aikido-zen 1.0.2-aarch64-linux

data/lib/aikido/zen/middleware/request_tracker.rb

@@ -0,0 +1,197 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Middleware
+    # Rack middleware used to track request
+    # It implements the logic under that which is considered worthy of being tracked.
+    class RequestTracker
+      def initialize(app, settings: Aikido::Zen.runtime_settings)
+        @app = app
+        @settings = settings
+      end
+
+      def call(env)
+        request = Aikido::Zen::Middleware.request_from(env)
+        response = @app.call(env)
+
+        if request.route && track?(
+          status_code: response[0],
+          route: request.route.path,
+          http_method: request.request_method,
+          ip: request.ip
+        )
+          Aikido::Zen.track_request(request)
+
+          if Aikido::Zen.config.collect_api_schema?
+            Aikido::Zen.track_discovered_route(request)
+          end
+        end
+
+        response
+      end
+
+      IGNORED_METHODS = %w[OPTIONS HEAD]
+      IGNORED_EXTENSIONS = %w[properties config webmanifest]
+      IGNORED_SEGMENTS = ["cgi-bin"]
+      WELL_KNOWN_URIS = %w[
+        /.well-known/acme-challenge
+        /.well-known/amphtml
+        /.well-known/api-catalog
+        /.well-known/appspecific
+        /.well-known/ashrae
+        /.well-known/assetlinks.json
+        /.well-known/broadband-labels
+        /.well-known/brski
+        /.well-known/caldav
+        /.well-known/carddav
+        /.well-known/change-password
+        /.well-known/cmp
+        /.well-known/coap
+        /.well-known/coap-eap
+        /.well-known/core
+        /.well-known/csaf
+        /.well-known/csaf-aggregator
+        /.well-known/csvm
+        /.well-known/did.json
+        /.well-known/did-configuration.json
+        /.well-known/dnt
+        /.well-known/dnt-policy.txt
+        /.well-known/dots
+        /.well-known/ecips
+        /.well-known/edhoc
+        /.well-known/enterprise-network-security
+        /.well-known/enterprise-transport-security
+        /.well-known/est
+        /.well-known/genid
+        /.well-known/gnap-as-rs
+        /.well-known/gpc.json
+        /.well-known/gs1resolver
+        /.well-known/hoba
+        /.well-known/host-meta
+        /.well-known/host-meta.json
+        /.well-known/hosting-provider
+        /.well-known/http-opportunistic
+        /.well-known/idp-proxy
+        /.well-known/jmap
+        /.well-known/keybase.txt
+        /.well-known/knx
+        /.well-known/looking-glass
+        /.well-known/masque
+        /.well-known/matrix
+        /.well-known/mercure
+        /.well-known/mta-sts.txt
+        /.well-known/mud
+        /.well-known/nfv-oauth-server-configuration
+        /.well-known/ni
+        /.well-known/nodeinfo
+        /.well-known/nostr.json
+        /.well-known/oauth-authorization-server
+        /.well-known/oauth-protected-resource
+        /.well-known/ohttp-gateway
+        /.well-known/openid-federation
+        /.well-known/open-resource-discovery
+        /.well-known/openid-configuration
+        /.well-known/openorg
+        /.well-known/oslc
+        /.well-known/pki-validation
+        /.well-known/posh
+        /.well-known/privacy-sandbox-attestations.json
+        /.well-known/private-token-issuer-directory
+        /.well-known/probing.txt
+        /.well-known/pvd
+        /.well-known/rd
+        /.well-known/related-website-set.json
+        /.well-known/reload-config
+        /.well-known/repute-template
+        /.well-known/resourcesync
+        /.well-known/sbom
+        /.well-known/security.txt
+        /.well-known/ssf-configuration
+        /.well-known/sshfp
+        /.well-known/stun-key
+        /.well-known/terraform.json
+        /.well-known/thread
+        /.well-known/time
+        /.well-known/timezone
+        /.well-known/tdmrep.json
+        /.well-known/tor-relay
+        /.well-known/tpcd
+        /.well-known/traffic-advice
+        /.well-known/trust.txt
+        /.well-known/uma2-configuration
+        /.well-known/void
+        /.well-known/webfinger
+        /.well-known/webweaver.json
+        /.well-known/wot
+      ]
+
+      # @param status_code [Integer]
+      # @param route [String]
+      # @param http_method [String]
+      def track?(status_code:, route:, http_method:, ip: nil)
+        # Bypass request and route tracking for allowed IPs
+        return false if @settings.allowed_ips.include?(ip)
+
+        # In the UI we want to show only successful (2xx) or redirect (3xx) responses
+        # anything else is discarded.
+        return false unless status_code >= 200 && status_code <= 399
+
+        return false if IGNORED_METHODS.include?(http_method)
+
+        segments = route.split "/"
+
+        # Do not discover routes with dot files like `/path/to/.file` or `/.directory/file`
+        # We want to allow discovery of well-known URIs like `/.well-known/acme-challenge`
+        return false if segments.any? { |s| is_dot_file s } && !is_well_known_uri(route)
+
+        return false if segments.any? { |s| contains_ignored_string s }
+
+        # Check for every file segment if it contains a file extension and if it
+        # should be discovered or ignored
+        segments.all? { |s| should_track_extension s }
+      end
+
+      private
+
+      # Check if a path is a well-known URI
+      # e.g. /.well-known/acme-challenge
+      # https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
+      def is_well_known_uri(route)
+        WELL_KNOWN_URIS.include?(route)
+      end
+
+      def is_dot_file(segment)
+        segment.start_with?(".") && segment.size > 1
+      end
+
+      def contains_ignored_string(segment)
+        IGNORED_SEGMENTS.any? { |ignored| segment.include?(ignored) }
+      end
+
+      # Ignore routes which contain file extensions
+      def should_track_extension(segment)
+        extension = get_file_extension(segment)
+
+        return true unless extension
+
+        # Do not discover files with extensions of 1 to 5 characters,
+        # e.g. file.css, file.js, file.woff2
+        return false if extension.size > 1 && extension.size < 6
+
+        # Ignore some file extensions that are longer than 5 characters or shorter than 2 chars
+        return false if IGNORED_EXTENSIONS.include?(extension)
+
+        true
+      end
+
+      def get_file_extension(segment)
+        extension = File.extname(segment)
+        if extension&.start_with?(".")
+          # Remove the dot from the extension
+          return extension[1..]
+        end
+        extension
+      end
+    end
+  end
+end

data/lib/aikido/zen/outbound_connection.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Simple data object to identify connections performed to outbound servers.
+  class OutboundConnection
+    def self.from_json(data)
+      new(
+        host: data[:hostname],
+        port: data[:port]
+      )
+    end
+
+    # Convenience factory to create connection descriptions out of URI objects.
+    #
+    # @param uri [URI]
+    # @return [Aikido::Zen::OutboundConnection]
+    def self.from_uri(uri)
+      new(host: uri.hostname, port: uri.port)
+    end
+
+    # @return [String] the hostname or IP address to which the connection was
+    #   attempted.
+    attr_reader :host
+
+    # @return [Integer] the port number to which the connection was attempted.
+    attr_reader :port
+
+    # @return [Integer] the number of times that this connection was seen by
+    #   the hosts collector.
+    attr_reader :hits
+
+    def initialize(host:, port:)
+      @host = host
+      @port = port
+    end
+
+    def hit
+      # Lazy initialize @hits, so it stays nil until the connection is tracked.
+      @hits ||= 0
+      @hits += 1
+    end
+
+    def as_json
+      {hostname: host, port: port, hits: hits}.compact
+    end
+
+    def ==(other)
+      other.is_a?(OutboundConnection) &&
+        host == other.host &&
+        port == other.port
+    end
+    alias_method :eql?, :==
+
+    def hash
+      [host, port].hash
+    end
+
+    def inspect
+      "#<#{self.class.name} #{host}:#{port}>"
+    end
+  end
+end

data/lib/aikido/zen/outbound_connection_monitor.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # This simple callable follows the Scanner API so that it can be injected into
+  # any Sink that wraps an HTTP library, and lets us keep track of any hosts to
+  # which the app communicates over HTTP.
+  module OutboundConnectionMonitor
+    def self.skips_on_nil_context?
+      false
+    end
+
+    # This simply reports the connection to the Agent, and always returns +nil+
+    # as it's not scanning for any particular attack.
+    #
+    # @param connection [Aikido::Zen::OutboundConnection]
+    # @return [nil]
+    def self.call(connection:, **)
+      Aikido::Zen.track_outbound(connection)
+
+      nil
+    end
+  end
+end

data/lib/aikido/zen/package.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative "sink"
+
+module Aikido::Zen
+  Package = Struct.new(:name, :version) do
+    def initialize(name, version, sinks = Aikido::Zen::Sinks.registry)
+      super(name, version)
+      @sinks = sinks
+    end
+
+    # @return [Boolean] whether we explicitly protect against exploits in this
+    #   library.
+    def supported?
+      @sinks.include?(name)
+    end
+
+    def as_json
+      {name => version.to_s}
+    end
+  end
+end

data/lib/aikido/zen/payload.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # An individual user input in a request, which may come from different
+  # sources (query string, body, cookies, etc).
+  class Payload
+    attr_reader :value, :source, :path
+
+    def initialize(value, source, path)
+      @value = value
+      @source = source
+      @path = path
+    end
+
+    UNKNOWN_PAYLOAD = Payload.new("unknown", "unknown", "unknown")
+
+    alias_method :to_s, :value
+
+    def ==(other)
+      other.is_a?(Payload) &&
+        other.value == value &&
+        other.source == source &&
+        other.path == path
+    end
+
+    def as_json
+      {
+        payload: value.to_s,
+        source: SOURCE_SERIALIZATIONS[source],
+        path: path.to_s
+      }
+    end
+
+    SOURCE_SERIALIZATIONS = {
+      query: "query",
+      body: "body",
+      header: "headers",
+      cookie: "cookies",
+      route: "routeParams",
+      graphql: "graphql",
+      xml: "xml",
+      subdomain: "subdomains"
+    }
+
+    def inspect
+      val = (value.to_s.size > 128) ? value[0..125] + "..." : value
+      "#<Aikido::Zen::Payload #{source}(#{path}) #{val.inspect}>"
+    end
+  end
+end

data/lib/aikido/zen/rails_engine.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "action_dispatch"
+
+module Aikido::Zen
+  class RailsEngine < ::Rails::Engine
+    config.before_configuration do
+      # Access library configuration at `Rails.application.config.zen`.
+      config.zen = Aikido::Zen.config
+    end
+
+    initializer "aikido.add_middleware" do |app|
+      app.middleware.insert_before 0, Aikido::Zen::Middleware::ForkDetector
+
+      app.middleware.use Aikido::Zen::Middleware::ContextSetter
+      app.middleware.use Aikido::Zen::Middleware::AllowedAddressChecker
+      app.middleware.use Aikido::Zen::Middleware::AttackWaveProtector
+      # Request Tracker stats do not consider failed request or 40x, so the middleware
+      # must be the last one wrapping the request.
+      app.middleware.use Aikido::Zen::Middleware::RequestTracker
+
+      ActiveSupport.on_load(:action_controller) do
+        # Due to how Rails sets up its middleware chain, the routing is evaluated
+        # (and the Request object constructed) in the app that terminates the
+        # chain, so no amount of middleware will be able to access it.
+        #
+        # This way, we overwrite the Request object as early as we can in the
+        # request handling, so that by the time we start evaluating inputs, we
+        # have assigned the request correctly.
+        before_action { Aikido::Zen.current_context.update_request(request) }
+      end
+    end
+
+    initializer "aikido.configuration" do |app|
+      app.config.zen.request_builder = Aikido::Zen::Context::RAILS_REQUEST_BUILDER
+
+      # Plug Rails' JSON encoder/decoder, but only if the user hasn't changed
+      # them for something else.
+      if app.config.zen.json_encoder == Aikido::Zen::Config::DEFAULT_JSON_ENCODER
+        app.config.zen.json_encoder = ActiveSupport::JSON.method(:encode)
+      end
+
+      if app.config.zen.json_decoder == Aikido::Zen::Config::DEFAULT_JSON_DECODER
+        app.config.zen.json_decoder = ActiveSupport::JSON.method(:decode)
+      end
+    end
+
+    config.after_initialize do
+      # Start the Aikido Agent only once the application starts.
+      Aikido::Zen.start!
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter/breaker.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require_relative "bucket"
+
+module Aikido::Zen
+  # @api private
+  #
+  # Circuit breaker that rate limits internal API requests in two ways: By using
+  # a sliding window, to allow only a certain number of events over that window,
+  # and with the ability of manually being tripped open when the API responds to
+  # a request with a 429.
+  class RateLimiter::Breaker
+    def initialize(config: Aikido::Zen.config, clock: RateLimiter::Bucket::DEFAULT_CLOCK)
+      @config = config
+      @clock = clock
+
+      @bucket = RateLimiter::Bucket.new(
+        ttl: config.client_rate_limit_period,
+        max_size: config.client_rate_limit_max_events,
+        clock: clock
+      )
+      @opened_at = nil
+    end
+
+    # Trip the circuit open to force all events to be throttled until the
+    # deadline passes.
+    #
+    # @see Aikido::Zen::Config#server_rate_limit_deadline
+    # @return [void]
+    def open!
+      @opened_at = @clock.call
+    end
+
+    # @param event_type [String] an event type which we'll use to decide
+    #   if we should throttle it.
+    # @return [Boolean]
+    def throttle?(event_type)
+      return true if open? && !try_close
+
+      result = @bucket.increment(event_type)
+      result.throttled?
+    end
+
+    # @!visibility private
+    # @return [Boolean]
+    def open?
+      @opened_at
+    end
+
+    private
+
+    def past_deadline?
+      @opened_at < @clock.call - @config.server_rate_limit_deadline
+    end
+
+    def try_close
+      @opened_at = nil if past_deadline?
+      @opened_at.nil?
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter/bucket.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require_relative "../synchronizable"
+require_relative "result"
+
+module Aikido::Zen
+  # This models a "sliding window" rate limiting bucket (where we keep a bucket
+  # per endpoint). The timestamps of requests are kept grouped by client, and
+  # when a new request is made, we check if the number of requests falls within
+  # the configured limit.
+  #
+  # @example
+  #   bucket = Aikido::Zen::RateLimiter::Bucket.new(ttl: 60, max_size: 3)
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 1)
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 2)
+  #
+  #   # 30 seconds go by
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 3)
+  #
+  #   # 20 more seconds go by
+  #   bucket.increment("1.2.3.4") #=> false (count for this key: 3)
+  #
+  #   # 20 more seconds go by
+  #   bucket.increment("1.2.3.4") #=> true (count for this key: 2)
+  #
+  class RateLimiter::Bucket
+    prepend Synchronizable
+
+    # @!visibility private
+    #
+    # Use the monotonic clock to ensure time differences are consistent
+    # and not affected by timezones.or daylight savings changes.
+    DEFAULT_CLOCK = -> { Process.clock_gettime(Process::CLOCK_MONOTONIC).round }
+
+    def initialize(ttl:, max_size:, clock: DEFAULT_CLOCK)
+      @ttl = ttl
+      @max_size = max_size
+      @data = Hash.new { |h, k| h[k] = [] }
+      @clock = clock
+    end
+
+    # Increments the key if the number of entries within the current TTL window
+    # is below the configured threshold.
+    #
+    # @param key [String] discriminating key to identify a client.
+    #   See {Aikido::Zen::Config#rate_limiting_discriminator}.
+    #
+    # @return [Aikido::Zen::RateLimiter::Result] the result of the operation and
+    #   statistics on this bucket for the given key.
+    def increment(key)
+      synchronize do
+        time = @clock.call
+        evict(key, at: time)
+
+        entries = @data[key]
+        throttled = entries.size >= @max_size
+
+        entries << time unless throttled
+
+        RateLimiter::Result.new(
+          throttled: throttled,
+          discriminator: key,
+          current_requests: entries.size,
+          max_requests: @max_size,
+          time_remaining: @ttl - (time - entries.min)
+        )
+      end
+    end
+
+    private
+
+    def evict(key, at: @clock.call)
+      synchronize { @data[key].delete_if { |time| time < (at - @ttl) } }
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter/result.rb

@@ -0,0 +1,31 @@
+module Aikido::Zen
+  # Holds the stats after checking if a request should be rate limited, which
+  # will be added to the Rack env.
+  class RateLimiter::Result
+    # @return [String] the output of the configured discriminator block, used to
+    #   uniquely identify a client (e.g. the remote IP).
+    attr_reader :discriminator
+
+    # @return [Integer] number of requests for the client in the current window.
+    attr_reader :current_requests
+
+    # @return [Integer] configured max number of requests per client.
+    attr_reader :max_requests
+
+    # @return [Integer] number of seconds remaining until the window resets.
+    attr_reader :time_remaining
+
+    def initialize(throttled:, discriminator:, current_requests:, max_requests:, time_remaining:)
+      @throttled = throttled
+      @discriminator = discriminator
+      @current_requests = current_requests
+      @max_requests = max_requests
+      @time_remaining = time_remaining
+    end
+
+    # @return [Boolean] whether the current request was throttled or not.
+    def throttled?
+      @throttled
+    end
+  end
+end

data/lib/aikido/zen/rate_limiter.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require_relative "synchronizable"
+require_relative "middleware/rack_throttler"
+
+module Aikido::Zen
+  # Keeps track of all requests in this process, broken up by Route and further
+  # discriminated by client. Provides a single method that checks if a certain
+  # Request needs to be throttled or not.
+  class RateLimiter
+    prepend Synchronizable
+
+    def initialize(
+      config: Aikido::Zen.config,
+      settings: Aikido::Zen.runtime_settings
+    )
+      @config = config
+      @settings = settings
+      @buckets = Hash.new { |store, route|
+        synchronize {
+          settings = settings_for(route)
+          store[route] = Bucket.new(ttl: settings.period, max_size: settings.max_requests)
+        }
+      }
+    end
+
+    # Calculate based on the configuration whether a request will be
+    # rate-limited or not.
+    #
+    # @param request [Aikido::Zen::Request]
+    # @return [Aikido::Zen::RateLimiter::Result, nil]
+    def calculate_rate_limits(request)
+      settings = settings_for(request.route)
+      return nil unless settings.enabled?
+
+      bucket = @buckets[request.route]
+      key = @config.rate_limiting_discriminator.call(request)
+      bucket.increment(key)
+    end
+
+    private
+
+    def settings_for(route)
+      @settings.endpoints[route].rate_limiting
+    end
+  end
+end
+
+require_relative "rate_limiter/bucket"
+require_relative "rate_limiter/breaker"