RubyGems - aikido-zen - Versions diffs - 1.0.2-aarch64-linux - Mend

aikido-zen 1.0.2-aarch64-linux

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (125) hide show

checksums.yaml +7 -0
data/.aikido +6 -0
data/.ruby-version +1 -0
data/.simplecov +32 -0
data/.standard.yml +3 -0
data/LICENSE +674 -0
data/README.md +148 -0
data/Rakefile +67 -0
data/benchmarks/README.md +22 -0
data/benchmarks/rails7.1_benchmark.js +1 -0
data/benchmarks/rails7.1_sql_injection.js +102 -0
data/docs/banner.svg +202 -0
data/docs/config.md +133 -0
data/docs/proxy.md +10 -0
data/docs/rails.md +112 -0
data/docs/troubleshooting.md +62 -0
data/lib/aikido/zen/actor.rb +146 -0
data/lib/aikido/zen/agent/heartbeats_manager.rb +66 -0
data/lib/aikido/zen/agent.rb +181 -0
data/lib/aikido/zen/api_client.rb +145 -0
data/lib/aikido/zen/attack.rb +217 -0
data/lib/aikido/zen/attack_wave/helpers.rb +457 -0
data/lib/aikido/zen/attack_wave.rb +88 -0
data/lib/aikido/zen/background_worker.rb +52 -0
data/lib/aikido/zen/cache.rb +91 -0
data/lib/aikido/zen/capped_collections.rb +86 -0
data/lib/aikido/zen/collector/event.rb +238 -0
data/lib/aikido/zen/collector/hosts.rb +30 -0
data/lib/aikido/zen/collector/routes.rb +71 -0
data/lib/aikido/zen/collector/sink_stats.rb +95 -0
data/lib/aikido/zen/collector/stats.rb +122 -0
data/lib/aikido/zen/collector/users.rb +32 -0
data/lib/aikido/zen/collector.rb +223 -0
data/lib/aikido/zen/config.rb +312 -0
data/lib/aikido/zen/context/rack_request.rb +27 -0
data/lib/aikido/zen/context/rails_request.rb +47 -0
data/lib/aikido/zen/context.rb +145 -0
data/lib/aikido/zen/detached_agent/agent.rb +79 -0
data/lib/aikido/zen/detached_agent/front_object.rb +41 -0
data/lib/aikido/zen/detached_agent/server.rb +78 -0
data/lib/aikido/zen/detached_agent.rb +2 -0
data/lib/aikido/zen/errors.rb +107 -0
data/lib/aikido/zen/event.rb +116 -0
data/lib/aikido/zen/helpers.rb +24 -0
data/lib/aikido/zen/internals.rb +123 -0
data/lib/aikido/zen/libzen-v0.1.48-aarch64-linux.so +0 -0
data/lib/aikido/zen/middleware/allowed_address_checker.rb +26 -0
data/lib/aikido/zen/middleware/attack_wave_protector.rb +46 -0
data/lib/aikido/zen/middleware/context_setter.rb +26 -0
data/lib/aikido/zen/middleware/fork_detector.rb +23 -0
data/lib/aikido/zen/middleware/middleware.rb +11 -0
data/lib/aikido/zen/middleware/rack_throttler.rb +50 -0
data/lib/aikido/zen/middleware/request_tracker.rb +197 -0
data/lib/aikido/zen/outbound_connection.rb +62 -0
data/lib/aikido/zen/outbound_connection_monitor.rb +23 -0
data/lib/aikido/zen/package.rb +22 -0
data/lib/aikido/zen/payload.rb +50 -0
data/lib/aikido/zen/rails_engine.rb +53 -0
data/lib/aikido/zen/rate_limiter/breaker.rb +61 -0
data/lib/aikido/zen/rate_limiter/bucket.rb +76 -0
data/lib/aikido/zen/rate_limiter/result.rb +31 -0
data/lib/aikido/zen/rate_limiter.rb +50 -0
data/lib/aikido/zen/request/heuristic_router.rb +115 -0
data/lib/aikido/zen/request/rails_router.rb +92 -0
data/lib/aikido/zen/request/schema/auth_discovery.rb +86 -0
data/lib/aikido/zen/request/schema/auth_schemas.rb +54 -0
data/lib/aikido/zen/request/schema/builder.rb +121 -0
data/lib/aikido/zen/request/schema/definition.rb +107 -0
data/lib/aikido/zen/request/schema/empty_schema.rb +28 -0
data/lib/aikido/zen/request/schema.rb +87 -0
data/lib/aikido/zen/request.rb +88 -0
data/lib/aikido/zen/route.rb +96 -0
data/lib/aikido/zen/runtime_settings/endpoints.rb +78 -0
data/lib/aikido/zen/runtime_settings/ip_set.rb +36 -0
data/lib/aikido/zen/runtime_settings/protection_settings.rb +62 -0
data/lib/aikido/zen/runtime_settings/rate_limit_settings.rb +47 -0
data/lib/aikido/zen/runtime_settings.rb +66 -0
data/lib/aikido/zen/scan.rb +75 -0
data/lib/aikido/zen/scanners/path_traversal/helpers.rb +68 -0
data/lib/aikido/zen/scanners/path_traversal_scanner.rb +64 -0
data/lib/aikido/zen/scanners/shell_injection/helpers.rb +159 -0
data/lib/aikido/zen/scanners/shell_injection_scanner.rb +65 -0
data/lib/aikido/zen/scanners/sql_injection_scanner.rb +94 -0
data/lib/aikido/zen/scanners/ssrf/dns_lookups.rb +27 -0
data/lib/aikido/zen/scanners/ssrf/private_ip_checker.rb +97 -0
data/lib/aikido/zen/scanners/ssrf_scanner.rb +266 -0
data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb +55 -0
data/lib/aikido/zen/scanners.rb +7 -0
data/lib/aikido/zen/sink.rb +118 -0
data/lib/aikido/zen/sinks/action_controller.rb +85 -0
data/lib/aikido/zen/sinks/async_http.rb +80 -0
data/lib/aikido/zen/sinks/curb.rb +113 -0
data/lib/aikido/zen/sinks/em_http.rb +83 -0
data/lib/aikido/zen/sinks/excon.rb +118 -0
data/lib/aikido/zen/sinks/file.rb +153 -0
data/lib/aikido/zen/sinks/http.rb +93 -0
data/lib/aikido/zen/sinks/httpclient.rb +95 -0
data/lib/aikido/zen/sinks/httpx.rb +78 -0
data/lib/aikido/zen/sinks/kernel.rb +33 -0
data/lib/aikido/zen/sinks/mysql2.rb +31 -0
data/lib/aikido/zen/sinks/net_http.rb +101 -0
data/lib/aikido/zen/sinks/patron.rb +103 -0
data/lib/aikido/zen/sinks/pg.rb +72 -0
data/lib/aikido/zen/sinks/resolv.rb +62 -0
data/lib/aikido/zen/sinks/socket.rb +85 -0
data/lib/aikido/zen/sinks/sqlite3.rb +46 -0
data/lib/aikido/zen/sinks/trilogy.rb +31 -0
data/lib/aikido/zen/sinks/typhoeus.rb +78 -0
data/lib/aikido/zen/sinks.rb +36 -0
data/lib/aikido/zen/sinks_dsl.rb +250 -0
data/lib/aikido/zen/synchronizable.rb +24 -0
data/lib/aikido/zen/system_info.rb +80 -0
data/lib/aikido/zen/version.rb +10 -0
data/lib/aikido/zen/worker.rb +87 -0
data/lib/aikido/zen.rb +303 -0
data/lib/aikido-zen.rb +3 -0
data/placeholder/.gitignore +4 -0
data/placeholder/README.md +11 -0
data/placeholder/Rakefile +75 -0
data/placeholder/lib/placeholder.rb.template +3 -0
data/placeholder/placeholder.gemspec.template +20 -0
data/tasklib/bench.rake +94 -0
data/tasklib/libzen.rake +133 -0
data/tasklib/wrk.rb +88 -0
metadata +214 -0

data/lib/aikido/zen/collector/sink_stats.rb ADDED Viewed

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+require_relative "../capped_collections"
+module Aikido::Zen
+  # @api private
+  #
+  # Tracks data specific to a single Sink.
+  class Collector::SinkStats
+    # @return [Integer] number of total calls to Sink#scan.
+    attr_accessor :scans
+    # @return [Integer] number of scans where our scanners raised an
+    #   error that was handled.
+    attr_accessor :errors
+    # @return [Integer] number of scans where an attack was detected.
+    attr_accessor :attacks
+    # @return [Integer] number of scans where an attack was detected
+    #   _and_ blocked by the Zen.
+    attr_accessor :blocked_attacks
+    # @return [Set<Float>] keeps the duration of individual scans. If
+    #   this grows to match Config#max_performance_samples, the set is
+    #   cleared and the data is aggregated into #compressed_timings.
+    attr_accessor :timings
+    # @return [Array<CompressedTiming>] list of aggregated stats.
+    attr_accessor :compressed_timings
+    def initialize(name, config)
+      @name = name
+      @config = config
+      @scans = 0
+      @errors = 0
+      @attacks = 0
+      @blocked_attacks = 0
+      @timings = Set.new
+      @compressed_timings = CappedSet.new(@config.max_compressed_stats)
+    end
+    def add_timing(duration)
+      compress_timings if @timings.size >= @config.max_performance_samples
+      @timings << duration
+    end
+    def compress_timings(at: Time.now.utc)
+      return if @timings.empty?
+      list = @timings.sort
+      @timings.clear
+      mean = list.sum / list.size
+      percentiles = percentiles(list, 50, 75, 90, 95, 99)
+      @compressed_timings << CompressedTiming.new(mean, percentiles, at)
+    end
+    def as_json
+      {
+        total: @scans,
+        interceptorThrewError: @errors,
+        withoutContext: 0,
+        attacksDetected: {
+          total: @attacks,
+          blocked: @blocked_attacks
+        },
+        compressedTimings: @compressed_timings.as_json
+      }
+    end
+    private def percentiles(sorted, *scores)
+      return {} if sorted.empty? || scores.empty?
+      scores.map { |p|
+        index = (sorted.size * (p / 100.0)).floor
+        [p, sorted.at(index)]
+      }.to_h
+    end
+    CompressedTiming = Struct.new(:mean, :percentiles, :compressed_at) do
+      def as_json
+        {
+          averageInMs: mean * 1000,
+          percentiles: percentiles.transform_values { |t| t * 1000 },
+          compressedAt: compressed_at.to_i * 1000
+        }
+      end
+    end
+  end
+end

data/lib/aikido/zen/collector/stats.rb ADDED Viewed

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+require_relative "../capped_collections"
+module Aikido::Zen
+  # @api private
+  #
+  # Tracks information about how the Aikido Agent is used in the app.
+  class Collector::Stats
+    # @!visibility private
+    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :attack_waves, :blocked_attack_waves, :sinks
+    # @!visibility private
+    attr_writer :ended_at
+    def initialize(config = Aikido::Zen.config)
+      super()
+      @config = config
+      @started_at = @ended_at = nil
+      @requests = 0
+      @aborted_requests = 0
+      @attack_waves = 0
+      @blocked_attack_waves = 0
+      @sinks = Hash.new { |h, k| h[k] = Collector::SinkStats.new(k, @config) }
+    end
+    # @return [Boolean]
+    def empty?
+      @requests.zero? && @sinks.empty?
+    end
+    # @return [Boolean]
+    def any?
+      !empty?
+    end
+    # Track the timestamp we start tracking this series of stats.
+    #
+    # @param at [Time]
+    # @return [void]
+    def start(at = Time.now.utc)
+      @started_at = at
+    end
+    # Sets the end time for these stats block, freezes it to avoid any more
+    # writing to them, and compresses the timing stats in anticipation of
+    # sending these to the Aikido servers.
+    #
+    # @param at [Time] the time at which we're resetting, which is set as the
+    #   ending time for the returned copy.
+    # @return [void]
+    def flush(at: Time.now.utc)
+      # Make sure the timing stats are compressed before copying, since we
+      # need these compressed when we serialize this for the API.
+      @sinks.each_value { |sink| sink.compress_timings(at: at) }
+      @ended_at = at
+      freeze
+    end
+    # @return [void]
+    def add_request
+      @requests += 1
+    end
+    # @param being_blocked [Boolean] whether the Agent blocked the request
+    # @return [void]
+    def add_attack_wave(being_blocked:)
+      @attack_waves += 1
+      @blocked_attack_waves += 1 if being_blocked
+    end
+    # @param sink_name [String] the name of the sink
+    # @param duration [Float] the length the scan in seconds
+    # @param has_errors [Boolean] whether errors occurred during the scan
+    # @return [void]
+    def add_scan(sink_name, duration, has_errors:)
+      stats = @sinks[sink_name]
+      stats.scans += 1
+      stats.errors += 1 if has_errors
+      stats.add_timing(duration)
+    end
+    # @param sink_name [String] the name of the sink
+    # @param being_blocked [Boolean] whether the Agent blocked the request
+    # @return [void]
+    def add_attack(sink_name, being_blocked:)
+      stats = @sinks[sink_name]
+      stats.attacks += 1
+      stats.blocked_attacks += 1 if being_blocked
+    end
+    def as_json
+      total_attacks, total_blocked = aggregate_attacks_from_sinks
+      {
+        startedAt: @started_at.to_i * 1000,
+        endedAt: (@ended_at.to_i * 1000 if @ended_at),
+        operations: @sinks.transform_values(&:as_json),
+        requests: {
+          total: @requests,
+          aborted: @aborted_requests,
+          attacksDetected: {
+            total: total_attacks,
+            blocked: total_blocked
+          },
+          attackWaves: {
+            total: @attack_waves,
+            blocked: @blocked_attack_waves
+          }
+        }
+      }
+    end
+    private def aggregate_attacks_from_sinks
+      @sinks.each_value.reduce([0, 0]) { |(attacks, blocked), stats|
+        [attacks + stats.attacks, blocked + stats.blocked_attacks]
+      }
+    end
+  end
+end
+require_relative "sink_stats"

data/lib/aikido/zen/collector/users.rb ADDED Viewed

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+require_relative "../capped_collections"
+module Aikido::Zen
+  # @api private
+  #
+  # Keeps track of the users that were seen by the app.
+  class Collector::Users < Aikido::Zen::CappedMap
+    def initialize(config = Aikido::Zen.config)
+      super(config.max_users_tracked)
+    end
+    # @param actor [Aikido::Zen::Actor]
+    # @return [void]
+    def add(actor)
+      if key?(actor.id)
+        self[actor.id] |= actor
+      else
+        self[actor.id] = actor
+      end
+    end
+    def each(&blk)
+      each_value(&blk)
+    end
+    def as_json
+      map(&:as_json)
+    end
+  end
+end

data/lib/aikido/zen/collector.rb ADDED Viewed

@@ -0,0 +1,223 @@
+# frozen_string_literal: true
+require_relative "collector/event"
+module Aikido::Zen
+  # Handles collecting all the runtime statistics to report back to the Aikido
+  # servers.
+  class Collector
+    def initialize(config: Aikido::Zen.config)
+      @config = config
+      @events = Queue.new
+      @stats = Concurrent::AtomicReference.new(Stats.new(@config))
+      @users = Concurrent::AtomicReference.new(Users.new(@config))
+      @hosts = Concurrent::AtomicReference.new(Hosts.new(@config))
+      @routes = Concurrent::AtomicReference.new(Routes.new(@config))
+      @middleware_installed = Concurrent::AtomicBoolean.new
+    end
+    # Add an event, to be handled in the collector in current process or sent
+    # to a collector in another process.
+    #
+    # @param event [Aikido::Zen::Collector::Event] the event to add
+    # @return [void]
+    def add_event(event)
+      @events << event
+    end
+    # @return [Boolean] whether the collector has any events
+    def has_events?
+      !@events.empty?
+    end
+    # Flush all events.
+    #
+    # @return [Array<Aikido::Zen::Collector::Event>]
+    def flush_events
+      Array.new(@events.size) { @events.pop }
+    end
+    # Handle the events in the queue.
+    #
+    # @return [void]
+    def handle
+      flush_events.each { |event| event.handle(self) }
+    end
+    # Flush all the stats into a Heartbeat event that can be reported back to
+    # the Aikido servers.
+    #
+    # @param at [Time] the time at which stats collection stopped and the start
+    #   of the new stats collection period. Defaults to now.
+    # @return [Aikido::Zen::Events::Heartbeat]
+    def flush(at: Time.now.utc)
+      handle
+      stats = @stats.get_and_set(Stats.new(@config))
+      users = @users.get_and_set(Users.new(@config))
+      hosts = @hosts.get_and_set(Hosts.new(@config))
+      routes = @routes.get_and_set(Routes.new(@config))
+      start(at: at)
+      stats = stats.flush(at: at)
+      Aikido::Zen::Events::Heartbeat.new(
+        stats: stats, users: users, hosts: hosts, routes: routes, middleware_installed: middleware_installed?
+      )
+    end
+    # Sets the start time for this collection period.
+    #
+    # @param at [Time] defaults to now.
+    # @return [void]
+    def start(at: Time.now.utc)
+      synchronize(@stats) { |stats| stats.start(at) }
+    end
+    # Track stats about the requests
+    #
+    # @return [void]
+    def track_request
+      add_event(Events::TrackRequest.new)
+    end
+    def handle_track_request
+      synchronize(@stats) { |stats| stats.add_request }
+    end
+    # Track stats about an attack detected by our scanners.
+    #
+    # @param attack [Aikido::Zen::Events::AttackWave]
+    # @return [void]
+    def track_attack_wave(being_blocked:)
+      add_event(Events::TrackAttackWave.new(being_blocked: being_blocked))
+    end
+    def handle_track_attack_wave(being_blocked:)
+      synchronize(@stats) do |stats|
+        stats.add_attack_wave(being_blocked: being_blocked)
+      end
+    end
+    # Track stats about a scan performed by one of our sinks.
+    #
+    # @param scan [Aikido::Zen::Scan]
+    # @return [void]
+    def track_scan(scan)
+      add_event(Events::TrackScan.new(scan.sink.name, scan.duration, has_errors: scan.errors?))
+    end
+    def handle_track_scan(sink_name, duration, has_errors:)
+      synchronize(@stats) do |stats|
+        stats.add_scan(sink_name, duration, has_errors: has_errors)
+      end
+    end
+    # Track stats about an attack detected by our scanners.
+    #
+    # @param attack [Aikido::Zen::Attack]
+    # @return [void]
+    def track_attack(attack)
+      add_event(Events::TrackAttack.new(attack.sink.name, being_blocked: attack.blocked?))
+    end
+    def handle_track_attack(sink_name, being_blocked:)
+      synchronize(@stats) do |stats|
+        stats.add_attack(sink_name, being_blocked: being_blocked)
+      end
+    end
+    # Track the user reported by the developer to be behind this request.
+    #
+    # @param actor [Aikido::Zen::Actor]
+    # @return [void]
+    def track_user(actor)
+      add_event(Events::TrackUser.new(actor))
+    end
+    def handle_track_user(actor)
+      synchronize(@users) { |users| users.add(actor) }
+    end
+    # Track an HTTP connections to an external host.
+    #
+    # @param connection [Aikido::Zen::OutboundConnection]
+    # @return [void]
+    def track_outbound(connection)
+      add_event(Events::TrackOutbound.new(connection))
+    end
+    def handle_track_outbound(connection)
+      synchronize(@hosts) { |hosts| hosts.add(connection) }
+    end
+    # Record the visited endpoint, and if enabled, the API schema for this endpoint.
+    #
+    # @param request [Aikido::Zen::Request]
+    # @return [void]
+    def track_route(request)
+      add_event(Events::TrackRoute.new(request.route, request.schema))
+    end
+    def handle_track_route(route, schema)
+      synchronize(@routes) { |routes| routes.add(route, schema) }
+    end
+    def middleware_installed!
+      @middleware_installed.make_true
+    end
+    # @api private
+    #
+    # @note Visible for testing.
+    def stats
+      handle
+      @stats.get
+    end
+    # @api private
+    #
+    # @note Visible for testing.
+    def users
+      handle
+      @users.get
+    end
+    # @api private
+    #
+    # @note Visible for testing.
+    def hosts
+      handle
+      @hosts.get
+    end
+    # @api private
+    #
+    # @note Visible for testing.
+    def routes
+      handle
+      @routes.get
+    end
+    # @api private
+    #
+    # @note Visible for testing.
+    def middleware_installed?
+      @middleware_installed.true?
+    end
+    # Atomically modify an object's state within a block, ensuring it's safe
+    # from other threads.
+    private def synchronize(object)
+      object.update { |obj| obj.tap { yield obj } }
+    end
+  end
+end
+require_relative "collector/stats"
+require_relative "collector/users"
+require_relative "collector/hosts"
+require_relative "collector/routes"