aikido-zen 1.0.2-aarch64-linux

data/lib/aikido/zen/request.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require "delegate"
+
+module Aikido::Zen
+  # Wrapper around Rack::Request-like objects to add some behavior.
+  class Request < SimpleDelegator
+    # @return [String] identifier of the framework handling this HTTP request.
+    attr_reader :framework
+
+    # @return [Aikido::Zen::Router]
+    attr_reader :router
+
+    # The current user, if set by the host app.
+    #
+    # @return [Aikido::Zen::Actor, nil]
+    # @see Aikido::Zen.track_user
+    attr_accessor :actor
+
+    def initialize(delegate, config = Aikido::Zen.config, framework:, router:)
+      super(delegate)
+      @config = config
+      @framework = framework
+      @router = router
+    end
+
+    def __setobj__(delegate) # :nodoc:
+      super
+      @route = @normalized_header = nil
+    end
+
+    # @return [Aikido::Zen::Route] the framework route being requested.
+    def route
+      @route ||= @router.recognize(self)
+    end
+
+    # @return [Aikido::Zen::Request::Schema, nil]
+    def schema
+      @schema ||= Aikido::Zen::Request::Schema.build
+    end
+
+    # @return [String] the IP address of the client making the request.
+    def client_ip
+      return @client_ip if @client_ip
+
+      if @config.client_ip_header
+        value = env[@config.client_ip_header]
+        if Resolv::AddressRegex.match?(value)
+          @client_ip = value
+        else
+          @config.logger.warn("Invalid IP address in custom client IP header `#{@config.client_ip_header}`: `#{value}`")
+        end
+      end
+
+      @client_ip ||= respond_to?(:remote_ip) ? remote_ip : ip
+    end
+
+    # Map the CGI-style env Hash into "pretty-looking" headers, preserving the
+    # values as-is. For example, HTTP_ACCEPT turns into "Accept", CONTENT_TYPE
+    # turns into "Content-Type", and HTTP_X_FORWARDED_FOR turns into
+    # "X-Forwarded-For".
+    #
+    # @return [Hash<String, String>]
+    def normalized_headers
+      @normalized_headers ||= env.slice(*BLESSED_CGI_HEADERS)
+        .merge(env.select { |key, _| key.start_with?("HTTP_") })
+        .transform_keys { |header|
+          name = header.sub(/^HTTP_/, "").downcase
+          name.split("_").map { |part| part[0].upcase + part[1..] }.join("-")
+        }
+    end
+
+    def as_json
+      {
+        method: request_method.upcase,
+        url: url,
+        ipAddress: client_ip,
+        userAgent: user_agent,
+        source: framework,
+        route: route&.path
+      }
+    end
+
+    BLESSED_CGI_HEADERS = %w[CONTENT_TYPE CONTENT_LENGTH]
+  end
+end
+
+require_relative "request/schema"

data/lib/aikido/zen/route.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Routes keep information about the mapping defined in the current web
+  # framework to go from a given HTTP request to the code that handles said
+  # request.
+  class Route
+    def self.from_json(data)
+      new(
+        verb: data[:method],
+        path: data[:path]
+      )
+    end
+
+    # @return [String] the HTTP verb used to request this route.
+    attr_reader :verb
+
+    # @return [String] the URL pattern used to match request paths. For
+    #   example "/users/:id".
+    attr_reader :path
+
+    def initialize(verb:, path:)
+      @verb = verb
+      @path = path
+    end
+
+    def as_json
+      {method: verb, path: path}
+    end
+
+    def ==(other)
+      other.is_a?(Route) &&
+        other.verb == verb &&
+        other.path == path
+    end
+    alias_method :eql?, :==
+
+    def hash
+      [verb, path].hash
+    end
+
+    # Sort routes by wildcard matching order deterministically:
+    #
+    #   1. Exact path before wildcard path
+    #   2. Fewer wildcards in path relative to path length
+    #   3. Earliest wildcard position in path
+    #   4. Exact verb before wildcard verb
+    #   5. Lexicographic path (tie-break)
+    #   6. Lexicographic verb (tie-break)
+    #
+    # @return [Array] the sort key
+    def sort_key
+      @sort_key ||= begin
+        stars = []
+        i = -1
+        while (i = path.index("*", i + 1))
+          stars << i
+        end
+
+        [
+          stars.empty? ? 0 : 1,
+          stars.length - path.length,
+          stars,
+          (verb == "*") ? 1 : 0,
+          path,
+          verb
+        ].freeze
+      end
+    end
+
+    def match?(other)
+      other.is_a?(Route) &&
+        pattern(verb).match?(other.verb) &&
+        pattern(path).match?(other.path)
+    end
+
+    def inspect
+      "#<#{self.class.name} #{verb} #{path.inspect}>"
+    end
+
+    # Construct a regular expression equivalent to the wildcard string,
+    # where '*' is the wildcard operator.
+    #
+    # The resulting pattern matches the entire input, allows an optional
+    # trailing slash, and is case-insensitive.
+    #
+    # All other special characters in the regular expression are escaped
+    # so that they are treated literally.
+    #
+    # @param string [String] wildcard string
+    # @return [Regexp] regular expression matching the wildcard string
+    private def pattern(string)
+      /^#{Regexp.escape(string).gsub("\\*", ".*")}\/?$/i
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings/endpoints.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require_relative "../route"
+require_relative "protection_settings"
+
+module Aikido::Zen
+  # Wraps the list of endpoint protection settings, providing an interface for
+  # checking the settings for any given route. If the route has no configured
+  # settings, that will return the singleton
+  # {RuntimeSettings::ProtectionSettings.none}.
+  #
+  # @example
+  #   endpoint = runtime_settings.endpoints[request.route]
+  #   block_request unless endpoint.allows?(request.ip)
+  class RuntimeSettings::Endpoints
+    # @param data [Array<Hash>]
+    # @return [Aikido::Zen::RuntimeSettings::Endpoints]
+    def self.from_json(data)
+      endpoint_pairs = Array(data).map do |value|
+        route = Route.new(verb: value["method"], path: value["route"])
+        settings = RuntimeSettings::ProtectionSettings.from_json(value)
+        [route, settings]
+      end
+
+      # Sort endpoints by wildcard matching order
+      endpoint_pairs.sort_by! do |route, settings|
+        route.sort_key
+      end
+
+      new(endpoint_pairs.to_h)
+    end
+
+    # @param endpoints [Hash] the endpoints in wildcard matching order
+    # @return [Aikido::Zen::RuntimeSettings::Endpoints]
+    def initialize(endpoints = {})
+      @endpoints = endpoints
+      @endpoints.default = RuntimeSettings::ProtectionSettings.none
+    end
+
+    # @param route [Aikido::Zen::Route]
+    # @return [Aikido::Zen::RuntimeSettings::ProtectionSettings]
+    def [](route)
+      return @endpoints[route] if @endpoints.key?(route)
+
+      # Wildcard endpoint matching
+
+      @endpoints.each do |pattern, settings|
+        return settings if pattern.match?(route)
+      end
+
+      @endpoints.default
+    end
+
+    # @param route [Aikido::Zen::Route]
+    # @return [Array<Aikido::Zen::RuntimeSettings::ProtectionSettings>]
+    def match(route)
+      matches = []
+
+      @endpoints.each do |pattern, settings|
+        matches << settings if pattern.match?(route)
+      end
+
+      matches << @endpoints.default if matches.empty?
+
+      matches
+    end
+
+    # @!visibility private
+    def ==(other)
+      other.is_a?(RuntimeSettings::Endpoints) && to_h == other.to_h
+    end
+
+    # @!visibility private
+    protected def to_h
+      @endpoints
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings/ip_set.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+
+module Aikido::Zen
+  # Models a list of IP addresses or CIDR blocks, where we can check if a given
+  # address is part of any of the members.
+  class RuntimeSettings::IPSet
+    def self.from_json(ips)
+      new(Array(ips).map { |ip| IPAddr.new(ip) })
+    end
+
+    def initialize(ips = Set.new)
+      @ips = ips.to_set
+    end
+
+    def empty?
+      @ips.empty?
+    end
+
+    def include?(ip)
+      @ips.any? { |pattern| pattern === ip }
+    end
+    alias_method :===, :include?
+
+    def ==(other)
+      other.is_a?(RuntimeSettings::IPSet) && to_set == other.to_set
+    end
+
+    protected
+
+    def to_set
+      @ips
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings/protection_settings.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require_relative "ip_set"
+require_relative "rate_limit_settings"
+
+module Aikido::Zen
+  # Models the settings for a given Route as configured in the Aikido UI.
+  class RuntimeSettings::ProtectionSettings
+    # @return [Aikido::Zen::RuntimeSettings::ProtectionSettings] singleton
+    #   instance for endpoints with no configured protections on a given route,
+    #   that can be used as a default value for routes.
+    def self.none
+      @no_settings ||= new
+    end
+
+    # Initialize settings from an API response.
+    #
+    # @param data [Hash] the deserialized JSON data.
+    # @option data [Boolean] "forceProtectionOff" whether the user has
+    #   disabled attack protection for this route.
+    # @option data [Array<String>] "allowedIPAddresses" the list of IPs that
+    #   can make requests to this endpoint.
+    # @option data [Hash] "rateLimiting" the rate limiting options for this
+    #   endpoint. See {Aikido::Zen::RuntimeSettings::RateLimitSettings.from_json}.
+    #
+    # @return [Aikido::Zen::RuntimeSettings::ProtectionSettings]
+    # @raise [IPAddr::InvalidAddressError] if any of the IPs in
+    #   "allowedIPAddresses" is not a valid address or family.
+    def self.from_json(data)
+      ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
+      rate_limiting = RuntimeSettings::RateLimitSettings.from_json(data["rateLimiting"])
+
+      new(
+        protected: !data["forceProtectionOff"],
+        allowed_ips: ips,
+        rate_limiting: rate_limiting
+      )
+    end
+
+    # @return [Aikido::Zen::RuntimeSettings::IPSet] list of IP addresses which
+    #   are allowed to make requests on this route. If empty, all IP addresses
+    #   are allowed.
+    attr_reader :allowed_ips
+
+    # @return [Aikido::Zen::RuntimeSettings::RateLimitSettings]
+    attr_reader :rate_limiting
+
+    def initialize(
+      protected: true,
+      allowed_ips: RuntimeSettings::IPSet.new,
+      rate_limiting: RuntimeSettings::RateLimitSettings.disabled
+    )
+      @protected = !!protected
+      @rate_limiting = rate_limiting
+      @allowed_ips = allowed_ips
+    end
+
+    def protected?
+      @protected
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings/rate_limit_settings.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Simple data object that holds the configuration for rate limiting a given
+  # endpoint.
+  class RuntimeSettings::RateLimitSettings
+    # Initialize the settings from an API response.
+    #
+    # @param data [Hash] the deserialized JSON data.
+    # @option data [Boolean] "enabled"
+    # @option data [Integer] "maxRequests"
+    # @option data [Integer] "windowSizeInMS"
+    #
+    # @return [Aikido::Zen::RateLimitSettings]
+    def self.from_json(data)
+      new(
+        enabled: !!data["enabled"],
+        max_requests: Integer(data["maxRequests"]),
+        period: Integer(data["windowSizeInMS"]) / 1000
+      )
+    end
+
+    # Initializes a disabled object that we can use as a default value for
+    # endpoints that have not configured rate limiting.
+    #
+    # @return [Aikido::Zen::RuntimeSettings::RateLimitSettings]
+    def self.disabled
+      new(enabled: false)
+    end
+
+    # @return [Integer] the fixed window to bucket requests in, in seconds.
+    attr_reader :period
+
+    # @return [Integer]
+    attr_reader :max_requests
+
+    def initialize(enabled: false, max_requests: 1000, period: 60)
+      @enabled = enabled
+      @period = period
+      @max_requests = max_requests
+    end
+
+    def enabled?
+      @enabled
+    end
+  end
+end

data/lib/aikido/zen/runtime_settings.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Stores the firewall configuration sourced from the Aikido dashboard. This
+  # object is updated by the Agent regularly.
+  #
+  # Because the RuntimeSettings object can be modified in runtime, it implements
+  # the {Observable} API, allowing you to subscribe to updates. These are
+  # triggered whenever #update_from_json makes a change (i.e. if the settings
+  # don't change, no update is triggered).
+  #
+  # You can subscribe to changes with +#add_observer(object, func_name)+, which
+  # will call the function passing the settings as an argument.
+  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :allowed_ips, :received_any_stats, :blocking_mode) do
+    def initialize(*)
+      super
+      self.endpoints ||= RuntimeSettings::Endpoints.new
+      self.allowed_ips ||= RuntimeSettings::IPSet.new
+    end
+
+    # @!attribute [rw] updated_at
+    #   @return [Time] when these settings were updated in the Aikido dashboard.
+
+    # @!attribute [rw] heartbeat_interval
+    #   @return [Integer] duration in seconds between heartbeat requests to the
+    #     Aikido server.
+
+    # @!attribute [rw] received_any_stats
+    #   @return [Boolean] whether the Aikido server has received any data from
+    #     this application.
+
+    # @!attribute [rw] endpoints
+    #   @return [Aikido::Zen::RuntimeSettings::Endpoints]
+
+    # @!attribute [rw] blocked_user_ids
+    #   @return [Array]
+
+    # @!attribute [rw] allowed_ips
+    #   @return [Aikido::Zen::RuntimeSettings::IPSet]
+
+    # Parse and interpret the JSON response from the core API with updated
+    # settings, and apply the changes. This will also notify any subscriber
+    # to updates
+    #
+    # @param data [Hash] the decoded JSON payload from the /api/runtime/config
+    #   API endpoint.
+    #
+    # @return [bool]
+    def update_from_json(data)
+      last_updated_at = updated_at
+
+      self.updated_at = Time.at(data["configUpdatedAt"].to_i / 1000)
+      self.heartbeat_interval = data["heartbeatIntervalInMS"].to_i / 1000
+      self.endpoints = RuntimeSettings::Endpoints.from_json(data["endpoints"])
+      self.blocked_user_ids = data["blockedUserIds"]
+      self.allowed_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
+      self.received_any_stats = data["receivedAnyStats"]
+      self.blocking_mode = data["block"]
+
+      updated_at != last_updated_at
+    end
+  end
+end
+
+require_relative "runtime_settings/ip_set"
+require_relative "runtime_settings/endpoints"

data/lib/aikido/zen/scan.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Scans track information about a single call made by one of our Sinks
+  # including whether it was detected as an attack or how long it took.
+  class Scan
+    # @return [Aikido::Zen::Sink] the originating Sink.
+    attr_reader :sink
+
+    # @return [Aikido::Zen::Context] the current Context, wrapping the HTTP
+    #   request during which this scan was performed.
+    attr_reader :context
+
+    # @return [Aikido::Zen::Attack, nil] a detected Attack, or
+    #   +nil+ if the scan was considered safe.
+    attr_reader :attack
+
+    # @return [Float, nil] duration in (fractional) seconds of the scan.
+    attr_reader :duration
+
+    # @return [Array<Hash>] list of captured exceptions while scanning.
+    attr_reader :errors
+
+    # @param sink [Aikido::Zen::Sink]
+    # @param context [Aikido::Zen::Context]
+    def initialize(sink:, context:)
+      @sink = sink
+      @context = context
+      @errors = []
+      @performed = false
+    end
+
+    def performed?
+      @performed
+    end
+
+    # @return [Boolean] whether this scan detected an Attack.
+    def attack?
+      @attack != nil
+    end
+
+    # @return [Boolean] whether any errors were caught by this Scan.
+    def errors?
+      @errors.any?
+    end
+
+    # Runs a block of code, capturing its return value as the potential
+    # Attack object (or nil, if safe), and how long it took to run.
+    #
+    # @yieldreturn [Aikido::Zen::Attack, nil]
+    # @return [void]
+    def perform
+      @performed = true
+      started_at = monotonic_time
+      @attack = yield
+    ensure
+      @duration = monotonic_time - started_at
+    end
+
+    # Keep track of exceptions encountered during scanning.
+    #
+    # @param error [Exception]
+    # @param scanner [#call]
+    #
+    # @return [nil]
+    def track_error(error, scanner)
+      @errors << {error: error, scanner: scanner}
+      nil
+    end
+
+    private def monotonic_time
+      Process.clock_gettime(Process::CLOCK_MONOTONIC)
+    end
+  end
+end

data/lib/aikido/zen/scanners/path_traversal/helpers.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Scanners
+    module PathTraversal
+      DANGEROUS_PATH_PARTS = ["../", "..\\"]
+
+      LINUX_PATH_STARTS = [
+        "/bin/",
+        "/boot/",
+        "/dev/",
+        "/etc/",
+        "/home/",
+        "/init/",
+        "/lib/",
+        "/media/",
+        "/mnt/",
+        "/opt/",
+        "/proc/",
+        "/root/",
+        "/run/",
+        "/sbin/",
+        "/srv/",
+        "/sys/",
+        "/tmp/",
+        "/usr/",
+        "/var/"
+      ]
+
+      WINDOWS_PATH_STARTS = ["c:/", "c:\\"]
+
+      DANGEROUS_PATH_STARTS = LINUX_PATH_STARTS + WINDOWS_PATH_STARTS
+
+      module Helpers
+        def self.include_unsafe_path_parts?(filepath)
+          DANGEROUS_PATH_PARTS.each do |dangerous_part|
+            return true if filepath.include?(dangerous_part)
+          end
+
+          false
+        end
+
+        def self.start_with_unsafe_path?(filepath, user_input)
+          # Check if path is relative (not absolute or drive letter path)
+          # Required because `expand_path` will build absolute paths from relative paths
+          return false if Pathname.new(filepath).relative? || Pathname.new(user_input).relative?
+
+          normalized_path = File.expand_path__internal_for_aikido_zen(filepath).downcase
+          normalized_user_input = File.expand_path__internal_for_aikido_zen(user_input).downcase
+
+          DANGEROUS_PATH_STARTS.each do |dangerous_start|
+            if normalized_path.start_with?(dangerous_start) && normalized_path.start_with?(normalized_user_input)
+              # If the user input is the same as the dangerous start, we don't want to flag it
+              # to prevent false positives.
+              # e.g., if user input is /etc/ and the path is /etc/passwd, we don't want to flag it,
+              # as long as the user input does not contain a subdirectory or filename
+              return false if user_input == dangerous_start || user_input == dangerous_start.chomp("/")
+
+              return true
+            end
+          end
+
+          false
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require_relative "path_traversal/helpers"
+
+module Aikido::Zen
+  module Scanners
+    class PathTraversalScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
+      # Checks if the user introduced input is trying to access other path using
+      # Path Traversal kind of attacks.
+      #
+      # @param filepath [String] the expanded path that is tried to be read
+      # @param context [Aikido::Zen::Context]
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param operation [Symbol, String] name of the method being scanned.
+      #
+      # @return [Aikido::Zen::Attacks::PathTraversalAttack, nil] an Attack if any
+      # user input is detected to be attempting a Path Traversal Attack, or +nil+ if not.
+      def self.call(filepath:, sink:, context:, operation:)
+        context.payloads.each do |payload|
+          next unless new(filepath, payload.value.to_s).attack?
+
+          return Attacks::PathTraversalAttack.new(
+            sink: sink,
+            input: payload,
+            filepath: filepath,
+            context: context,
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
+          )
+        end
+
+        nil
+      end
+
+      def initialize(filepath, input)
+        @filepath = filepath.downcase
+        @input = input.downcase
+      end
+
+      def attack?
+        # Single character are ignored because they don't pose a big threat
+        return false if @input.length <= 1
+
+        # We ignore cases where the user input is longer than the file path.
+        # Because the user input can't be part of the file path.
+        return false if @input.length > @filepath.length
+
+        # We ignore cases where the user input is not part of the file path.
+        return false unless @filepath.include?(@input)
+
+        if PathTraversal::Helpers.include_unsafe_path_parts?(@filepath) && PathTraversal::Helpers.include_unsafe_path_parts?(@input)
+          return true
+        end
+
+        # Check for absolute path traversal
+        PathTraversal::Helpers.start_with_unsafe_path?(@filepath, @input)
+      end
+    end
+  end
+end