aikido-zen 1.0.2-aarch64-linux

data/lib/aikido/zen/sinks/curb.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module Curl
+      SINK = Sinks.add("curb", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+
+      module Helpers
+        def self.wrap_request(curl, url: curl.url)
+          Scanners::SSRFScanner::Request.new(
+            verb: nil, # Curb hides this by directly setting an option in C
+            uri: URI(url),
+            headers: curl.headers
+          )
+        end
+
+        def self.wrap_response(curl)
+          # Curb made an… interesting choice by not parsing the response headers
+          # and forcing users to do this manually if they need to look at them.
+          _, *headers = curl.header_str.split(/[\r\n]+/).map(&:strip)
+          headers = headers.flat_map { |str| str.scan(/\A(\S+): (.+)\z/) }.to_h
+
+          if curl.url != curl.last_effective_url
+            status = 302 # We can't know what the original status was, but we just need a 3XX
+            headers["Location"] = curl.last_effective_url
+          else
+            status = curl.status.to_i
+          end
+
+          Scanners::SSRFScanner::Response.new(status: status, headers: headers)
+        end
+
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "curb", ">= 0.2.3"
+          require "curb"
+
+          ::Curl::Easy.class_eval do
+            extend Sinks::DSL
+
+            sink_around :perform do |original_call|
+              wrapped_request = Helpers.wrap_request(self)
+
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
+
+              connection = OutboundConnection.from_uri(URI(url))
+
+              Helpers.scan(wrapped_request, connection, "request")
+
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(self)
+              )
+
+              # When libcurl has follow_location set, it will handle redirections
+              # internally, and expose the "last_effective_url" as the URI that was
+              # last requested in the redirect chain.
+              #
+              # In this case, we can't actually stop the request from happening, but
+              # we can scan again (now that we know another request happened), to
+              # stop the response from being exposed to the user. This downgrades
+              # the SSRF into a blind SSRF, which is better than doing nothing.
+              if url != last_effective_url
+                last_effective_request = Helpers.wrap_request(self, url: last_effective_url)
+
+                # Code coverage is disabled here because the else clause is a no-op,
+                # so there is nothing to cover.
+                # :nocov:
+                if context
+                  context["ssrf.request"] = last_effective_request
+                else
+                  # empty
+                end
+                # :nocov:
+
+                connection = OutboundConnection.from_uri(URI(last_effective_url))
+
+                Helpers.scan(last_effective_request, connection, "request")
+              end
+
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::Curl.load_sinks!

data/lib/aikido/zen/sinks/em_http.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module EventMachine
+      module HttpRequest
+        SINK = Sinks.add("em-http-request", scanners: [
+          Scanners::SSRFScanner,
+          OutboundConnectionMonitor
+        ])
+
+        module Helpers
+          def self.scan(request, connection, operation)
+            SINK.scan(
+              request: request,
+              connection: connection,
+              operation: operation
+            )
+          end
+        end
+
+        def self.load_sinks!
+          if Aikido::Zen.satisfy "em-http-request", ">= 1.0"
+            require "em-http-request"
+
+            ::EventMachine::HttpRequest.use(EventMachine::HttpRequest::Middleware)
+
+            # NOTE: We can't use middleware to intercept requests as we want to ensure any
+            # modifications to the request from user-supplied middleware are already applied
+            # before we scan the request.
+            ::EventMachine::HttpClient.class_eval do
+              extend Sinks::DSL
+
+              sink_before :send_request do
+                wrapped_request = Scanners::SSRFScanner::Request.new(
+                  verb: req.method.to_s,
+                  uri: URI(req.uri),
+                  headers: req.headers
+                )
+
+                # Store the request information so the DNS sinks can pick it up.
+                context = Aikido::Zen.current_context
+                context["ssrf.request"] = wrapped_request if context
+
+                connection = OutboundConnection.new(
+                  host: req.host,
+                  port: req.port
+                )
+
+                Helpers.scan(wrapped_request, connection, "request")
+              end
+            end
+          end
+        end
+
+        class Middleware
+          def response(client)
+            # Store the request information so the DNS sinks can pick it up.
+            context = Aikido::Zen.current_context
+            context["ssrf.request"] = nil if context
+
+            Scanners::SSRFScanner.track_redirects(
+              request: Scanners::SSRFScanner::Request.new(
+                verb: client.req.method,
+                uri: URI(client.req.uri),
+                headers: client.req.headers
+              ),
+              response: Scanners::SSRFScanner::Response.new(
+                status: client.response_header.status,
+                headers: client.response_header.to_h
+              )
+            )
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::EventMachine::HttpRequest.load_sinks!

data/lib/aikido/zen/sinks/excon.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module Excon
+      SINK = Sinks.add("excon", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+
+      module Helpers
+        def self.build_request(connection, request)
+          uri = URI(format("%<scheme>s://%<host>s:%<port>i%<path>s", {
+            scheme: request.fetch(:scheme) { connection[:scheme] },
+            host: request.fetch(:hostname) { connection[:hostname] },
+            port: request.fetch(:port) { connection[:port] },
+            path: request.fetch(:path) { connection[:path] }
+          }))
+          uri.query = request.fetch(:query) { connection[:query] }
+
+          Scanners::SSRFScanner::Request.new(
+            verb: request.fetch(:method) { connection[:method] },
+            uri: uri,
+            headers: connection[:headers].to_h.merge(request[:headers].to_h)
+          )
+        end
+
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "excon", ">= 0.50.0"
+          require "excon"
+
+          ::Excon::Connection.class_eval do
+            extend Sinks::DSL
+
+            sink_around :request do |original_call, params = {}|
+              request = Helpers.build_request(@data, params)
+
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = request
+              end
+
+              connection = OutboundConnection.from_uri(request.uri)
+
+              Helpers.scan(request, connection, "request")
+
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: request,
+                response: Scanners::SSRFScanner::Response.new(
+                  status: response.status,
+                  headers: response.headers.to_h
+                )
+              )
+
+              response
+            rescue Sinks::DSL::PresafeError => err
+              outer_cause = err.cause
+              case outer_cause
+              when ::Excon::Error::Socket
+                inner_cause = outer_cause.cause
+                # Excon wraps errors inside the lower level layer. This only happens
+                # to our scanning exceptions when a request is using RedirectFollower,
+                # so we unwrap them when it happens so host apps can handle errors
+                # consistently.
+                raise inner_cause if inner_cause.is_a?(Aikido::Zen::UnderAttackError)
+              end
+              raise
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
+
+          ::Excon::Middleware::RedirectFollower.class_eval do
+            extend Sinks::DSL
+
+            sink_before :response_call do |datum|
+              response = datum[:response]
+
+              # Code coverage is disabled here because the else clause is a no-op,
+              # so there is nothing to cover.
+              # :nocov:
+              if !response.nil?
+                Scanners::SSRFScanner.track_redirects(
+                  request: Helpers.build_request(datum, {}),
+                  response: Scanners::SSRFScanner::Response.new(
+                    status: response[:status],
+                    headers: response[:headers]
+                  )
+                )
+              else
+                # empty
+              end
+              # :nocov:
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::Excon.load_sinks!

data/lib/aikido/zen/sinks/file.rb

@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Sinks
+    module File
+      SINK = Sinks.add("File", scanners: [Scanners::PathTraversalScanner])
+
+      module Helpers
+        def self.scan(filepath, operation)
+          SINK.scan(
+            filepath: filepath,
+            operation: operation
+          )
+        end
+      end
+
+      def self.load_sinks!
+        ::File.singleton_class.class_eval do
+          extend Sinks::DSL
+
+          # Create a copy of the original methods for internal use only to prevent
+          # recursion in PathTraversalScanner.
+          #
+          # IMPORTANT: The aliases must be created before the method is overridden.
+          alias_method :expand_path__internal_for_aikido_zen, :expand_path
+          alias_method :join__internal_for_aikido_zen, :join
+
+          sink_before :open do |path|
+            Helpers.scan(path, "open")
+          end
+
+          sink_before :read do |path|
+            Helpers.scan(path, "read")
+          end
+
+          sink_before :write do |path|
+            Helpers.scan(path, "write")
+          end
+
+          sink_before :truncate do |file_name|
+            Helpers.scan(file_name, "truncate")
+          end
+
+          sink_before :rename do |old_name, new_name|
+            Helpers.scan(old_name, "rename")
+            Helpers.scan(new_name, "rename")
+          end
+
+          sink_before :unlink do |*file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "unlink")
+            end
+          end
+
+          sink_before :delete do |*file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "delete")
+            end
+          end
+
+          sink_before :symlink do |old_name, new_name|
+            Helpers.scan(old_name, "symlink")
+            Helpers.scan(new_name, "symlink")
+          end
+
+          sink_before :chmod do |_mode_int, *file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "chmod")
+            end
+          end
+
+          sink_before :chown do |_owner_int, group_int, *file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "chown")
+            end
+          end
+
+          sink_before :utime do |_atime, _mtime, *file_names|
+            file_names.each do |file_name|
+              Helpers.scan(file_name, "utime")
+            end
+          end
+
+          def join(*args, **kwargs, &blk)
+            if Aikido::Zen.config.harden?
+              # IMPORTANT: THE BEHAVIOR OF THIS METHOD IS CHANGED!
+              #
+              # File.join has undocumented behavior:
+              #
+              # File.join recursively joins nested string arrays.
+              #
+              # This prevents path traversal detection when an array originates
+              # from user input that was assumed to be a string.
+              #
+              # This undocumented behavior has been restricted to support path
+              # traversal detection.
+              #
+              # File.join no longer joins nested string arrays, but still accepts
+              # a single string array argument.
+
+              # File.join is often incorrectly called with a single array argument.
+              #
+              # i.e.
+              #
+              # File.join(["prefix", "filename"])
+              #
+              # This is considered acceptable.
+              #
+              # Calling File.join with a single string argument returns the string
+              # argument itself, having no practical effect. Therefore, it can be
+              # presumed that if File.join is called with a single array argument
+              # then this was its intended usage, and the array did not originate
+              # from user input that was assumed to be a string.
+              strings = args
+              strings = args.first if args.size == 1 && args.first.is_a?(Array)
+              strings.each do |string|
+                raise TypeError.new("Zen prevented implicit conversion of Array to String in hardened method. Visit https://github.com/AikidoSec/firewall-ruby for more information.") if string.is_a?(Array)
+              end
+            end
+
+            result = join__internal_for_aikido_zen(*args, **kwargs, &blk)
+            Sinks::DSL.safe do
+              Helpers.scan(result, "join")
+            end
+            result
+          end
+
+          sink_before :expand_path do |file_name|
+            Helpers.scan(file_name, "expand_path")
+          end
+
+          sink_before :realpath do |file_name|
+            Helpers.scan(file_name, "realpath")
+          end
+
+          sink_before :realdirpath do |file_name|
+            Helpers.scan(file_name, "realdirpath")
+          end
+        end
+
+        ::File.class_eval do
+          extend Sinks::DSL
+
+          sink_before :initialize do |path|
+            Helpers.scan(path, "new")
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::File.load_sinks!

data/lib/aikido/zen/sinks/http.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module HTTP
+      SINK = Sinks.add("http", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+
+      module Helpers
+        # Maps an HTTP Request to an Aikido OutboundConnection.
+        #
+        # @param req [HTTP::Request]
+        # @return [Aikido::Zen::OutboundConnection]
+        def self.build_outbound(req)
+          OutboundConnection.new(
+            host: req.socket_host,
+            port: req.socket_port
+          )
+        end
+
+        # Wraps the HTTP request with an API we can depend on.
+        #
+        # @param req [HTTP::Request]
+        # @return [Aikido::Zen::Scanners::SSRFScanner::Request]
+        def self.wrap_request(req)
+          Scanners::SSRFScanner::Request.new(
+            verb: req.verb,
+            uri: URI(req.uri.to_s),
+            headers: req.headers.to_h
+          )
+        end
+
+        def self.wrap_response(resp)
+          Scanners::SSRFScanner::Response.new(
+            status: resp.status,
+            headers: resp.headers.to_h
+          )
+        end
+
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+      end
+
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "http", ">= 1.0"
+          require "http"
+
+          ::HTTP::Client.class_eval do
+            extend Sinks::DSL
+
+            sink_around :perform do |original_call, req|
+              wrapped_request = Helpers.wrap_request(req)
+
+              # Store the request information so the DNS sinks can pick it up.
+              context = Aikido::Zen.current_context
+              if context
+                prev_request = context["ssrf.request"]
+                context["ssrf.request"] = wrapped_request
+              end
+
+              connection = Helpers.build_outbound(req)
+
+              Helpers.scan(wrapped_request, connection, "request")
+
+              response = original_call.call
+
+              Scanners::SSRFScanner.track_redirects(
+                request: wrapped_request,
+                response: Helpers.wrap_response(response)
+              )
+
+              response
+            ensure
+              context["ssrf.request"] = prev_request if context
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::HTTP.load_sinks!

data/lib/aikido/zen/sinks/httpclient.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require_relative "../scanners/ssrf_scanner"
+require_relative "../outbound_connection_monitor"
+
+module Aikido::Zen
+  module Sinks
+    module HTTPClient
+      SINK = Sinks.add("httpclient", scanners: [
+        Scanners::SSRFScanner,
+        OutboundConnectionMonitor
+      ])
+
+      module Helpers
+        def self.wrap_request(req)
+          Scanners::SSRFScanner::Request.new(
+            verb: req.http_header.request_method,
+            uri: req.http_header.request_uri,
+            headers: req.headers
+          )
+        end
+
+        def self.wrap_response(resp)
+          # Code coverage is disabled here because `do_get_header` is not called,
+          # because WebMock does not mock it.
+          # :nocov:
+          Scanners::SSRFScanner::Response.new(
+            status: resp.http_header.status_code,
+            headers: resp.headers
+          )
+          # :nocov:
+        end
+
+        def self.scan(request, connection, operation)
+          SINK.scan(
+            request: request,
+            connection: connection,
+            operation: operation
+          )
+        end
+
+        def self.sink(req, &block)
+          wrapped_request = wrap_request(req)
+          connection = OutboundConnection.from_uri(req.http_header.request_uri)
+
+          # Store the request information so the DNS sinks can pick it up.
+          context = Aikido::Zen.current_context
+          if context
+            prev_request = context["ssrf.request"]
+            context["ssrf.request"] = wrapped_request
+          end
+
+          scan(wrapped_request, connection, "request")
+
+          yield
+        ensure
+          context["ssrf.request"] = prev_request if context
+        end
+      end
+
+      def self.load_sinks!
+        if Aikido::Zen.satisfy "httpclient", ">= 2.0"
+          require "httpclient"
+
+          ::HTTPClient.class_eval do
+            extend Sinks::DSL
+
+            private
+
+            sink_around :do_get_block do |original_call, req|
+              Helpers.sink(req, &original_call)
+            end
+
+            sink_around :do_get_stream do |original_call, req|
+              Helpers.sink(req, &original_call)
+            end
+
+            sink_after :do_get_header do |_result, req, res, _sess|
+              # Code coverage is disabled here because `do_get_header` is not called,
+              # because WebMock does not mock it.
+              # :nocov:
+              Scanners::SSRFScanner.track_redirects(
+                request: Helpers.wrap_request(req),
+                response: Helpers.wrap_response(res)
+              )
+              # :nocov:
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Aikido::Zen::Sinks::HTTPClient.load_sinks!