aikido-zen 1.0.1.beta.5-arm64-linux → 1.0.2-arm64-linux

data/lib/aikido/zen/sinks/file.rb

@@ -18,11 +18,12 @@ module Aikido::Zen
         ::File.singleton_class.class_eval do
           extend Sinks::DSL
 
-          # Create a copy of the original method for internal use only to prevent
+          # Create a copy of the original methods for internal use only to prevent
           # recursion in PathTraversalScanner.
           #
-          # IMPORTANT: The alias must be created before the method is overridden.
+          # IMPORTANT: The aliases must be created before the method is overridden.
           alias_method :expand_path__internal_for_aikido_zen, :expand_path
+          alias_method :join__internal_for_aikido_zen, :join
 
           sink_before :open do |path|
             Helpers.scan(path, "open")
@@ -80,8 +81,48 @@ module Aikido::Zen
             end
           end
 
-          sink_after :join do |result|
-            Helpers.scan(result, "join")
+          def join(*args, **kwargs, &blk)
+            if Aikido::Zen.config.harden?
+              # IMPORTANT: THE BEHAVIOR OF THIS METHOD IS CHANGED!
+              #
+              # File.join has undocumented behavior:
+              #
+              # File.join recursively joins nested string arrays.
+              #
+              # This prevents path traversal detection when an array originates
+              # from user input that was assumed to be a string.
+              #
+              # This undocumented behavior has been restricted to support path
+              # traversal detection.
+              #
+              # File.join no longer joins nested string arrays, but still accepts
+              # a single string array argument.
+
+              # File.join is often incorrectly called with a single array argument.
+              #
+              # i.e.
+              #
+              # File.join(["prefix", "filename"])
+              #
+              # This is considered acceptable.
+              #
+              # Calling File.join with a single string argument returns the string
+              # argument itself, having no practical effect. Therefore, it can be
+              # presumed that if File.join is called with a single array argument
+              # then this was its intended usage, and the array did not originate
+              # from user input that was assumed to be a string.
+              strings = args
+              strings = args.first if args.size == 1 && args.first.is_a?(Array)
+              strings.each do |string|
+                raise TypeError.new("Zen prevented implicit conversion of Array to String in hardened method. Visit https://github.com/AikidoSec/firewall-ruby for more information.") if string.is_a?(Array)
+              end
+            end
+
+            result = join__internal_for_aikido_zen(*args, **kwargs, &blk)
+            Sinks::DSL.safe do
+              Helpers.scan(result, "join")
+            end
+            result
           end
 
           sink_before :expand_path do |file_name|

data/lib/aikido/zen/sinks/kernel.rb

@@ -16,7 +16,7 @@ module Aikido::Zen
           klass.class_eval do
             extend Sinks::DSL
 
-            %i[system spawn].each do |method_name|
+            %i[system spawn `].each do |method_name|
               sink_before method_name do |*args|
                 # Remove the optional environment argument before the command-line.
                 args.shift if args.first.is_a?(Hash)

data/lib/aikido/zen/sinks/socket.rb

@@ -68,6 +68,13 @@ module Aikido::Zen
             # :nocov:
             Helpers.scan(remote_host, socket, "open")
             # :nocov:
+          rescue Aikido::Zen::UnderAttackError, Aikido::Zen::Sinks::DSL::PresafeError
+            # If the scan raises an exception that will escape the safe block,
+            # the open socket must be closed because it will not be returned,
+            # so the user cannot close it.
+            socket.close
+
+            raise
           end
         end
       end

data/lib/aikido/zen/sinks_dsl.rb

@@ -109,6 +109,8 @@ module Aikido::Zen
       #
       # @return [void]
       def presafe_sink_before(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
         original = instance_method(method_name)
 
         define_method(method_name) do |*args, **kwargs, &blk|
@@ -131,6 +133,8 @@ module Aikido::Zen
       #
       # @note the block is executed within `safe` to handle errors safely; the original method is executed outside of `safe` to preserve the original behavior
       def sink_before(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
         presafe_sink_before(method_name) do |*args, **kwargs|
           DSL.safe do
             instance_exec(*args, **kwargs, &block)
@@ -149,6 +153,8 @@ module Aikido::Zen
       #
       # @return [void]
       def presafe_sink_after(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
         original = instance_method(method_name)
 
         define_method(method_name) do |*args, **kwargs, &blk|
@@ -173,6 +179,8 @@ module Aikido::Zen
       #
       # @note the block is executed within `safe` to handle errors safely; the original method is executed outside of `safe` to preserve the original behavior
       def sink_after(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
         presafe_sink_after(method_name) do |result, *args, **kwargs|
           DSL.safe do
             instance_exec(result, *args, **kwargs, &block)
@@ -191,6 +199,8 @@ module Aikido::Zen
       #
       # @return [void]
       def presafe_sink_around(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
         original = instance_method(method_name)
 
         define_method(method_name) do |*args, **kwargs, &blk|
@@ -219,6 +229,8 @@ module Aikido::Zen
       # @note the block is executed within `safe` to handle errors safely; the original method is executed within `presafe` to preserve the original behavior
       # @note if the block does not call `original_call`, the original method is called automatically after the block is executed
       def sink_around(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
         presafe_sink_around(method_name) do |presafe_original_call, *args, **kwargs|
           original_called = false
           original_call = proc do

data/lib/aikido/zen/system_info.rb

@@ -8,12 +8,8 @@ require_relative "package"
 module Aikido::Zen
   # Provides information about the currently running Agent.
   class SystemInfo
-    def initialize(config = Aikido::Zen.config)
-      @config = config
-    end
-
     def attacks_block_requests?
-      !!@config.blocking_mode
+      !!Aikido::Zen.blocking_mode?
     end
 
     def attacks_are_only_reported?

data/lib/aikido/zen/version.rb

@@ -2,9 +2,9 @@
 
 module Aikido
   module Zen
-    VERSION = "1.0.1.beta.5"
+    VERSION = "1.0.2"
 
     # The version of libzen_internals that we build against.
-    LIBZEN_VERSION = "0.1.39"
+    LIBZEN_VERSION = "0.1.48"
   end
 end

data/lib/aikido/zen.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative "zen/helpers"
 require_relative "zen/version"
 require_relative "zen/errors"
 require_relative "zen/actor"
@@ -11,14 +12,17 @@ require_relative "zen/agent"
 require_relative "zen/api_client"
 require_relative "zen/context"
 require_relative "zen/detached_agent"
-require_relative "zen/middleware/check_allowed_addresses"
 require_relative "zen/middleware/middleware"
+require_relative "zen/middleware/fork_detector"
+require_relative "zen/middleware/context_setter"
+require_relative "zen/middleware/allowed_address_checker"
+require_relative "zen/middleware/attack_wave_protector"
 require_relative "zen/middleware/request_tracker"
-require_relative "zen/middleware/set_context"
 require_relative "zen/outbound_connection"
 require_relative "zen/outbound_connection_monitor"
 require_relative "zen/runtime_settings"
 require_relative "zen/rate_limiter"
+require_relative "zen/attack_wave"
 require_relative "zen/scanners"
 
 module Aikido
@@ -36,8 +40,6 @@ module Aikido
         return
       end
 
-      return unless config.protect?
-
       unless load_sources! && load_sinks!
         config.logger.warn("Zen could not find any supported libraries or frameworks. Visit https://github.com/AikidoSec/firewall-ruby for more information.")
         return
@@ -78,6 +80,16 @@ module Aikido
       @runtime_settings = settings
     end
 
+    # @return [Boolean] whether the Aikido agent is currently blocking requests.
+    #   Blocking mode is configured at startup and can be controlled through the
+    #   Aikido dashboard at runtime.
+    def self.blocking_mode?
+      blocking_mode = runtime_settings.blocking_mode
+      return blocking_mode unless blocking_mode.nil?
+
+      config.blocking_mode
+    end
+
     # Gets information about the current system configuration, which is sent to
     # the server along with any events.
     def self.system_info
@@ -87,15 +99,9 @@ module Aikido
     # Manages runtime metrics extracted from your app, which are uploaded to the
     # Aikido servers if configured to do so.
     def self.collector
-      check_and_handle_fork
       @collector ||= Collector.new
     end
 
-    def self.detached_agent
-      check_and_handle_fork
-      @detached_agent ||= DetachedAgent::Agent.new
-    end
-
     # Gets the current context object that holds all information about the
     # current request.
     #
@@ -121,6 +127,18 @@ module Aikido
       collector.track_request
     end
 
+    # Track statistics about an attack wave the app is handling.
+    #
+    # @param attack_wave [Aikido::Zen::Events::AttackWave]
+    # @return [void]
+    def self.track_attack_wave(attack_wave)
+      collector.track_attack_wave(being_blocked: false)
+    end
+
+    # Track statistics about a route that the app has discovered.
+    #
+    # @param request [Aikido::Zen::Request]
+    # @return [void]
     def self.track_discovered_route(request)
       collector.track_route(request)
     end
@@ -165,12 +183,22 @@ module Aikido
       end
     end
 
+    # Align with other Zen implementations, while keeping internal consistency.
+    class << self
+      alias_method :set_user, :track_user
+    end
+
     # Marks that the Zen middleware was installed properly
     # @return void
     def self.middleware_installed!
       collector.middleware_installed!
     end
 
+    # @return [Aikido::Zen::AttackWave::Detector] the attack wave detector.
+    def self.attack_wave_detector
+      @attack_wave_detector ||= AttackWave::Detector.new
+    end
+
     # @!visibility private
     # Load all sources.
     #
@@ -208,8 +236,12 @@ module Aikido
       @agent ||= Agent.start
     end
 
+    def self.detached_agent
+      @detached_agent ||= DetachedAgent::Agent.new
+    end
+
     def self.detached_agent_server
-      @detached_agent_server ||= DetachedAgent::Server.start!
+      @detached_agent_server ||= DetachedAgent::Server.start
     end
 
     class << self
@@ -218,24 +250,54 @@ module Aikido
       LOCK = Mutex.new
 
       def start!
+        return unless start?
+
         @pid = Process.pid
+
         LOCK.synchronize do
           agent
           detached_agent_server
         end
       end
 
+      def start?
+        !config.api_token.nil? ||
+          config.blocking_mode? ||
+          config.debugging?
+      end
+
       def check_and_handle_fork
-        if has_forked
-          @detached_agent&.handle_fork
-        end
+        handle_fork if forked?
       end
 
-      def has_forked
+      def forked?
         pid_changed = Process.pid != @pid
         @pid = Process.pid
         pid_changed
       end
+
+      def handle_fork
+        @detached_agent&.handle_fork
+      end
+    end
+
+    # @!visibility private
+    # Returns the stack trace trimmed to where execution last entered Zen.
+    #
+    # @return [String]
+    def self.clean_stack_trace
+      stack_trace = caller_locations
+
+      spec = Gem.loaded_specs["aikido-zen"]
+
+      # Only trim stack frames from .../lib/aikido/zen/ in the aikido-zen gem,
+      # so calls in sample apps are preserved.
+      lib_path_start = File.expand_path(File.join(spec.full_gem_path, "lib", "aikido", "zen")) + File::SEPARATOR
+
+      index = stack_trace.index { |frame| !File.expand_path(frame.path).start_with?(lib_path_start) }
+      stack_trace = stack_trace[index..] if index
+
+      stack_trace.map(&:to_s).join("\n")
     end
   end
 end

data/tasklib/bench.rake

@@ -87,7 +87,7 @@ Pathname.glob("sample_apps/*").select(&:directory?).each do |dir|
       end
 
       task :boot_unprotected_app do
-        boot_server(dir, port: PORT_UNPROTECTED, env: {"AIKIDO_DISABLED" => "true"})
+        boot_server(dir, port: PORT_UNPROTECTED, env: {"AIKIDO_DISABLE" => "true"})
       end
     end
   end

data/tasklib/libzen.rake

@@ -76,6 +76,7 @@ LIBZENS = [
   LibZen.new("arm64-darwin.dylib", "libzen_internals_aarch64-apple-darwin.dylib"),
   LibZen.new("arm64-linux.so", "libzen_internals_aarch64-unknown-linux-gnu.so"),
   LibZen.new("arm64-linux-musl.so", "libzen_internals_aarch64-unknown-linux-musl.so"),
+  LibZen.new("aarch64-linux.so", "libzen_internals_aarch64-unknown-linux-gnu.so"),
   LibZen.new("x86_64-darwin.dylib", "libzen_internals_x86_64-apple-darwin.dylib"),
   LibZen.new("x86_64-linux.so", "libzen_internals_x86_64-unknown-linux-gnu.so"),
   LibZen.new("x86_64-linux-musl.so", "libzen_internals_x86_64-unknown-linux-musl.so"),

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 1.0.1.beta.5
+  version: 1.0.2
 platform: arm64-linux
 authors:
 - Aikido Security
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-08-19 00:00:00.000000000 Z
+date: 2025-12-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -71,10 +71,13 @@ files:
 - README.md
 - Rakefile
 - benchmarks/README.md
+- benchmarks/rails7.1_benchmark.js
 - benchmarks/rails7.1_sql_injection.js
 - docs/banner.svg
 - docs/config.md
+- docs/proxy.md
 - docs/rails.md
+- docs/troubleshooting.md
 - lib/aikido-zen.rb
 - lib/aikido/zen.rb
 - lib/aikido/zen/actor.rb
@@ -82,9 +85,13 @@ files:
 - lib/aikido/zen/agent/heartbeats_manager.rb
 - lib/aikido/zen/api_client.rb
 - lib/aikido/zen/attack.rb
+- lib/aikido/zen/attack_wave.rb
+- lib/aikido/zen/attack_wave/helpers.rb
 - lib/aikido/zen/background_worker.rb
+- lib/aikido/zen/cache.rb
 - lib/aikido/zen/capped_collections.rb
 - lib/aikido/zen/collector.rb
+- lib/aikido/zen/collector/event.rb
 - lib/aikido/zen/collector/hosts.rb
 - lib/aikido/zen/collector/routes.rb
 - lib/aikido/zen/collector/sink_stats.rb
@@ -100,13 +107,16 @@ files:
 - lib/aikido/zen/detached_agent/server.rb
 - lib/aikido/zen/errors.rb
 - lib/aikido/zen/event.rb
+- lib/aikido/zen/helpers.rb
 - lib/aikido/zen/internals.rb
-- lib/aikido/zen/libzen-v0.1.39-arm64-linux.so
-- lib/aikido/zen/middleware/check_allowed_addresses.rb
+- lib/aikido/zen/libzen-v0.1.48-arm64-linux.so
+- lib/aikido/zen/middleware/allowed_address_checker.rb
+- lib/aikido/zen/middleware/attack_wave_protector.rb
+- lib/aikido/zen/middleware/context_setter.rb
+- lib/aikido/zen/middleware/fork_detector.rb
 - lib/aikido/zen/middleware/middleware.rb
 - lib/aikido/zen/middleware/rack_throttler.rb
 - lib/aikido/zen/middleware/request_tracker.rb
-- lib/aikido/zen/middleware/set_context.rb
 - lib/aikido/zen/outbound_connection.rb
 - lib/aikido/zen/outbound_connection_monitor.rb
 - lib/aikido/zen/package.rb