aikido-zen 1.0.2-aarch64-linux

data/lib/aikido/zen/request/heuristic_router.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+require_relative "../route"
+require_relative "../request"
+
+module Aikido::Zen
+  # Simple router implementation that just identifies the currently requested
+  # URL as a route, attempting to heuristically substitute any path segments
+  # that may look like a parameterized value by something descriptive.
+  #
+  # For example, "/categories/123/events/2024-10-01" would be matched as
+  # "/categories/:number/events/:date"
+  class Request::HeuristicRouter
+    # @param request [Aikido::Zen::Request]
+    # @return [Aikido::Zen::Route, nil]
+    def recognize(request)
+      path = parameterize(request.path)
+      Route.new(verb: request.request_method, path: path)
+    end
+
+    private def parameterize(path)
+      return if path.nil?
+
+      path = path.split("/").map { |part| parameterize_segment(part) }.join("/")
+      path.prepend("/") unless path.start_with?("/")
+      path.chomp!("/") if path.size > 1
+      path
+    end
+
+    private def parameterize_segment(segment)
+      case segment
+      when ULID
+        ":ulid"
+      when OBJECT_ID
+        ":objectId"
+      when NUMBER
+        ":number"
+      when UUID
+        ":uuid"
+      when DATE
+        ":date"
+      when EMAIL
+        ":email"
+      when IP
+        ":ip"
+      when HASH
+        ":hash"
+      when SecretMatcher
+        ":secret"
+      else
+        segment
+      end
+    end
+
+    NUMBER = /\A\d+\z/
+    HEX = /\A[a-f0-9]+\z/i
+    DATE = /\A\d{4}-\d{2}-\d{2}|\d{2}-\d{2}-\d{4}\z/
+    UUID = /\A
+            (?:[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}
+            | 00000000-0000-0000-0000-000000000000
+            | ffffffff-ffff-ffff-ffff-ffffffffffff
+            )\z/ix
+    ULID = /\A[0-9A-HJKMNP-TV-Z]{26}\z/i
+    OBJECT_ID = /\A[0-9a-f]{24}\z/i
+    EMAIL = /\A
+              [a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+
+              @
+              [a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?
+              (?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*
+            \z/x
+    IP = ->(segment) {
+      IPAddr::RE_IPV4ADDRLIKE.match?(segment) ||
+        IPAddr::RE_IPV6ADDRLIKE_COMPRESSED.match?(segment) ||
+        IPAddr::RE_IPV6ADDRLIKE_FULL.match?(segment)
+    }
+    HASH = ->(segment) { [32, 40, 64, 128].include?(segment.size) && HEX === segment }
+
+    class SecretMatcher
+      # Decides if a given string looks random enough to be a "secret".
+      #
+      # @param candidate [String]
+      # @return [Boolean]
+      def self.===(candidate)
+        new(candidate).matches?
+      end
+
+      private def initialize(string)
+        @string = string
+      end
+
+      def matches?
+        return false if @string.size <= MIN_LENGTH
+        return false if SEPARATORS === @string
+        return false unless DIGIT === @string
+        return false if [LOWER, UPPER, SPECIAL].none? { |pattern| pattern === @string }
+
+        ratios = @string.chars.each_cons(MIN_LENGTH).map do |window|
+          window.to_set.size / MIN_LENGTH.to_f
+        end
+
+        ratios.sum / ratios.size > SECRET_THRESHOLD
+      end
+
+      MIN_LENGTH = 10
+      SECRET_THRESHOLD = 0.75
+
+      LOWER = /[[:lower:]]/
+      UPPER = /[[:upper:]]/
+      DIGIT = /[[:digit:]]/
+      SPECIAL = /[!#\$%^&*|;:<>]/
+      SEPARATORS = /[[:space:]]|-/
+    end
+  end
+end

data/lib/aikido/zen/request/rails_router.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+require_relative "../route"
+require_relative "../request"
+
+module Aikido::Zen
+  # The Rails router relies on introspecting the routes defined in the Rails
+  # app to match the current request to the correct route, building Route
+  # objects that have the exact pattern defined by the developer, rather than
+  # a heuristic approximation.
+  #
+  # For example, given the following route definitions:
+  #
+  #   resources :posts do
+  #     resources :comments
+  #   end
+  #
+  # The router will map a request to "/posts/123/comments/234" to
+  # "/posts/:post_id/comments/:id(.:format)".
+  #
+  # @see Aikido::Zen::Router::HeuristicRouter
+  class Request::RailsRouter
+    def initialize(route_set)
+      @route_set = route_set
+    end
+
+    def recognize(request)
+      recognize_in_route_set(request, @route_set)
+    end
+
+    private def recognize_in_route_set(request, route_set, prefix: nil)
+      # ActionDispatch::Journey::Router#recognize modifies the Rack environment.
+      # This is correct for Rails routing, but it is not expected to be used in
+      # Rack middleware, and using it here can break Rails routing.
+      #
+      # To avoid this, the Rack environment is duplicated when building request.
+      route_set.router.recognize(request) do |route, _|
+        app = route.app
+        next unless app.matches?(request)
+
+        if app.dispatcher?
+          return build_route(route, request, prefix: prefix)
+        end
+
+        if app.engine?
+          # If the SCRIPT_NAME has any path parameters, we want those to be
+          # captured by the router. (eg `mount API => "/api/:version/`)
+          prefix = ActionDispatch::Routing::RouteWrapper.new(route).path
+          return recognize_in_route_set(request, app.rack_app.routes, prefix: prefix)
+        end
+
+        if app.rack_app.respond_to?(:redirect?) && app.rack_app.redirect?
+          return build_route(route, request, prefix: prefix)
+        end
+
+        # At this point we're matching plain Rack apps, where Rails does not
+        # remove the SCRIPT_NAME from PATH_INFO, so we should avoid adding
+        # SCRIPT_NAME twice.
+        return build_route(route, request, prefix: nil)
+      end
+
+      nil
+    end
+
+    private
+
+    def build_route(route, request, prefix: request.script_name)
+      route_wrapper = ActionDispatch::Routing::RouteWrapper.new(route)
+
+      path = if prefix.present?
+        prefix_route_path(prefix.to_s, route_wrapper.path)
+      else
+        route_wrapper.path
+      end
+
+      Aikido::Zen::Route.new(verb: request.request_method, path: path)
+    end
+
+    def prefix_route_path(string1, string2)
+      # The strings appear to start with "/", allowing them to be concatenated
+      # directly after removing trailing "/". However, as it is not currently
+      # known whether this is guaranteed, we insert a separator when necessary.
+
+      separator = string2.start_with?("/") ? "" : "/"
+
+      string1 = string1.chomp("/")
+      string2 = string2.chomp("/")
+
+      "#{string1}#{separator}#{string2}"
+    end
+  end
+end

data/lib/aikido/zen/request/schema/auth_discovery.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require_relative "auth_schemas"
+
+module Aikido::Zen
+  class Request::Schema
+    class AuthDiscovery
+      def initialize(context)
+        @context = context
+      end
+
+      def schemas
+        schemas = []
+        schemas << extract_from_authorization_header if headers["Authorization"]
+        schemas.concat(extract_from_headers)
+        schemas.concat(extract_from_cookies)
+
+        AuthSchemas.new(schemas)
+      end
+
+      private
+
+      def extract_from_authorization_header
+        type, _ = headers["Authorization"].to_s.split(/\s+/, 2)
+
+        if AUTHORIZATION_SCHEMES.include?(type.to_s.downcase)
+          AuthSchemas::Authorization.new(type)
+        else
+          AuthSchemas::ApiKey.new(:header, "Authorization")
+        end
+      end
+
+      def extract_from_headers
+        (headers.keys & COMMON_API_KEY_HEADERS)
+          .map { |header| AuthSchemas::ApiKey.new(:header, header) }
+      end
+
+      def extract_from_cookies
+        cookie_names = @context.payload_sources[:cookie].keys.map(&:downcase)
+
+        (cookie_names & COMMON_COOKIE_NAMES)
+          .map { |cookie| AuthSchemas::ApiKey.new(:cookie, cookie) }
+      end
+
+      def headers
+        @context.request.normalized_headers
+      end
+
+      AUTHORIZATION_SCHEMES = %w[
+        basic
+        bearer
+        digest
+        dpop
+        gnap
+        hoba
+        mutal
+        negotiate
+        privatetoken
+        scram-sha-1
+        scram-sha-256
+        vapid
+      ].freeze
+
+      COMMON_API_KEY_HEADERS = %w[
+        Apikey
+        Api-Key
+        Token
+        X-Api-Key
+        X-Token
+      ]
+
+      COMMON_COOKIE_NAMES = %w[
+        user_id
+        auth
+        session
+        jwt
+        token
+        sid
+        connect.sid
+        auth_token
+        access_token
+        refresh_token
+      ]
+    end
+  end
+end

data/lib/aikido/zen/request/schema/auth_schemas.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  class Request::Schema
+    class AuthSchemas
+      attr_reader :schemas
+
+      def initialize(schemas)
+        @schemas = schemas
+      end
+
+      def merge(other)
+        self.class.new((schemas + other.schemas).uniq)
+      end
+      alias_method :|, :merge
+
+      def as_json
+        @schemas.map(&:as_json) unless @schemas.empty?
+      end
+
+      def self.from_json(schemas_array)
+        return NONE if !schemas_array || schemas_array.empty?
+
+        AuthSchemas.new(schemas_array.map do |schema|
+          if schema[:type] == "http"
+            Authorization.new(schema[:scheme])
+          elsif schema[:type] == "apiKey"
+            ApiKey.new(schema[:in], schema[:name])
+          else
+            raise "Invalid schema type: #{schema[:type]}"
+          end
+        end)
+      end
+
+      def ==(other)
+        other.is_a?(self.class) && schemas == other.schemas
+      end
+
+      NONE = new([])
+
+      Authorization = Struct.new(:scheme) do
+        def as_json
+          {type: "http", scheme: scheme.downcase}
+        end
+      end
+
+      ApiKey = Struct.new(:location, :name) do
+        def as_json
+          {type: "apiKey", in: location, name: name}.compact
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/request/schema/builder.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+require_relative "definition"
+require_relative "empty_schema"
+require_relative "auth_discovery"
+
+module Aikido::Zen
+  class Request::Schema
+    # @api private
+    class Builder
+      def initialize(context: Aikido::Zen.current_context, config: Aikido::Zen.config)
+        @context = context
+        @config = config
+        @max_depth = @config.api_schema_collection_max_depth
+        @max_props = @config.api_schema_collection_max_properties
+      end
+
+      def schema
+        Request::Schema.new(
+          content_type: body_data_type,
+          body_schema: body_schema,
+          query_schema: query_schema,
+          auth_schema: AuthDiscovery.new(@context).schemas
+        )
+      end
+
+      private
+
+      def new(definition)
+        Aikido::Zen::Request::Schema::Definition.new(definition)
+      end
+
+      def request
+        @context.request
+      end
+
+      def body_data_type
+        media_type = request.media_type.to_s
+
+        # If the media type includes any tree other than the standard (vnd., prs.,
+        # x., etc) and a suffix, then remove that bit and just keep the suffix,
+        # which should tell us what the underlying data structure is.
+        #
+        # application/json               => application/json
+        # application/vnd.github.v3+json => application/json
+        media_type = media_type.sub(%r{/.*\+}, "/") if media_type.include?("+")
+
+        DATA_TYPES.fetch(media_type, nil)
+      end
+
+      def query_schema
+        return EMPTY_SCHEMA if request.query_string.to_s.empty?
+
+        discover_schema(@context.payload_sources[:query])
+      end
+
+      def body_schema
+        return EMPTY_SCHEMA if request.content_length.to_i.zero?
+
+        discover_schema(sanitize_data(@context.payload_sources[:body]))
+      end
+
+      def discover_schema(object, depth: 0)
+        case object
+        when nil
+          new(type: "null")
+        when true, false
+          new(type: "boolean")
+        when String
+          new(type: "string")
+        when Numeric
+          new(type: "number")
+        when Array
+          # If the array has at least one item, we assume it's homogeneous for
+          # performance reasons, and so only inspect the type of the first one.
+          sub_schema = {items: discover_schema(object.first, depth: depth + 1)} unless object.empty?
+          new({type: "array"}.merge(sub_schema.to_h))
+        when Hash
+          object
+            .take(@max_props)
+            .each_with_object({type: "object", properties: {}}) { |(key, value), schema|
+              break schema if depth >= @max_depth
+              schema[:properties][key] = discover_schema(value, depth: depth + 1)
+            }
+            .then { |dfn| new(dfn) }
+        end
+      end
+
+      # By default, Rails' automatic decoding wraps non Hash inputs in a Hash
+      # with a _json key, so that the "params" object is always a Hash. So, for
+      # example, the request body: '["this","is","json"]' is transformed to
+      # '{"_json": ["this","is","json"]}' before being passed to the controller.
+      #
+      # We want to make sure to avoid this extra key when building the schema,
+      # since we won't be able to play back requests with it.
+      def sanitize_data(data)
+        return data unless @context.request.framework == "rails"
+        return data unless data.is_a?(Hash)
+
+        if data.is_a?(Hash) && data.keys == ["_json"]
+          data["_json"]
+        else
+          data
+        end
+      end
+
+      DATA_TYPES = {
+        "application/csp-report" => :json,
+        "application/x-json" => :json,
+        "application/json" => :json,
+
+        "application/x-www-form-urlencoded" => :"form-urlencoded",
+
+        "multipart/form-data" => :"form-data",
+
+        "application/xml" => :xml,
+        "text/xml" => :xml
+      }
+    end
+  end
+end

data/lib/aikido/zen/request/schema/definition.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+require "forwardable"
+require_relative "empty_schema"
+
+module Aikido::Zen
+  class Request::Schema
+    # @api private
+    #
+    # The "JSON Schema"-like implementation that we extract from looking at the
+    # request body and/or query string.
+    class Definition
+      extend Forwardable
+      def_delegators :definition, :deconstruct_keys
+
+      def initialize(definition)
+        @definition = definition
+      end
+
+      # Recursively merges this schema definition with another one.
+      #
+      # * Properties missing in one or the other schemas are treated as optional.
+      # * Merging any property with a null schema results in an optional schema.
+      # * Number and Integer schemas are merged into Number schemas, since it's
+      #   the more permissive of the types.
+      #
+      # Other than that, everything else just results in additive merging,
+      # resulting in combining types together.
+      #
+      # @param other [Aikido::Zen::Request::Schema::Definition, nil]
+      # @return [Aikido::Zen::Request::Schema::Definition]
+      #
+      # @see https://cswr.github.io/JsonSchema/spec/introduction/
+      def merge(other)
+        case [self, other]
+
+        # Merging with itself or with nil results in just a copy
+        in [obj, ^obj | nil | EMPTY_SCHEMA]
+          dup
+
+        # objects where at least one of them has properties
+        in [{type: "object", properties: _}, {type: "object", properties: _}] |
+           [{type: "object", properties: _}, {type: "object"}] |
+           [{type: "object"}, {type: "object", properties: _}]
+          left, right = definition[:properties], other.definition[:properties]
+          merged_props = (left.keys.to_a | right.keys.to_a)
+            .map { |key| [key, left.fetch(key, NULL).merge(right.fetch(key, NULL))] }
+            .to_h
+          new(definition.merge(other.definition).merge(properties: merged_props))
+
+        # arrays where at least one of them has items
+        in [{type: "array", items: _}, {type: "array", items: _}] |
+           [{type: "array", items: _}, {type: "array"}] |
+           [{type: "array"}, {type: "array", items: _}]
+          items = [definition[:items], other.definition[:items]].compact.reduce(:merge)
+          new(definition.merge(other.definition).merge({items: items}.compact))
+
+        # x | x => x
+        in {type: type}, {type: ^type}
+          new(definition.merge(other.definition))
+
+        # any | null => any?
+        in {type: "null"}, {type: _}
+          new(other.definition.merge(optional: true))
+        in {type: _}, {type: "null"}
+          new(definition.merge(optional: true))
+
+        # x | y => [x, y] if x != y
+        else
+          left_type, right_type = definition[:type], other.definition[:type]
+          types = [left_type, right_type].flatten.uniq.sort
+          new(definition.merge(other.definition).merge(type: types))
+
+        end
+      end
+      alias_method :|, :merge
+
+      def ==(other)
+        as_json == other.as_json
+      end
+
+      def as_json
+        definition
+          .transform_keys(&:to_s)
+          .transform_values do |val|
+            val.respond_to?(:as_json) ? val.as_json : val
+          end
+      end
+
+      def inspect
+        format("#<%s %p>", self.class, definition)
+      end
+
+      protected
+
+      attr_reader :definition
+
+      private
+
+      def new(definition)
+        self.class.new(definition)
+      end
+
+      NULL = new(type: "null") # used as a stand-in to merge missing object props
+    end
+  end
+end

data/lib/aikido/zen/request/schema/empty_schema.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  class Request::Schema
+    # @!visibility private
+    #
+    # Singleton used as a placeholder until we get a schema for a request.
+    # When "merged" it waits until a non-nil value is given and returns that.
+    EMPTY_SCHEMA = Object.new
+
+    class << EMPTY_SCHEMA
+      # @!visibility private
+      def merge(schema)
+        schema || self
+      end
+      alias_method :|, :merge
+
+      # @!visibility private
+      def as_json
+        nil
+      end
+
+      def inspect
+        "#<Aikido::Zen::Schema EMPTY>"
+      end
+    end
+  end
+end

data/lib/aikido/zen/request/schema.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require "forwardable"
+
+module Aikido::Zen
+  # Defines the shape of a request received by your application as seen by Zen.
+  # This is used to understand how requests are made against your app, so
+  # dynamic security testing on your API endpoints can take place.
+  #
+  # @see Aikido::Zen::Config#api_schema_collection_enabled?
+  class Request::Schema
+    # @return [Symbol, nil] an identifier for the Content-Type header of the
+    #   request, if sent.
+    attr_reader :content_type
+
+    # @return [Aikido::Zen::Request::Schema::Definition]
+    attr_reader :body_schema
+
+    # @return [Aikido::Zen::Request::Schema::Definition]
+    attr_reader :query_schema
+
+    # @return [Aikido::Zen::Request::Schema::AuthSchemas]
+    attr_reader :auth_schema
+
+    # Extracts the request information from the current Context (if configured)
+    # and builds a Schema out of it.
+    #
+    # @param context [Aikido::Zen::Context, nil]
+    # @return [Aikido::Zen::Request::Schema, nil]
+    def self.build(context = Aikido::Zen.current_context)
+      return if context.nil?
+
+      Request::Schema::Builder.new(context: context).schema
+    end
+
+    def initialize(content_type:, body_schema:, query_schema:, auth_schema:)
+      @content_type = content_type
+      @query_schema = query_schema
+      @body_schema = body_schema
+      @auth_schema = auth_schema
+    end
+
+    # @return [Hash]
+    def as_json
+      body = {type: content_type, schema: body_schema.as_json}.compact
+      body = nil if body.empty?
+
+      {body: body, query: query_schema.as_json, auth: auth_schema.as_json}.compact
+    end
+
+    def self.from_json(data)
+      if data.empty?
+        return Request::Schema.new(
+          content_type: nil,
+          body_schema: EMPTY_SCHEMA,
+          query_schema: EMPTY_SCHEMA,
+          auth_schema: Aikido::Zen::Request::Schema::AuthSchemas.new([])
+        )
+      end
+
+      Request::Schema.new(
+        content_type: data[:body].nil? ? nil : data[:body][:type],
+        body_schema: data[:body].nil? ? EMPTY_SCHEMA : Aikido::Zen::Request::Schema::Definition.new(data[:body][:schema]),
+        query_schema: data[:query].nil? ? EMPTY_SCHEMA : Aikido::Zen::Request::Schema::Definition.new(data[:query]),
+        auth_schema: Aikido::Zen::Request::Schema::AuthSchemas.from_json(data[:auth])
+      )
+    end
+
+    # Merges the request specification with another request's specification.
+    #
+    # @param other [Aikido::Zen::Request::Schema, nil]
+    # @return [Aikido::Zen::Request::Schema]
+    def merge(other)
+      return self if other.nil?
+
+      self.class.new(
+        content_type: other.content_type,
+        body_schema: body_schema.merge(other.body_schema),
+        query_schema: query_schema.merge(other.query_schema),
+        auth_schema: auth_schema.merge(other.auth_schema)
+      )
+    end
+    alias_method :|, :merge
+  end
+end
+
+require_relative "schema/builder"