aikido-zen 1.0.1.beta.5-x86_64-mingw-64 → 1.0.2.beta.2-x86_64-mingw-64

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c35cec4c784296981a3deb9fe1fd2d34fd6a653fbd6d2d3037c24632bfe0322e
-  data.tar.gz: a6f19f666167e9c39b5c273bea3481b2acf2e2dd817bee5aee9bb9b3da3a0252
+  metadata.gz: df08748f71489b839ce1f792902314b6584d7262c306e9db836bcc977549223f
+  data.tar.gz: bb19e98304fbfc5b4676e9472dba44ed68517921c2bce17e79a8136d4d2da800
 SHA512:
-  metadata.gz: 9becfc0eb3e60ac46f8af101d3d6b30bcf3aa8505a8a296378ee1d0dfe278c34b578ec5e5682c59d196b2e72415adfc1d8de218511400aa971d1386bece19817
-  data.tar.gz: 605f53dbf38a95839ccd3effd9a9bc75900bb2b12b0b45553db16182aae66739a4d9bf7114baa34b6ec9c8ff16a05edc318529db9f8ed23aa712e51c0b09879b
+  metadata.gz: 120676b9f0f20fd1876ef61e6e74b8c62366707ecce112427f930f9b2753cbd17af5190d3fd037708c0dc80fb8c280755502b8fafbb6f08340b815dce1af56be
+  data.tar.gz: e78d3459416dc19e6cd5e0a9e6a0f2545a5101ec92975d64273ec455601697fc717dd3248648274dce7031d58fe80a0ad05d8ca45331723ddcf4800f38303b26

data/docs/proxy.md

@@ -0,0 +1,10 @@
+# Proxy settings
+
+We'll automatically use the `HTTP_X_FORWARDED_FOR` header to determine the client's IP address when behind a trusted proxy.
+
+If you need to use a different header to determine the client's IP address, you can set the `AIKIDO_CLIENT_IP_HEADER` environment variable to the name of that header. This will override the default `HTTP_X_FORWARDED_FOR` header.
+
+```bash
+# For Fly.io Platform
+AIKIDO_CLIENT_IP_HEADER=HTTP_FLY_CLIENT_IP bin/rails server
+```

data/docs/rails.md

@@ -2,19 +2,63 @@
 
 To install Zen, add the gem:
 
-```
+```sh
 bundle add aikido-zen
 ```
 
+And require it before `Bundler.require` in `config/application.rb`:
+
+```ruby
+# config/application.rb
+require_relative "boot"
+
+require "rails/all"
+
+require "aikido-zen"
+Aikido::Zen.protect!
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+
+...
+```
+
 That's it! Zen will start to run inside your app when it starts getting
 requests.
 
+## Rate limiting and user blocking
+
+If you want to add the rate limiting feature to your app, modify your code like this:
+
+```ruby
+# app/controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  private
+
+  def current_user
+    return unless session[:user_id]
+    User.find(session[:user_id])
+  end
+
+  def authenticate_user!
+    # Your authentication logic here
+    # ...
+    # Optional, if you want to use user based rate limiting or block specific users
+    Aikido::Zen.set_user(
+      id: current_user.id,
+      name: current_user.name
+    )
+  end
+end
+```
+
 ## Configuration
 
 Zen exposes its configuration object to the Rails configuration, which you can
 modify in an initializer if desired:
 
-``` ruby
+```ruby
 # config/initializers/zen.rb
 Rails.application.config.zen.api_timeouts = 20
 ```
@@ -22,7 +66,7 @@ Rails.application.config.zen.api_timeouts = 20
 You can access the configuration object both as `Aikido::Zen.config` or
 `Rails.configuration.zen`.
 
-See our [configuration guide](docs/config.md) for more details.
+See our [configuration guide](./config.md) for more details.
 
 ## Using Rails encrypted credentials
 
@@ -30,7 +74,7 @@ If you're using Rails' [encrypted credentials][creds], and prefer not storing
 sensitive values in your env vars, you can easily configure Zen for it. For
 example, assuming the following credentials structure:
 
-``` yaml
+```yaml
 # config/credentials.yml.enc
 zen:
   token: "AIKIDO_RUNTIME_..."
@@ -38,7 +82,7 @@ zen:
 
 You can just tell Zen to use it like so:
 
-``` ruby
+```ruby
 # config/initializers/zen.rb
 Rails.application.config.zen.token = Rails.application.credentials.zen.token
 ```
@@ -61,7 +105,7 @@ way.
 By default, Zen will use the Rails logger, prefixing messages with `[aikido]`.
 You can redirect the log to a separate stream by overriding the logger:
 
-```
+```ruby
 # config/initializers/zen.rb
 Rails.application.config.zen.logger = Logger.new(...)
 ```

data/lib/aikido/zen/config.rb

@@ -61,10 +61,10 @@ module Aikido::Zen
     # @return [Logger]
     attr_reader :logger
 
-    # @return [string] Path of the socket where the detached agent will listen.
+    # @return [String] Path of the socket where the detached agent will listen.
     # By default, is stored under the root application path with file name
     # `aikido-detached-agent.sock`
-    attr_reader :detached_agent_socket_path
+    attr_accessor :detached_agent_socket_path
 
     # @return [Boolean] is the agent in debugging mode?
     attr_accessor :debugging
@@ -150,6 +150,9 @@ module Aikido::Zen
     #   allow known hosts that should be able to resolve to the IMDS service.
     attr_accessor :imds_allowed_hosts
 
+    # @return [String] environment specific HTTP header providing the client IP.
+    attr_accessor :client_ip_header
+
     def initialize
       self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
       self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK", false))
@@ -163,8 +166,9 @@ module Aikido::Zen
       self.json_decoder = DEFAULT_JSON_DECODER
       self.debugging = read_boolean_from_env(ENV.fetch("AIKIDO_DEBUG", false))
       self.logger = Logger.new($stdout, progname: "aikido", level: debugging ? Logger::DEBUG : Logger::INFO)
-      self.max_performance_samples = 5000
       self.detached_agent_socket_path = ENV.fetch("AIKIDO_DETACHED_AGENT_SOCKET_PATH", DEFAULT_DETACHED_AGENT_SOCKET_PATH)
+      self.client_ip_header = ENV.fetch("AIKIDO_CLIENT_IP_HEADER", nil)
+      self.max_performance_samples = 5000
       self.max_compressed_stats = 100
       self.max_outbound_connections = 200
       self.max_users_tracked = 1000
@@ -222,9 +226,8 @@ module Aikido::Zen
       @api_timeouts.update(value)
     end
 
-    def detached_agent_socket_path=(path)
-      @detached_agent_socket_path = path
-      @detached_agent_socket_path = "drbunix:" + @detached_agent_socket_path unless @detached_agent_socket_path.start_with?("drbunix:")
+    def detached_agent_socket_uri
+      "drbunix:" + @detached_agent_socket_path
     end
 
     private

data/lib/aikido/zen/detached_agent/agent.rb

@@ -32,7 +32,7 @@ module Aikido::Zen::DetachedAgent
       @polling_interval = polling_interval
       @worker = worker
       @collector = collector
-      @detached_agent_front = DRbObject.new_with_uri(config.detached_agent_socket_path)
+      @detached_agent_front = DRbObject.new_with_uri(config.detached_agent_socket_uri)
       @has_forked = false
       schedule_tasks
     end

data/lib/aikido/zen/detached_agent/server.rb

@@ -1,41 +1,78 @@
 # frozen_string_literal: true
 
+require "fileutils"
+
 module Aikido::Zen::DetachedAgent
   class Server
+    # Initialize and start a detached agent server instance.
+    #
+    # @return [Aikido::Zen::DetachedAgent::Server]
+    def self.start(**opts)
+      new(**opts).tap(&:start!)
+    end
+
     def initialize(config: Aikido::Zen.config)
-      @detached_agent_front = FrontObject.new
-      @drb_server = DRb.start_service(config.detached_agent_socket_path, @detached_agent_front)
+      @started_at = nil
 
-      # We don't want to see drb logs unless in debug mode
-      @drb_server.verbose = config.logger.debug?
-    end
+      @config = config
 
-    def alive?
-      @drb_server.alive?
+      @socket_path = config.detached_agent_socket_path
+      @socket_uri = config.detached_agent_socket_uri
     end
 
-    def stop!
-      @drb_server.stop_service
-      DRb.stop_service
+    def started?
+      !!@started_at
     end
 
-    class << self
-      def start!
-        Aikido::Zen.config.logger.debug("Starting DRb Server...")
-        max_attempts = 10
-        @server = new
-
-        attempts = 0
-        until @server.alive?
-          Aikido::Zen.config.logger.info("DRb Server still not alive. #{max_attempts - attempts} attempts remaining")
-          sleep 0.1
-          attempts += 1
-          raise Aikido::Zen::DetachedAgentError.new("Impossible to start the dRB server (socket=#{Aikido::Zen.config.detached_agent_socket_path})") \
-            if attempts == max_attempts
-        end
-
-        @server
+    def start!
+      @config.logger.info("Starting DRb Server...")
+
+      # Try to ensure that the DRb service can start if the DRb service did
+      # not stop cleanly.
+      begin
+        # Check whether the Unix domain socket is in use by another process.
+        UNIXSocket.new(@socket_path).close
+      rescue Errno::ECONNREFUSED
+        @config.logger.debug("Removing residual Unix domain socket...")
+
+        # Remove the residual Unix domain socket.
+        FileUtils.rm_f(@socket_path)
+      rescue
+        # empty
+      end
+
+      @front = FrontObject.new
+
+      # If the Unix domain socket is in use by another process and/or the
+      # residual Unix domain socket could not be removed DRb will raise an
+      # appropriate error.
+      @drb_server = DRb.start_service(@socket_uri, @front)
+
+      # Only show DRb output in debug mode.
+      @drb_server.verbose = @config.logger.debug?
+
+      # Ensure that the DRb server is alive.
+      max_attempts = 10
+      attempts = 0
+      until @drb_server.alive?
+        @config.logger.info("DRb Server still not alive. #{max_attempts - attempts} attempts remaining")
+        sleep 0.1
+        attempts += 1
+        raise Aikido::Zen::DetachedAgentError.new("Impossible to start the dRB server (socket=#{Aikido::Zen.config.detached_agent_socket_path})") \
+          if attempts == max_attempts
       end
+
+      @started_at = Time.now.utc
+
+      at_exit { stop! if started? }
+    end
+
+    def stop!
+      @config.logger.info("Stopping DRb Server...")
+      @started_at = nil
+
+      @drb_server.stop_service if @drb_server.alive?
+      DRb.stop_service
     end
   end
 end

data/lib/aikido/zen/payload.rb

@@ -27,7 +27,7 @@ module Aikido::Zen
       {
         payload: value.to_s,
         source: SOURCE_SERIALIZATIONS[source],
-        pathToPayload: path.to_s
+        path: path.to_s
       }
     end
 

data/lib/aikido/zen/request.rb

@@ -17,8 +17,9 @@ module Aikido::Zen
     # @see Aikido::Zen.track_user
     attr_accessor :actor
 
-    def initialize(delegate, framework:, router:)
+    def initialize(delegate, config = Aikido::Zen.config, framework:, router:)
       super(delegate)
+      @config = config
       @framework = framework
       @router = router
       @body_read = false
@@ -40,6 +41,24 @@ module Aikido::Zen
       @schema ||= Aikido::Zen::Request::Schema.build
     end
 
+    # @api private
+    #
+    # @return [String] the IP address of the client making the request.
+    def client_ip
+      return @client_ip if @client_ip
+
+      if @config.client_ip_header
+        value = env[@config.client_ip_header]
+        if Resolv::AddressRegex.match?(value)
+          @client_ip = value
+        else
+          @config.logger.warn("Invalid IP address in custom client IP header `#{@config.client_ip_header}`: `#{value}`")
+        end
+      end
+
+      @client_ip ||= respond_to?(:remote_ip) ? remote_ip : ip
+    end
+
     # Map the CGI-style env Hash into "pretty-looking" headers, preserving the
     # values as-is. For example, HTTP_ACCEPT turns into "Accept", CONTENT_TYPE
     # turns into "Content-Type", and HTTP_X_FORWARDED_FOR turns into
@@ -87,7 +106,7 @@ module Aikido::Zen
       {
         method: request_method.downcase,
         url: url,
-        ipAddress: ip,
+        ipAddress: client_ip,
         userAgent: user_agent,
         headers: normalized_headers.reject { |_, val| val.to_s.empty? },
         body: truncated_body,

data/lib/aikido/zen/sinks_dsl.rb

@@ -109,6 +109,8 @@ module Aikido::Zen
       #
       # @return [void]
       def presafe_sink_before(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
         original = instance_method(method_name)
 
         define_method(method_name) do |*args, **kwargs, &blk|
@@ -131,6 +133,8 @@ module Aikido::Zen
       #
       # @note the block is executed within `safe` to handle errors safely; the original method is executed outside of `safe` to preserve the original behavior
       def sink_before(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
         presafe_sink_before(method_name) do |*args, **kwargs|
           DSL.safe do
             instance_exec(*args, **kwargs, &block)
@@ -149,6 +153,8 @@ module Aikido::Zen
       #
       # @return [void]
       def presafe_sink_after(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
         original = instance_method(method_name)
 
         define_method(method_name) do |*args, **kwargs, &blk|
@@ -173,6 +179,8 @@ module Aikido::Zen
       #
       # @note the block is executed within `safe` to handle errors safely; the original method is executed outside of `safe` to preserve the original behavior
       def sink_after(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
         presafe_sink_after(method_name) do |result, *args, **kwargs|
           DSL.safe do
             instance_exec(result, *args, **kwargs, &block)
@@ -191,6 +199,8 @@ module Aikido::Zen
       #
       # @return [void]
       def presafe_sink_around(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
         original = instance_method(method_name)
 
         define_method(method_name) do |*args, **kwargs, &blk|
@@ -219,6 +229,8 @@ module Aikido::Zen
       # @note the block is executed within `safe` to handle errors safely; the original method is executed within `presafe` to preserve the original behavior
       # @note if the block does not call `original_call`, the original method is called automatically after the block is executed
       def sink_around(method_name, &block)
+        raise ArgumentError, "block required" unless block
+
         presafe_sink_around(method_name) do |presafe_original_call, *args, **kwargs|
           original_called = false
           original_call = proc do

data/lib/aikido/zen/version.rb

@@ -2,7 +2,7 @@
 
 module Aikido
   module Zen
-    VERSION = "1.0.1.beta.5"
+    VERSION = "1.0.2.beta.2"
 
     # The version of libzen_internals that we build against.
     LIBZEN_VERSION = "0.1.39"

data/lib/aikido/zen.rb

@@ -165,6 +165,11 @@ module Aikido
       end
     end
 
+    # Align with other Zen implementations, while keeping internal consistency.
+    class << self
+      alias_method :set_user, :track_user
+    end
+
     # Marks that the Zen middleware was installed properly
     # @return void
     def self.middleware_installed!
@@ -209,7 +214,7 @@ module Aikido
     end
 
     def self.detached_agent_server
-      @detached_agent_server ||= DetachedAgent::Server.start!
+      @detached_agent_server ||= DetachedAgent::Server.start
     end
 
     class << self

data/tasklib/libzen.rake

@@ -76,6 +76,7 @@ LIBZENS = [
   LibZen.new("arm64-darwin.dylib", "libzen_internals_aarch64-apple-darwin.dylib"),
   LibZen.new("arm64-linux.so", "libzen_internals_aarch64-unknown-linux-gnu.so"),
   LibZen.new("arm64-linux-musl.so", "libzen_internals_aarch64-unknown-linux-musl.so"),
+  LibZen.new("aarch64-linux.so", "libzen_internals_aarch64-unknown-linux-gnu.so"),
   LibZen.new("x86_64-darwin.dylib", "libzen_internals_x86_64-apple-darwin.dylib"),
   LibZen.new("x86_64-linux.so", "libzen_internals_x86_64-unknown-linux-gnu.so"),
   LibZen.new("x86_64-linux-musl.so", "libzen_internals_x86_64-unknown-linux-musl.so"),

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aikido-zen
 version: !ruby/object:Gem::Version
-  version: 1.0.1.beta.5
+  version: 1.0.2.beta.2
 platform: x86_64-mingw-64
 authors:
 - Aikido Security
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-08-19 00:00:00.000000000 Z
+date: 2025-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -74,6 +74,7 @@ files:
 - benchmarks/rails7.1_sql_injection.js
 - docs/banner.svg
 - docs/config.md
+- docs/proxy.md
 - docs/rails.md
 - lib/aikido-zen.rb
 - lib/aikido/zen.rb