RubyGems - aikido-zen - Versions diffs - 1.0.2-aarch64-linux - Mend

aikido-zen 1.0.2-aarch64-linux

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (125) hide show

checksums.yaml +7 -0
data/.aikido +6 -0
data/.ruby-version +1 -0
data/.simplecov +32 -0
data/.standard.yml +3 -0
data/LICENSE +674 -0
data/README.md +148 -0
data/Rakefile +67 -0
data/benchmarks/README.md +22 -0
data/benchmarks/rails7.1_benchmark.js +1 -0
data/benchmarks/rails7.1_sql_injection.js +102 -0
data/docs/banner.svg +202 -0
data/docs/config.md +133 -0
data/docs/proxy.md +10 -0
data/docs/rails.md +112 -0
data/docs/troubleshooting.md +62 -0
data/lib/aikido/zen/actor.rb +146 -0
data/lib/aikido/zen/agent/heartbeats_manager.rb +66 -0
data/lib/aikido/zen/agent.rb +181 -0
data/lib/aikido/zen/api_client.rb +145 -0
data/lib/aikido/zen/attack.rb +217 -0
data/lib/aikido/zen/attack_wave/helpers.rb +457 -0
data/lib/aikido/zen/attack_wave.rb +88 -0
data/lib/aikido/zen/background_worker.rb +52 -0
data/lib/aikido/zen/cache.rb +91 -0
data/lib/aikido/zen/capped_collections.rb +86 -0
data/lib/aikido/zen/collector/event.rb +238 -0
data/lib/aikido/zen/collector/hosts.rb +30 -0
data/lib/aikido/zen/collector/routes.rb +71 -0
data/lib/aikido/zen/collector/sink_stats.rb +95 -0
data/lib/aikido/zen/collector/stats.rb +122 -0
data/lib/aikido/zen/collector/users.rb +32 -0
data/lib/aikido/zen/collector.rb +223 -0
data/lib/aikido/zen/config.rb +312 -0
data/lib/aikido/zen/context/rack_request.rb +27 -0
data/lib/aikido/zen/context/rails_request.rb +47 -0
data/lib/aikido/zen/context.rb +145 -0
data/lib/aikido/zen/detached_agent/agent.rb +79 -0
data/lib/aikido/zen/detached_agent/front_object.rb +41 -0
data/lib/aikido/zen/detached_agent/server.rb +78 -0
data/lib/aikido/zen/detached_agent.rb +2 -0
data/lib/aikido/zen/errors.rb +107 -0
data/lib/aikido/zen/event.rb +116 -0
data/lib/aikido/zen/helpers.rb +24 -0
data/lib/aikido/zen/internals.rb +123 -0
data/lib/aikido/zen/libzen-v0.1.48-aarch64-linux.so +0 -0
data/lib/aikido/zen/middleware/allowed_address_checker.rb +26 -0
data/lib/aikido/zen/middleware/attack_wave_protector.rb +46 -0
data/lib/aikido/zen/middleware/context_setter.rb +26 -0
data/lib/aikido/zen/middleware/fork_detector.rb +23 -0
data/lib/aikido/zen/middleware/middleware.rb +11 -0
data/lib/aikido/zen/middleware/rack_throttler.rb +50 -0
data/lib/aikido/zen/middleware/request_tracker.rb +197 -0
data/lib/aikido/zen/outbound_connection.rb +62 -0
data/lib/aikido/zen/outbound_connection_monitor.rb +23 -0
data/lib/aikido/zen/package.rb +22 -0
data/lib/aikido/zen/payload.rb +50 -0
data/lib/aikido/zen/rails_engine.rb +53 -0
data/lib/aikido/zen/rate_limiter/breaker.rb +61 -0
data/lib/aikido/zen/rate_limiter/bucket.rb +76 -0
data/lib/aikido/zen/rate_limiter/result.rb +31 -0
data/lib/aikido/zen/rate_limiter.rb +50 -0
data/lib/aikido/zen/request/heuristic_router.rb +115 -0
data/lib/aikido/zen/request/rails_router.rb +92 -0
data/lib/aikido/zen/request/schema/auth_discovery.rb +86 -0
data/lib/aikido/zen/request/schema/auth_schemas.rb +54 -0
data/lib/aikido/zen/request/schema/builder.rb +121 -0
data/lib/aikido/zen/request/schema/definition.rb +107 -0
data/lib/aikido/zen/request/schema/empty_schema.rb +28 -0
data/lib/aikido/zen/request/schema.rb +87 -0
data/lib/aikido/zen/request.rb +88 -0
data/lib/aikido/zen/route.rb +96 -0
data/lib/aikido/zen/runtime_settings/endpoints.rb +78 -0
data/lib/aikido/zen/runtime_settings/ip_set.rb +36 -0
data/lib/aikido/zen/runtime_settings/protection_settings.rb +62 -0
data/lib/aikido/zen/runtime_settings/rate_limit_settings.rb +47 -0
data/lib/aikido/zen/runtime_settings.rb +66 -0
data/lib/aikido/zen/scan.rb +75 -0
data/lib/aikido/zen/scanners/path_traversal/helpers.rb +68 -0
data/lib/aikido/zen/scanners/path_traversal_scanner.rb +64 -0
data/lib/aikido/zen/scanners/shell_injection/helpers.rb +159 -0
data/lib/aikido/zen/scanners/shell_injection_scanner.rb +65 -0
data/lib/aikido/zen/scanners/sql_injection_scanner.rb +94 -0
data/lib/aikido/zen/scanners/ssrf/dns_lookups.rb +27 -0
data/lib/aikido/zen/scanners/ssrf/private_ip_checker.rb +97 -0
data/lib/aikido/zen/scanners/ssrf_scanner.rb +266 -0
data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb +55 -0
data/lib/aikido/zen/scanners.rb +7 -0
data/lib/aikido/zen/sink.rb +118 -0
data/lib/aikido/zen/sinks/action_controller.rb +85 -0
data/lib/aikido/zen/sinks/async_http.rb +80 -0
data/lib/aikido/zen/sinks/curb.rb +113 -0
data/lib/aikido/zen/sinks/em_http.rb +83 -0
data/lib/aikido/zen/sinks/excon.rb +118 -0
data/lib/aikido/zen/sinks/file.rb +153 -0
data/lib/aikido/zen/sinks/http.rb +93 -0
data/lib/aikido/zen/sinks/httpclient.rb +95 -0
data/lib/aikido/zen/sinks/httpx.rb +78 -0
data/lib/aikido/zen/sinks/kernel.rb +33 -0
data/lib/aikido/zen/sinks/mysql2.rb +31 -0
data/lib/aikido/zen/sinks/net_http.rb +101 -0
data/lib/aikido/zen/sinks/patron.rb +103 -0
data/lib/aikido/zen/sinks/pg.rb +72 -0
data/lib/aikido/zen/sinks/resolv.rb +62 -0
data/lib/aikido/zen/sinks/socket.rb +85 -0
data/lib/aikido/zen/sinks/sqlite3.rb +46 -0
data/lib/aikido/zen/sinks/trilogy.rb +31 -0
data/lib/aikido/zen/sinks/typhoeus.rb +78 -0
data/lib/aikido/zen/sinks.rb +36 -0
data/lib/aikido/zen/sinks_dsl.rb +250 -0
data/lib/aikido/zen/synchronizable.rb +24 -0
data/lib/aikido/zen/system_info.rb +80 -0
data/lib/aikido/zen/version.rb +10 -0
data/lib/aikido/zen/worker.rb +87 -0
data/lib/aikido/zen.rb +303 -0
data/lib/aikido-zen.rb +3 -0
data/placeholder/.gitignore +4 -0
data/placeholder/README.md +11 -0
data/placeholder/Rakefile +75 -0
data/placeholder/lib/placeholder.rb.template +3 -0
data/placeholder/placeholder.gemspec.template +20 -0
data/tasklib/bench.rake +94 -0
data/tasklib/libzen.rake +133 -0
data/tasklib/wrk.rb +88 -0
metadata +214 -0

data/lib/aikido/zen/scanners/ssrf_scanner.rb ADDED Viewed

@@ -0,0 +1,266 @@
+# frozen_string_literal: true
+require_relative "ssrf/private_ip_checker"
+require_relative "ssrf/dns_lookups"
+module Aikido::Zen
+  module Scanners
+    class SSRFScanner
+      # SSRF attacks can be triggered through external inputs, so it is essential
+      # to have a valid context to safeguard against these attacks.
+      def self.skips_on_nil_context?
+        true
+      end
+      # Checks if an outbound HTTP request is to a hostname supplied from user
+      # input that resolves to a "dangerous" address. This is called from two
+      # different places:
+      #
+      # * HTTP library sinks, before we make a request. In these cases we can
+      #   detect very obvious attempts such as a request that attempts to access
+      #   localhost or an internal IP.
+      # * DNS lookup sinks, after we resolve a hostname. For HTTP requests that
+      #   are not obviously an attack, we let the DNS resolution happen, and
+      #   then check again, now knowing if the domain name provided actually
+      #   resolves to an internal IP or not.
+      #
+      # NOTE: Because not all DNS resolutions might be happening in the context
+      # of a protected HTTP request, the +request+ argument below *might* be nil
+      # and we can then skip this scan.
+      #
+      # @param request [Aikido::Zen::Scanners::SSRFScanner::Request, nil]
+      #   the ongoing outbound HTTP request.
+      # @param context [Aikido::Zen::Context]
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param operation [Symbol, String] name of the method being scanned.
+      #   Expects +sink.operation+ being set to get the full module/name combo.
+      #
+      # @return [Aikido::Zen::Attacks::SSRFAttack, nil] an Attack if any user
+      #   input is detected to be attempting SSRF, or +nil+ if not.
+      def self.call(request:, sink:, context:, operation:, **)
+        return if request.nil? # See NOTE above.
+        context["ssrf.redirects"] ||= RedirectChains.new
+        context.payloads.each do |payload|
+          scanner = new(request.uri, payload.value, context["ssrf.redirects"])
+          next unless scanner.attack?
+          attack = Attacks::SSRFAttack.new(
+            sink: sink,
+            request: request,
+            input: payload,
+            context: context,
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
+          )
+          return attack
+        end
+        nil
+      end
+      # Track the origin of a redirection so we know if an attacker is using
+      # redirect chains to mask their use of a (seemingly) safe domain.
+      #
+      # @param request [Aikido::Zen::Scanners::SSRFScanner::Request]
+      # @param response [Aikido::Zen::Scanners::SSRFScanner::Response]
+      # @param context [Aikido::Zen::Context]
+      #
+      # @return [void]
+      def self.track_redirects(request:, response:, context: Aikido::Zen.current_context)
+        return unless response.redirect?
+        context["ssrf.redirects"] ||= RedirectChains.new
+        context["ssrf.redirects"].add(
+          source: request.uri,
+          destination: response.redirect_to
+        )
+      end
+      # @api private
+      def initialize(request_uri, input, redirects)
+        @request_uri = request_uri
+        @input = input
+        @redirects = redirects
+      end
+      # @api private
+      def attack?
+        return false if @input.nil? || @input.to_s.empty?
+        # If the request is not aimed at an internal IP, we can ignore it. (It
+        # might still be an SSRF if defined strictly, but it's unlikely to be
+        # exfiltrating data from the app's servers, and the risk for false
+        # positives is too high.)
+        return false unless private_ip?(@request_uri.hostname)
+        origins_for_request
+          .product(uris_from_input)
+          .any? { |(conn_uri, candidate)| match?(conn_uri, candidate) }
+      end
+      # @!visibility private
+      def self.private_ip_checker
+        @private_ip_checker ||= SSRF::PrivateIPChecker.new
+      end
+      private
+      def match?(conn_uri, input_uri)
+        return false if conn_uri.hostname.nil? || conn_uri.hostname.empty?
+        return false if input_uri.hostname.nil? || input_uri.hostname.empty?
+        # The URI library will automatically set the port to the default port
+        # for the current scheme if not provided, which means we can't just
+        # check if the port is present, as it always will be.
+        is_port_relevant = input_uri.port != input_uri.default_port
+        return false if is_port_relevant && input_uri.port != conn_uri.port
+        conn_uri.hostname == input_uri.hostname &&
+          conn_uri.port == input_uri.port
+      end
+      def private_ip?(hostname)
+        self.class.private_ip_checker.private?(hostname)
+      end
+      def origins_for_request
+        [@request_uri, @redirects.origin(@request_uri)].compact
+      end
+      # Maps the current user input into a Set of URIs we can check against:
+      #
+      # * The input itself, if it already looks like a URI.
+      # * The input prefixed with http://
+      # * The input prefixed with https://
+      # * The input prefixed with the scheme of the request's URI, to consider
+      #   things like an FTP request (to "ftp://localhost") with a plain host
+      #   as a user-input ("localhost").
+      #
+      # @return [Array<URI>] a list of unique URIs based on the above criteria.
+      def uris_from_input
+        input = @input.to_s
+        # If you build a URI manually and set the hostname to an IPv6 string,
+        # the URI library will be helpful to wrap it in brackets so it's a
+        # valid hostname. We should do the same for the input.
+        input = format("[%s]", input) if unescaped_ipv6?(input)
+        [
+          input,
+          "http://#{input}",
+          "https://#{input}",
+          "#{@request_uri.scheme}://#{input}"
+        ].map { |candidate| as_uri(candidate) }.compact.uniq
+      end
+      def as_uri(string)
+        URI(string)
+      rescue URI::InvalidURIError
+        nil
+      end
+      # Check if the input is an IPv6 that is not surrounded by square brackets.
+      def unescaped_ipv6?(input)
+        (
+          IPAddr::RE_IPV6ADDRLIKE_FULL.match?(input) ||
+          IPAddr::RE_IPV6ADDRLIKE_COMPRESSED.match?(input)
+        ) && !(input.start_with?("[") && input.end_with?("]"))
+      end
+      # @api private
+      module Headers
+        # @param headers [Hash<String, Object>]
+        # @param header_normalizer [Proc{Object => String}]
+        def initialize(headers:, header_normalizer: :to_s.to_proc)
+          @headers = headers.to_h
+          @header_normalizer = header_normalizer
+          @normalized_headers = false
+        end
+        # @return [Hash<String, String>]
+        def headers
+          return @headers if @normalized_headers
+          @headers
+            .transform_keys!(&:downcase)
+            .transform_values!(&@header_normalizer)
+            .tap { @normalized_headers = true }
+        end
+      end
+      # @api private
+      class Request
+        include Headers
+        attr_reader :verb
+        attr_reader :uri
+        def initialize(verb:, uri:, **header_options)
+          super(**header_options)
+          @verb = verb.to_s.upcase
+          @uri = URI(uri)
+        end
+        def to_s
+          [@verb, @uri.to_s].join(" ").strip
+        end
+      end
+      # @api private
+      class Response
+        include Headers
+        attr_reader :status
+        def initialize(status:, **header_options)
+          super(**header_options)
+          @status = status.to_s
+        end
+        def redirect?
+          @status.start_with?("3") && headers["location"]
+        end
+        def redirect_to
+          URI(headers["location"]) if redirect?
+        rescue URI::BadURIError
+          nil
+        end
+      end
+      # @api private
+      class RedirectChains
+        def initialize
+          @redirects = Hash.new { |h, k| h[k] = [] }
+        end
+        def add(source:, destination:)
+          @redirects[destination].push(source)
+          self
+        end
+        # Recursively looks for the original URI that triggered the current
+        # chain. If given a URI that was not the result of a redirect chain, it
+        # returns +nil+
+        #
+        # @param uri [URI]
+        # @return [URI, nil]
+        def origin(uri, visited = Set.new)
+          source = @redirects[uri].first
+          return source if visited.include?(source)
+          visited << source
+          if !@redirects[source].empty?
+            origin(source, visited)
+          else
+            source
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb ADDED Viewed

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module Scanners
+    # Inspects the result of DNS lookups, to determine if we're being the target
+    # of a stored SSRF targeting IMDS addresses (169.254.169.254).
+    class StoredSSRFScanner
+      # Stored-SSRF can occur without external input, so we do not require a
+      # context to determine if an attack is happening.
+      def self.skips_on_nil_context?
+        false
+      end
+      def self.call(hostname:, addresses:, operation:, sink:, context:, **opts)
+        offending_address = new(hostname, addresses).attack?
+        return if offending_address.nil?
+        Attacks::StoredSSRFAttack.new(
+          hostname: hostname,
+          address: offending_address,
+          sink: sink,
+          context: context,
+          operation: "#{sink.operation}.#{operation}",
+          stack: Aikido::Zen.clean_stack_trace
+        )
+      end
+      def initialize(hostname, addresses, config: Aikido::Zen.config)
+        @hostname = hostname
+        @addresses = addresses
+        @config = config
+      end
+      # @return [String, nil] either the offending address, or +nil+ if no
+      #   address is deemed dangerous.
+      def attack?
+        return unless @config.stored_ssrf? # Feature flag
+        return if @config.imds_allowed_hosts.include?(@hostname)
+        @addresses.find do |candidate|
+          DANGEROUS_ADDRESSES.any? { |address| address === candidate }
+        end
+      end
+      DANGEROUS_ADDRESSES = [
+        IPAddr.new("169.254.169.254"),
+        IPAddr.new("100.100.100.200"),
+        IPAddr.new("::ffff:169.254.169.254"),
+        IPAddr.new("::ffff:100.100.100.200"),
+        IPAddr.new("fd00:ec2::254")
+      ]
+    end
+  end
+end

data/lib/aikido/zen/scanners.rb ADDED Viewed

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+require_relative "scanners/sql_injection_scanner"
+require_relative "scanners/stored_ssrf_scanner"
+require_relative "scanners/ssrf_scanner"
+require_relative "scanners/path_traversal_scanner"
+require_relative "scanners/shell_injection_scanner"

data/lib/aikido/zen/sink.rb ADDED Viewed

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+require_relative "scan"
+module Aikido::Zen
+  module Sinks
+    # @api private
+    # @return [Hash<String, Sink>]
+    def self.registry
+      @registry ||= {}
+    end
+    # Primary interface to set up a sink with a list of given scanners.
+    #
+    # @param name [String] name of the library being patched. (This must
+    #   match the name of the gem, or we won't report that gem as
+    #   supported.)
+    # @param scanners [Array<#call>] a list of objects that respond to
+    #   #call with a Hash and return an Attack or nil.
+    # @param opts [Hash<Symbol, Object>] any other options to pass to
+    #   the Sink initializer.
+    #
+    # @return [void]
+    # @raise [ArgumentError] if a Sink with this name has already been
+    #   registered.
+    def self.add(name, scanners:, **opts)
+      raise ArgumentError, "Sink #{name} already registered" if registry.key?(name.to_s)
+      registry[name.to_s] = Sink.new(name.to_s, scanners: scanners, **opts)
+    end
+  end
+  # Sinks serve as the proxies between a given library that we protect
+  # (such as a database adapter that we patch to prevent SQL injections)
+  # and the reporting agent.
+  #
+  # When a library is patched to track and potentially block attacks, we
+  # rely on a sink to run any scans required, and report any attacks to
+  # our agent.
+  #
+  # @see ./sinks/trilogy.rb for a reference implementation.
+  class Sink
+    # @return [String] name of the patched library (e.g. "mysql2").
+    attr_reader :name
+    # @return [Array<#call>] list of registered scanners for this sink.
+    attr_reader :scanners
+    # @return [String] descriptor of the module / method being scanned
+    #   for attacks. This is fed into Attacks when instantiated. In
+    #   certain cases, some scanners allow you to specialize this by
+    #   using an +operation+ param of their own.
+    attr_reader :operation
+    DEFAULT_REPORTER = ->(scan) { Aikido::Zen.track_scan(scan) }
+    def initialize(name, scanners:, operation: name, reporter: DEFAULT_REPORTER)
+      raise ArgumentError, "scanners cannot be empty" if scanners.empty?
+      @name = name
+      @operation = operation
+      @scanners = scanners
+      @reporter = reporter
+    end
+    # Run the given arguments through all the registered scanners, until
+    # one of them returns an Attack or all return +nil+, and report the
+    # findings back to the Sink's +reporter+ to track statistics and
+    # potentially handle the +Attack+, if anything.
+    #
+    # This checks if runtime protection has been turned off for the current
+    # route first, and if so skips the scanning altogether, returning nil.
+    #
+    # @param scan_params [Hash] data to pass to all registered scanners.
+    # @option scan_params [Aikido::Zen::Context, nil] :context
+    #   The current Context, including the HTTP request being inspected, or
+    #   +nil+ if we're scanning outside of an HTTP request.
+    #
+    # @return [Aikido::Zen::Scan, nil] the result of the scan, or +nil+ if the
+    #   scan was skipped due to protection being disabled for the current route.
+    # @raise [Aikido::UnderAttackError] if an attack is detected and
+    #   blocking_mode is enabled.
+    def scan(context: Aikido::Zen.current_context, **scan_params)
+      return if context&.scanning
+      context&.scanning = true
+      return if context&.protection_disabled?
+      scan = Scan.new(sink: self, context: context)
+      scans_performed = 0
+      scan.perform do
+        result = nil
+        scanners.each do |scanner|
+          next if scanner.skips_on_nil_context? && context.nil?
+          result = scanner.call(sink: self, context: context, **scan_params)
+          scans_performed += 1
+          break result if result
+        rescue Aikido::Zen::InternalsError => error
+          Aikido::Zen.config.logger.warn(error.message)
+          scan.track_error(error, scanner)
+        rescue => error
+          scan.track_error(error, scanner)
+        end
+        result
+      end
+      @reporter.call(scan) if scans_performed > 0
+      scan
+    ensure
+      context&.scanning = false
+    end
+  end
+end

data/lib/aikido/zen/sinks/action_controller.rb ADDED Viewed

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+module Aikido::Zen
+  module Sinks
+    module ActionController
+      # Implements the "middleware" for blocking requests (i.e.: rate-limiting or blocking
+      # user/bots) in Rails apps, where we need to check at the end of the `before_action`
+      # chain, rather than in an actual Rack middleware, to allow for calls to
+      # `Zen.track_user` being made from before_actions in the host app, thus allowing
+      # block/rate-limit by user ID rather than solely by IP.
+      class BlockRequestChecker
+        def initialize(
+          config: Aikido::Zen.config,
+          settings: Aikido::Zen.runtime_settings,
+          detached_agent: Aikido::Zen.detached_agent
+        )
+          @config = config
+          @settings = settings
+          @detached_agent = detached_agent
+        end
+        def block?(controller)
+          context = controller.request.env[Aikido::Zen::ENV_KEY]
+          request = context.request
+          if should_block_user?(request)
+            status, headers, body = @config.blocked_responder.call(request, :user)
+            controller.headers.update(headers)
+            controller.render plain: Array(body).join, status: status
+            return true
+          end
+          if should_throttle?(request)
+            status, headers, body = @config.rate_limited_responder.call(request)
+            controller.headers.update(headers)
+            controller.render plain: Array(body).join, status: status
+            return true
+          end
+          false
+        end
+        private def should_throttle?(request)
+          # Bypass rate limiting for allowed IPs
+          return false if @settings.allowed_ips.include?(request.ip)
+          return false unless @settings.endpoints[request.route].rate_limiting.enabled?
+          result = @detached_agent.calculate_rate_limits(request)
+          return false unless result
+          request.env["aikido.rate_limiting"] = result
+          request.env["aikido.rate_limiting"].throttled?
+        end
+        # @param request [Aikido::Zen::Request]
+        private def should_block_user?(request)
+          return false if request.actor.nil?
+          Aikido::Zen.runtime_settings.blocked_user_ids&.include?(request.actor.id)
+        end
+      end
+      def self.block_request_checker
+        @block_request_checker ||= Aikido::Zen::Sinks::ActionController::BlockRequestChecker.new
+      end
+      module Extensions
+        def run_callbacks(kind, *)
+          return super unless kind == :process_action
+          super do
+            checker = Aikido::Zen::Sinks::ActionController.block_request_checker
+            yield if block_given? && !checker.block?(self)
+          end
+        end
+      end
+    end
+  end
+end
+::AbstractController::Callbacks.prepend(Aikido::Zen::Sinks::ActionController::Extensions)

data/lib/aikido/zen/sinks/async_http.rb ADDED Viewed

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+module Aikido::Zen
+  module Sinks
+    module Async
+      module HTTP
+        SINK = Sinks.add("async-http", scanners: [
+          Scanners::SSRFScanner,
+          OutboundConnectionMonitor
+        ])
+        module Helpers
+          def self.scan(request, connection, operation)
+            SINK.scan(
+              request: request,
+              connection: connection,
+              operation: operation
+            )
+          end
+        end
+        def self.load_sinks!
+          if Aikido::Zen.satisfy "async-http", ">= 0.70.0"
+            require "async/http"
+            ::Async::HTTP::Client.class_eval do
+              extend Sinks::DSL
+              sink_around :call do |original_call, request|
+                uri = URI(format("%<scheme>s://%<authority>s%<path>s", {
+                  scheme: request.scheme || scheme,
+                  authority: request.authority || authority,
+                  path: request.path
+                }))
+                wrapped_request = Scanners::SSRFScanner::Request.new(
+                  verb: request.method,
+                  uri: uri,
+                  headers: request.headers.to_h,
+                  header_normalizer: ->(value) { Array(value).join(", ") }
+                )
+                # Store the request information so the DNS sinks can pick it up.
+                context = Aikido::Zen.current_context
+                if context
+                  prev_request = context["ssrf.request"]
+                  context["ssrf.request"] = wrapped_request
+                end
+                connection = OutboundConnection.from_uri(uri)
+                Helpers.scan(wrapped_request, connection, "request")
+                response = original_call.call
+                Scanners::SSRFScanner.track_redirects(
+                  request: wrapped_request,
+                  response: Scanners::SSRFScanner::Response.new(
+                    status: response.status,
+                    headers: response.headers.to_h,
+                    header_normalizer: ->(value) { Array(value).join(", ") }
+                  )
+                )
+                response
+              ensure
+                context["ssrf.request"] = prev_request if context
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Aikido::Zen::Sinks::Async::HTTP.load_sinks!