aikido-zen 1.0.2-aarch64-linux

data/lib/aikido/zen/scanners/shell_injection/helpers.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+module Aikido::Zen::Scanners::ShellInjection
+  module Helpers
+    ESCAPE_CHARS = %W[' "]
+    DANGEROUS_CHARS_INSIDE_DOUBLE_QUOTES = %W[$ ` \\ !]
+    DANGEROUS_CHARS = [
+      "#", "!", '"', "$", "&", "'", "(", ")", "*", ";", "<", "=", ">", "?",
+      "[", "\\", "]", "^", "`", "{", "|", "}", " ", "\n", "\t", "~"
+    ]
+
+    COMMANDS = %w[sleep shutdown reboot poweroff halt ifconfig chmod chown ping
+      ssh scp curl wget telnet kill killall rm mv cp touch echo cat head
+      tail grep find awk sed sort uniq wc ls env ps who whoami id w df du
+      pwd uname hostname netstat passwd arch printenv logname pstree hostnamectl
+      set lsattr killall5 dmesg history free uptime finger top shopt :]
+
+    PATH_PREFIXES = %w[/bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/]
+
+    SEPARATORS = [" ", "\t", "\n", ";", "&", "|", "(", ")", "<", ">"]
+
+    # @param command [string]
+    # @param user_input [string]
+    def self.is_safely_encapsulated(command, user_input)
+      segments = command.split(user_input)
+
+      # The next condition is merely here to be compliant with what javascript does when splitting strings:
+      # From js doc https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/split
+      #   > If separator appears at the beginning (or end) of the string, it still has the effect of splitting,
+      #   > resulting in an empty (i.e. zero length) string appearing at the first (or last) position of
+      #   > the returned array.
+      # This is necessary because this code is ported form the firewall-node code.
+      if user_input.length > 1
+        if command.start_with? user_input
+          segments.unshift ""
+        end
+
+        if command.end_with? user_input
+          segments << ""
+        end
+      end
+
+      # Call the helper function to get current and next segments
+      get_current_and_next_segments(segments).all? do |segments_pair|
+        char_before_user_input = segments_pair[:current_segment][-1]
+        char_after_user_input = segments_pair[:next_segment][0]
+
+        # Check if the character before is an escape character
+        is_escape_char = ESCAPE_CHARS.include?(char_before_user_input)
+
+        unless is_escape_char
+          next false
+        end
+
+        # If characters before and after the user input do not match, return false
+        next false if char_before_user_input != char_after_user_input
+
+        # If user input contains the escape character, return false
+        next false if user_input.include?(char_before_user_input)
+
+        # Handle dangerous characters inside double quotes
+        if char_before_user_input == '"' && DANGEROUS_CHARS_INSIDE_DOUBLE_QUOTES.any? { |char| user_input.include?(char) }
+          next false
+        end
+
+        next true
+      end
+    end
+
+    def self.get_current_and_next_segments(segments)
+      segments.each_cons(2).map { |current_segment, next_segment| {current_segment: current_segment, next_segment: next_segment} }
+    end
+
+    # Helper function for sorting commands by length (longer commands first)
+    def self.by_length(a, b)
+      b.length - a.length
+    end
+
+    # Escape characters with special meaning either inside or outside character sets.
+    # Use a simple backslash escape when it’s always valid, and a `\xnn` escape when the simpler
+    # form would be disallowed by Unicode patterns’ stricter grammar.
+    #
+    # Inspired by https://github.com/sindresorhus/escape-string-regexp/
+    def self.escape_string_regexp(string)
+      string.gsub(/[|\\{}()\[\]^$+*?.]/) { "\\#{$&}" }.gsub("-", '\\x2d')
+    end
+
+    # Construct the regex for commands
+    COMMANDS_REGEX = Regexp.new(
+      "([/.]*((#{PATH_PREFIXES.map { |p| Helpers.escape_string_regexp(p) }.join("|")})?((#{COMMANDS.sort(&method(:by_length)).join("|")}))))",
+      Regexp::IGNORECASE
+    )
+
+    def self.contains_shell_syntax(command, user_input)
+      # Check if input is only whitespace
+      return false if user_input.strip.empty?
+
+      # Check if the user input contains any dangerous characters
+      if DANGEROUS_CHARS.any? { |c| user_input.include?(c) }
+        return true
+      end
+
+      # If the command is exactly the same as the user input, check if it matches the regex
+      if command == user_input
+        return match_all(command, COMMANDS_REGEX).any? do |match|
+          match[:match].length == command.length && match[:match] == command
+        end
+      end
+
+      # Check if the command contains a commonly used command
+      match_all(command, COMMANDS_REGEX).each do |match|
+        # We found a command like `rm` or `/sbin/shutdown` in the command
+        # Check if the command is the same as the user input
+        # If it's not the same, continue searching
+        next if user_input != match[:match]
+
+        # Otherwise, we'll check if the command is surrounded by separators
+        # These separators are used to separate commands and arguments
+        # e.g. `rm<space>-rf`
+        # e.g. `ls<newline>whoami`
+        # e.g. `echo<tab>hello` Check if the command is surrounded by separators
+        char_before = if match[:index] - 1 < 0
+          nil
+        else
+          command[match[:index] - 1]
+        end
+
+        char_after = if match[:index] + match[:match].length >= command.length
+          nil
+        else
+          command[match[:index] + match[:match].length]
+        end
+
+        # e.g. `<separator>rm<separator>`
+        if SEPARATORS.include?(char_before) && SEPARATORS.include?(char_after)
+          return true
+        end
+
+        # e.g. `<separator>rm`
+        if SEPARATORS.include?(char_before) && char_after.nil?
+          return true
+        end
+
+        # e.g. `rm<separator>`
+        if char_before.nil? && SEPARATORS.include?(char_after)
+          return true
+        end
+      end
+
+      false
+    end
+
+    def self.match_all(string, regex)
+      string.enum_for(:scan, regex).map do |match|
+        {match: match[0], index: $~.begin(0)}
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/shell_injection_scanner.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require_relative "shell_injection/helpers"
+
+module Aikido::Zen
+  module Scanners
+    class ShellInjectionScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
+      # @param command [String]
+      # @param sink [Aikido::Zen::Sink]
+      # @param context [Aikido::Zen::Context]
+      # @param operation [Symbol, String]
+      #
+      def self.call(command:, sink:, context:, operation:)
+        context.payloads.each do |payload|
+          next unless new(command, payload.value.to_s).attack?
+
+          return Attacks::ShellInjectionAttack.new(
+            sink: sink,
+            input: payload,
+            command: command,
+            context: context,
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
+          )
+        end
+
+        nil
+      end
+
+      # @param command [String]
+      # @param input [String]
+      def initialize(command, input)
+        @command = command
+        @input = input
+      end
+
+      def attack?
+        # Block single ~ character. For example `echo ~`
+        if @input == "~"
+          if @command.size > 1 && @command.include?("~")
+            return true
+          end
+        end
+
+        # we ignore single character since they don't pose a big threat.
+        # They are only able to crash the shell, not execute arbitraty commands.
+        return false if @input.size <= 1
+
+        # We ignore cases where the user input is longer than the command because
+        # the user input can't be part of the command
+        return false if @input.size > @command.size
+
+        return false unless @command.include?(@input)
+
+        return false if ShellInjection::Helpers.is_safely_encapsulated @command, @input
+
+        ShellInjection::Helpers.contains_shell_syntax @command, @input
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require_relative "../attack"
+require_relative "../internals"
+
+module Aikido::Zen
+  module Scanners
+    class SQLInjectionScanner
+      def self.skips_on_nil_context?
+        true
+      end
+
+      # Checks if the given SQL query may have dangerous user input injected,
+      # and returns an Attack if so, based on the current request.
+      #
+      # @param query [String]
+      # @param context [Aikido::Zen::Context]
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param dialect [Symbol] one of +:mysql+, +:postgesql+, or +:sqlite+.
+      # @param operation [Symbol, String] name of the method being scanned.
+      #   Expects +sink.operation+ being set to get the full module/name combo.
+      #
+      # @return [Aikido::Zen::Attack, nil] an Attack if any user input is
+      #   detected to be attempting a SQL injection, or nil if this is safe.
+      #
+      # @raise [Aikido::Zen::InternalsError] if an error occurs when loading or
+      #   calling zenlib. See Sink#scan.
+      def self.call(query:, dialect:, sink:, context:, operation:)
+        dialect = DIALECTS.fetch(dialect) do
+          Aikido::Zen.config.logger.warn "Unknown SQL dialect #{dialect.inspect}"
+          DIALECTS[:common]
+        end
+
+        context.payloads.each do |payload|
+          next unless new(query, payload.value.to_s, dialect).attack?
+
+          return Attacks::SQLInjectionAttack.new(
+            sink: sink,
+            query: query,
+            input: payload,
+            dialect: dialect,
+            context: context,
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
+          )
+        end
+
+        nil
+      end
+
+      def initialize(query, input, dialect)
+        @query = query.downcase
+        @input = input.downcase
+        @dialect = dialect
+      end
+
+      def attack?
+        # Ignore single char inputs since they shouldn't be able to do much harm
+        return false if @input.length <= 1
+
+        # If the input is longer than the query, then it is not part of it
+        return false if @input.length > @query.length
+
+        # If the input is not included in the query at all, then we are safe
+        return false unless @query.include?(@input)
+
+        # If the input is solely alphanumeric, we can ignore it
+        return false if /\A[[:alnum:]_]+\z/i.match?(@input)
+
+        # If the input is a comma-separated list of numbers, ignore it.
+        return false if /\A(?:\d+(?:,\s*)?)+\z/i.match?(@input)
+
+        Internals.detect_sql_injection(@query, @input, @dialect)
+      end
+
+      # @api private
+      Dialect = Struct.new(:name, :internals_key, keyword_init: true) do
+        alias_method :to_s, :name
+        alias_method :to_int, :internals_key
+      end
+
+      # Maps easy-to-use Symbols to a struct that keeps both the name and the
+      # internal identifier used by libzen.
+      #
+      # @see https://github.com/AikidoSec/zen-internals/blob/main/src/sql_injection/helpers/select_dialect_based_on_enum.rs
+      DIALECTS = {
+        common: Dialect.new(name: "SQL", internals_key: 0),
+        mysql: Dialect.new(name: "MySQL", internals_key: 8),
+        postgresql: Dialect.new(name: "PostgreSQL", internals_key: 9),
+        sqlite: Dialect.new(name: "SQLite", internals_key: 12)
+      }
+    end
+  end
+end

data/lib/aikido/zen/scanners/ssrf/dns_lookups.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require "delegate"
+
+module Aikido::Zen
+  module Scanners
+    module SSRF
+      # Simple per-request cache of all DNS lookups performed for a given host.
+      # We can store this in the context after performing a lookup, and have the
+      # SSRF scanner make sure the hostname being inspected doesn't actually
+      # resolve to an internal/dangerous IP.
+      class DNSLookups < SimpleDelegator
+        def initialize
+          super(Hash.new { |h, k| h[k] = [] })
+        end
+
+        def add(hostname, addresses)
+          self[hostname].concat(Array(addresses))
+        end
+
+        def ===(hostname)
+          key?(hostname)
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/ssrf/private_ip_checker.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require "resolv"
+require "ipaddr"
+
+module Aikido::Zen
+  module Scanners
+    module SSRF
+      # Little helper to check if a given hostname or address is to be
+      # considered "dangerous" when used for an outbound HTTP request.
+      #
+      # When given a hostname:
+      #
+      # * If any DNS lookups have been performed and stored in the current Zen
+      #   context (under the "dns.lookups" metadata key), we will map it to the
+      #   list of IPs that we've resolved it to.
+      #
+      # * If not, we'll still try to map it to any statically defined address in
+      #   the system hosts file (e.g. /etc/hosts).
+      #
+      # Once we mapped the hostname to an IP address (or, if given an IP
+      # address), this will check that it's not a loopback address, a private IP
+      # address (as defined by RFCs 1918 and 4193), or in one of the
+      # "special-use" IP ranges defined in RFC 5735.
+      class PrivateIPChecker
+        def initialize(resolver = Resolv::Hosts.new)
+          @resolver = resolver
+        end
+
+        # @param hostname_or_address [String]
+        # @return [Boolean]
+        def private?(hostname_or_address)
+          resolve(hostname_or_address).any? do |ip|
+            PRIVATE_RANGES.any? { |range| range === ip }
+          end
+        end
+
+        private
+
+        # Source: https://github.com/AikidoSec/firewall-node/blob/main/library/vulnerabilities/ssrf/isPrivateIP.ts
+        PRIVATE_IPV4_RANGES = [
+          IPAddr.new("0.0.0.0/8"),         # "This" network (RFC 1122)
+          IPAddr.new("10.0.0.0/8"),        # Private-Use Networks (RFC 1918)
+          IPAddr.new("100.64.0.0/10"),     # Shared Address Space (RFC 6598)
+          IPAddr.new("127.0.0.0/8"),       # Loopback (RFC 1122)
+          IPAddr.new("169.254.0.0/16"),    # Link Local (RFC 3927)
+          IPAddr.new("172.16.0.0/12"),     # Private-Use Networks (RFC 1918)
+          IPAddr.new("192.0.0.0/24"),      # IETF Protocol Assignments (RFC 5736)
+          IPAddr.new("192.0.2.0/24"),      # TEST-NET-1 (RFC 5737)
+          IPAddr.new("192.31.196.0/24"),   # AS112 Redirection Anycast (RFC 7535)
+          IPAddr.new("192.52.193.0/24"),   # Automatic Multicast Tunneling (RFC 7450)
+          IPAddr.new("192.88.99.0/24"),    # 6to4 Relay Anycast (RFC 3068)
+          IPAddr.new("192.168.0.0/16"),    # Private-Use Networks (RFC 1918)
+          IPAddr.new("192.175.48.0/24"),   # AS112 Redirection Anycast (RFC 7535)
+          IPAddr.new("198.18.0.0/15"),     # Network Interconnect Device Benchmark Testing (RFC 2544)
+          IPAddr.new("198.51.100.0/24"),   # TEST-NET-2 (RFC 5737)
+          IPAddr.new("203.0.113.0/24"),    # TEST-NET-3 (RFC 5737)
+          IPAddr.new("224.0.0.0/4"),       # Multicast (RFC 3171)
+          IPAddr.new("240.0.0.0/4"),       # Reserved for Future Use (RFC 1112)
+          IPAddr.new("255.255.255.255/32") # Limited Broadcast (RFC 919)
+        ]
+
+        PRIVATE_IPV6_RANGES = [
+          IPAddr.new("::/128"),            # Unspecified address (RFC 4291)
+          IPAddr.new("::1/128"),           # Loopback address (RFC 4291)
+          IPAddr.new("fc00::/7"),          # Unique local address (ULA) (RFC 4193
+          IPAddr.new("fe80::/10"),         # Link-local address (LLA) (RFC 4291)
+          IPAddr.new("100::/64"),          # Discard prefix (RFC 6666)
+          IPAddr.new("2001:db8::/32"),     # Documentation prefix (RFC 3849)
+          IPAddr.new("3fff::/20")          # Documentation prefix (RFC 9637)
+        ]
+
+        PRIVATE_RANGES = PRIVATE_IPV4_RANGES + PRIVATE_IPV6_RANGES + PRIVATE_IPV4_RANGES.map(&:ipv4_mapped)
+
+        def resolved_in_current_context
+          context = Aikido::Zen.current_context
+          context && context["dns.lookups"]
+        end
+
+        def resolve(hostname_or_address)
+          return [] if hostname_or_address.nil?
+
+          case hostname_or_address
+          when Resolv::AddressRegex
+            [IPAddr.new(hostname_or_address)]
+          when resolved_in_current_context
+            resolved_in_current_context[hostname_or_address]
+              .map { |address| IPAddr.new(address) }
+          else
+            @resolver.getaddresses(hostname_or_address.to_s)
+              .map { |address| IPAddr.new(address) }
+          end
+        end
+      end
+    end
+  end
+end