payload?(context)
+        context.payloads.each do |payload|
+          next unless payload.source == :query
+          value = payload.value.downcase
+          length = value.length
+          next if length < 5 || length > 1_000
+          return true if SUSPICIOUS_SQL_KEYWORDS.any? do |keyword|
+            value.include?(keyword)
+          end
+        end
+        false
+      end
+      SUSPICIOUS_METHODS = [
+        "BADMETHOD",
+        "BADHTTPMETHOD",
+        "BADDATA",
+        "BADMTHD",
+        "BDMTHD"
+      ].map(&:downcase).freeze
+      SUSPICIOUS_DIRECTORY_NAMES = [
+        ".",
+        "..",
+        ".anydesk",
+        ".aptitude",
+        ".aws",
+        ".azure",
+        ".cache",
+        ".circleci",
+        ".config",
+        ".dbus",
+        ".docker",
+        ".drush",
+        ".TODO: gem",
+        ".git",
+        ".github",
+        ".gnupg",
+        ".gsutil",
+        ".hg",
+        ".idea",
+        ".java",
+        ".kube",
+        ".lftp",
+        ".minikube",
+        ".npm",
+        ".nvm",
+        ".pki",
+        ".snap",
+        ".ssh",
+        ".subversion",
+        ".svn",
+        ".tconn",
+        ".thunderbird",
+        ".tor",
+        ".vagrant.d",
+        ".vidalia",
+        ".vim",
+        ".vmware",
+        ".vscode",
+        "apache",
+        "apache2",
+        "grub",
+        "System32",
+        "tmp",
+        "xampp",
+        "cgi-bin",
+        "%systemroot%"
+      ].map(&:downcase).freeze
+      SUSPICIOUS_FILE_NAMES = [
+        ".addressbook",
+        ".atom",
+        ".bashrc",
+        ".boto",
+        ".config",
+        ".config.json",
+        ".config.xml",
+        ".config.yaml",
+        ".config.yml",
+        ".envrc",
+        ".eslintignore",
+        ".fbcindex",
+        ".forward",
+        ".gitattributes",
+        ".gitconfig",
+        ".gitignore",
+        ".gitkeep",
+        ".gitlab-ci.yaml",
+        ".gitlab-ci.yml",
+        ".gitmodules",
+        ".google_authenticator",
+        ".hgignore",
+        ".htaccess",
+        ".htpasswd",
+        ".htdigest",
+        ".ksh_history",
+        ".lesshst",
+        ".lhistory",
+        ".lighttpdpassword",
+        ".lldb-history",
+        ".lynx_cookies",
+        ".my.cnf",
+        ".mysql_history",
+        ".nano_history",
+        ".netrc",
+        ".node_repl_history",
+        ".npmrc",
+        ".nsconfig",
+        ".nsr",
+        ".password-store",
+        ".pearrc",
+        ".pgpass",
+        ".php_history",
+        ".pinerc",
+        ".proclog",
+        ".procmailrc",
+        ".profile",
+        ".psql_history",
+        ".python_history",
+        ".rediscli_history",
+        ".rhosts",
+        ".selected_editor",
+        ".sh_history",
+        ".sqlite_history",
+        ".svnignore",
+        ".tcshrc",
+        ".tmux.conf",
+        ".travis.yaml",
+        ".travis.yml",
+        ".viminfo",
+        ".vimrc",
+        ".www_acl",
+        ".wwwacl",
+        ".xauthority",
+        ".yarnrc",
+        ".zhistory",
+        ".zsh_history",
+        ".zshenv",
+        ".zshrc",
+        "Dockerfile",
+        "aws-key.yaml",
+        "aws-key.yml",
+        "aws.yaml",
+        "aws.yml",
+        "docker-compose.yaml",
+        "docker-compose.yml",
+        "npm-shrinkwrap.json",
+        "package-lock.json",
+        "package.json",
+        "phpinfo.php",
+        "wp-config.php",
+        "wp-config.php3",
+        "wp-config.php4",
+        "wp-config.php5",
+        "wp-config.phtml",
+        "composer.json",
+        "composer.lock",
+        "composer.phar",
+        "yarn.lock",
+        ".env.local",
+        ".env.development",
+        ".env.test",
+        ".env.production",
+        ".env.prod",
+        ".env.dev",
+        ".env.example",
+        "php.ini",
+        "wp-settings.php",
+        "config.asp",
+        "config_dev.asp",
+        "config-dev.asp",
+        "config.dev.asp",
+        "config_prod.asp",
+        "config-prod.asp",
+        "config.prod.asp",
+        "config.sample.asp",
+        "config-sample.asp",
+        "config_sample.asp",
+        "config_test.asp",
+        "config-test.asp",
+        "config.test.asp",
+        "config.ini",
+        "config_dev.ini",
+        "config-dev.ini",
+        "config.dev.ini",
+        "config_prod.ini",
+        "config-prod.ini",
+        "config.prod.ini",
+        "config.sample.ini",
+        "config-sample.ini",
+        "config_sample.ini",
+        "config_test.ini",
+        "config-test.ini",
+        "config.test.ini",
+        "config.json",
+        "config_dev.json",
+        "config-dev.json",
+        "config.dev.json",
+        "config_prod.json",
+        "config-prod.json",
+        "config.prod.json",
+        "config.sample.json",
+        "config-sample.json",
+        "config_sample.json",
+        "config_test.json",
+        "config-test.json",
+        "config.test.json",
+        "config.php",
+        "config_dev.php",
+        "config-dev.php",
+        "config.dev.php",
+        "config_prod.php",
+        "config-prod.php",
+        "config.prod.php",
+        "config.sample.php",
+        "config-sample.php",
+        "config_sample.php",
+        "config_test.php",
+        "config-test.php",
+        "config.test.php",
+        "config.pl",
+        "config_dev.pl",
+        "config-dev.pl",
+        "config.dev.pl",
+        "config_prod.pl",
+        "config-prod.pl",
+        "config.prod.pl",
+        "config.sample.pl",
+        "config-sample.pl",
+        "config_sample.pl",
+        "config_test.pl",
+        "config-test.pl",
+        "config.test.pl",
+        "config.py",
+        "config_dev.py",
+        "config-dev.py",
+        "config.dev.py",
+        "config_prod.py",
+        "config-prod.py",
+        "config.prod.py",
+        "config.sample.py",
+        "config-sample.py",
+        "config_sample.py",
+        "config_test.py",
+        "config-test.py",
+        "config.test.py",
+        "config.rb",
+        "config_dev.rb",
+        "config-dev.rb",
+        "config.dev.rb",
+        "config_prod.rb",
+        "config-prod.rb",
+        "config.prod.rb",
+        "config.sample.rb",
+        "config-sample.rb",
+        "config_sample.rb",
+        "config_test.rb",
+        "config-test.rb",
+        "config.test.rb",
+        "config.toml",
+        "config_dev.toml",
+        "config-dev.toml",
+        "config.dev.toml",
+        "config_prod.toml",
+        "config-prod.toml",
+        "config.prod.toml",
+        "config.sample.toml",
+        "config-sample.toml",
+        "config_sample.toml",
+        "config_test.toml",
+        "config-test.toml",
+        "config.test.toml",
+        "config.txt",
+        "config_dev.txt",
+        "config-dev.txt",
+        "config.dev.txt",
+        "config_prod.txt",
+        "config-prod.txt",
+        "config.prod.txt",
+        "config.sample.txt",
+        "config-sample.txt",
+        "config_sample.txt",
+        "config_test.txt",
+        "config-test.txt",
+        "config.test.txt",
+        "config.xml",
+        "config_dev.xml",
+        "config-dev.xml",
+        "config.dev.xml",
+        "config_prod.xml",
+        "config-prod.xml",
+        "config.prod.xml",
+        "config.sample.xml",
+        "config-sample.xml",
+        "config_sample.xml",
+        "config_test.xml",
+        "config-test.xml",
+        "config.test.xml",
+        "config.yaml",
+        "config_dev.yaml",
+        "config-dev.yaml",
+        "config.dev.yaml",
+        "config_prod.yaml",
+        "config-prod.yaml",
+        "config.prod.yaml",
+        "config.sample.yaml",
+        "config-sample.yaml",
+        "config_sample.yaml",
+        "config_test.yaml",
+        "config-test.yaml",
+        "config.test.yaml",
+        "config.yml",
+        "config_dev.yml",
+        "config-dev.yml",
+        "config.dev.yml",
+        "config_prod.yml",
+        "config-prod.yml",
+        "config.prod.yml",
+        "config.sample.yml",
+        "config-sample.yml",
+        "config_sample.yml",
+        "config_test.yml",
+        "config-test.yml",
+        "config.test.yml",
+        "boot.ini",
+        "gruntfile.js",
+        "localsettings.php",
+        "my.ini",
+        "npm-debug.log",
+        "parameters.yml",
+        "parameters.yaml",
+        "services.yml",
+        "services.yaml",
+        "web.config",
+        "webpack.config.js",
+        "config.old",
+        "config.inc.php",
+        "error.log",
+        "access.log",
+        ".DS_Store",
+        "passwd",
+        "win.ini",
+        "cmd.exe",
+        "my.cnf",
+        ".bash_history",
+        "docker-compose-dev.yml",
+        "docker-compose.override.yml",
+        "docker-compose.dev.yml",
+        "Cargo.lock",
+        "secrets.yml",
+        "secrets.yaml",
+        "docker-compose.staging.yml",
+        "docker-compose.production.yml",
+        "yaws-key.pem",
+        "mysql_config.ini",
+        "firewall.log",
+        "log4j.properties",
+        "serviceAccountCredentials.json",
+        "haproxy.cfg",
+        "service-account-credentials.json",
+        "vpn.log",
+        "system.log",
+        "webuser-auth.xml",
+        "fastcgi.conf",
+        "smb.conf",
+        "iis.log",
+        "pom.xml",
+        "openapi.json",
+        "vim_settings.xml",
+        "winscp.ini",
+        "ws_ftp.ini"
+      ].map(&:downcase).freeze
+      SUSPICIOUS_FILE_EXTENSIONS = [
+        "env",
+        "bak",
+        "sql",
+        "sqlite",
+        "sqlite3",
+        "db",
+        "old",
+        "save",
+        "orig",
+        "sqlitedb",
+        "sqlite3db"
+      ].map(&:downcase).freeze
+      SUSPICIOUS_SQL_KEYWORDS = [
+        "SELECT (CASE WHEN",
+        "SELECT COUNT(",
+        "SLEEP(",
+        "WAITFOR DELAY",
+        "SELECT LIKE(CHAR(",
+        "INFORMATION_SCHEMA.COLUMNS",
+        "INFORMATION_SCHEMA.TABLES",
+        "MD5(",
+        "DBMS_PIPE.RECEIVE_MESSAGE",
+        "SYSIBM.SYSTABLES",
+        "RANDOMBLOB(",
+        "SELECT * FROM",
+        "1'='1",
+        "PG_SLEEP(",
+        "UNION ALL SELECT",
+        "../"
+      ].map(&:downcase).freeze
+    end
+  end
+end

data/lib/aikido/zen/attack_wave.rb ADDED Viewed

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+require_relative "cache"
+require_relative "attack_wave/helpers"
+module Aikido::Zen
+  module AttackWave
+    class Detector
+      def initialize(config: Aikido::Zen.config, clock: nil)
+        @config = config
+        @event_times = Cache.new(@config.attack_wave_max_cache_entries, ttl: @config.attack_wave_min_time_between_events, clock: clock)
+        @request_counts = Cache.new(@config.attack_wave_max_cache_entries, 0, ttl: @config.attack_wave_min_time_between_requests, clock: clock)
+      end
+      def attack_wave?(context)
+        client_ip = context.request.client_ip
+        return false unless client_ip
+        return false if @event_times[client_ip]
+        return false unless AttackWave::Helpers.web_scanner?(context)
+        request_count = @request_counts[client_ip] += 1
+        return false if request_count < @config.attack_wave_threshold
+        @event_times[client_ip] = Time.now.utc
+        true
+      end
+    end
+    class Request
+      # @return [String]
+      attr_reader :ip_address
+      # @return [String]
+      attr_reader :user_agent
+      # @return [String]
+      attr_reader :source
+      # @param ip_address [String]
+      # @param user_agent [String]
+      # @param source [String]
+      # @return [Aikido::Zen::AttackWave::Request]
+      def initialize(ip_address:, user_agent:, source:)
+        @ip_address = ip_address
+        @user_agent = user_agent
+        @source = source
+      end
+      def as_json
+        {
+          ipAddress: @ip_address,
+          userAgent: @user_agent,
+          source: @source
+        }.compact
+      end
+    end
+    class Attack
+      # @return [Hash<String, String>]
+      attr_reader :metadata
+      # @return [Aikido::Zen::Actor]
+      attr_reader :user
+      # @param metadata [Hash<String, String>]
+      # @param metadata [Aikido::Zen::Actor]
+      # @return [Aikido::Zen::AttackWave::Attack]
+      def initialize(metadata:, user:)
+        @metadata = metadata
+        @user = user
+      end
+      def as_json
+        {
+          metadata: @metadata.as_json,
+          user: @user.as_json
+        }.compact
+      end
+    end
+  end
+end

data/lib/aikido/zen/cache.rb ADDED Viewed

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  class Cache
+    extend Forwardable
+    # @api private
+    # Visible for testing.
+    def_delegators :@data,
+      :size, :empty?
+    def initialize(capacity, default_value = nil, ttl:, clock: nil)
+      @default_value = default_value
+      @ttl = ttl
+      @clock = clock
+      @data = CappedMap.new(capacity, mode: :lru)
+    end
+    def key?(key)
+      @data.key?(key) && !@data[key].expired?
+    end
+    # @param key [Object] the key
+    # @param value [Object] the value
+    # @return [Object] the value that the key was set to
+    def []=(key, value)
+      if key?(key)
+        entry = @data[key]
+        entry.refresh
+        entry.value = value
+      else
+        @data[key] = CacheEntry.new(value, ttl: @ttl, clock: @clock)
+      end
+    end
+    def [](key)
+      if key?(key)
+        @data[key].value
+      else
+        @default_value
+      end
+    end
+    def delete(key)
+      if key?(key)
+        @data.delete(key).value
+      else
+        @data.delete(key)
+        nil
+      end
+    end
+    # @api private
+    # Visible for testing.
+    def to_a
+      @data.map { |key, entry| [key, entry.value] }
+    end
+    # @api private
+    # Visible for testing.
+    def to_h
+      to_a.to_h
+    end
+  end
+  class CacheEntry
+    attr_accessor :value
+    DEFAULT_CLOCK = -> { Process.clock_gettime(Process::CLOCK_MONOTONIC, :millisecond) }
+    # @param value [Object] the value
+    # @param ttl [Integer] the time-to-live in milliseconds
+    # @return [Aikido::Zen::CacheEntry]
+    def initialize(value, ttl:, clock: nil)
+      @value = value
+      @ttl = ttl
+      @clock = clock || DEFAULT_CLOCK
+      refresh
+    end
+    def refresh
+      @expires = @clock.call + @ttl
+    end
+    def expired?
+      @clock.call >= @expires
+    end
+  end
+end

data/lib/aikido/zen/capped_collections.rb CHANGED Viewed

@@ -18,8 +18,8 @@ module Aikido::Zen
     # @return [Integer]
     attr_reader :capacity
-    def initialize(capacity)
-      @data = CappedMap.new(capacity)
+    def initialize(capacity, mode: :fifo)
+      @data = CappedMap.new(capacity, mode: mode)
     end
     def <<(element)
@@ -47,16 +47,23 @@ module Aikido::Zen
     extend Forwardable
     def_delegators :@data,
-      :[], :fetch, :delete, :key?,
+      :delete, :key?,
       :each, :each_key, :each_value,
       :size, :empty?, :to_hash
     # @return [Integer]
     attr_reader :capacity
-    def initialize(capacity)
+    def initialize(capacity, mode: :fifo)
       raise ArgumentError, "cannot set capacity lower than 1: #{capacity}" if capacity < 1
+      unless [:fifo, :lru].include?(mode)
+        raise ArgumentError, "unsupported mode: #{mode}"
+      end
       @capacity = capacity
+      @mode = mode
       @data = {}
     end
@@ -64,5 +71,16 @@ module Aikido::Zen
       @data[key] = value
       @data.delete(@data.each_key.first) if @data.size > @capacity
     end
+    def [](key)
+      @data[key] = @data.delete(key) if @mode == :lru && key?(key)
+      @data[key]
+    end
+    def fetch(key, ...)
+      return self[key] if key?(key)
+      @data.fetch(key, ...)
+    end
   end
 end