aikido-zen 1.0.2-aarch64-linux

data/lib/aikido/zen/config.rb

@@ -0,0 +1,312 @@
+# frozen_string_literal: true
+
+require "uri"
+require "json"
+require "logger"
+
+require_relative "context"
+
+module Aikido::Zen
+  class Config
+    # @return [Boolean] whether Aikido should be turned completely off (no
+    #   intercepting calls to protect the app, no agent process running, no
+    #   middleware installed). Defaults to false (so, enabled). Can be set
+    #   via the AIKIDO_DISABLE environment variable.
+    attr_accessor :disabled
+    alias_method :disabled?, :disabled
+
+    # @return [Boolean] whether Aikido should only report infractions or block
+    #   the request by raising an Exception. Defaults to whether AIKIDO_BLOCK
+    #   is set to a non-empty value in your environment, or +false+ otherwise.
+    attr_accessor :blocking_mode
+    alias_method :blocking_mode?, :blocking_mode
+
+    # @return [URI] The HTTP host for the Aikido API. Defaults to
+    #   +https://guard.aikido.dev+.
+    attr_reader :api_endpoint
+
+    # @return [URI] The HTTP host for the Aikido Runtime API. Defaults to
+    #   +https://runtime.aikido.dev+.
+    attr_reader :realtime_endpoint
+
+    # @return [Hash] HTTP timeouts for communicating with the API.
+    attr_reader :api_timeouts
+
+    # @return [String] the token obtained when configuring the Firewall in the
+    #   Aikido interface.
+    attr_accessor :api_token
+
+    # @return [Integer] the interval in seconds to poll the runtime API for
+    #   settings changes. Defaults to evey 60 seconds.
+    attr_accessor :polling_interval
+
+    # @return [Array<Integer>] the delays in seconds to wait before sending
+    #   each initial heartbeat event.
+    attr_accessor :initial_heartbeat_delays
+
+    # @return [#call] Callable that can be passed an Object and returns a String
+    #   of JSON. Defaults to the standard library's JSON.dump method.
+    attr_accessor :json_encoder
+
+    # @return [#call] Callable that can be passed a JSON string and parses it
+    #   into an Object. Defaults to the standard library's JSON.parse method.
+    attr_accessor :json_decoder
+
+    # @return [Logger]
+    attr_reader :logger
+
+    # @return [String] Path of the socket where the detached agent will listen.
+    # By default, is stored under the root application path with file name
+    # `aikido-detached-agent.sock`
+    attr_accessor :detached_agent_socket_path
+
+    # @return [Boolean] is the agent in debugging mode?
+    attr_accessor :debugging
+    alias_method :debugging?, :debugging
+
+    # @return [String] environment specific HTTP header providing the client IP.
+    attr_accessor :client_ip_header
+
+    # @return [Integer] maximum number of timing measurements to keep in memory
+    #   before compressing them.
+    attr_accessor :max_performance_samples
+
+    # @return [Integer] maximum number of compressed performance samples to keep
+    #   in memory. If we take more than this before reporting them to Aikido, we
+    #   will discard the oldest samples.
+    attr_accessor :max_compressed_stats
+
+    # @return [Integer] maximum number of connections to outbound hosts to keep
+    #   in memory in order to report them in the next heartbeat event. If new
+    #   connections are added to the set before reporting them to Aikido, we
+    #   will discard the oldest data point.
+    attr_accessor :max_outbound_connections
+
+    # @return [Integer] maximum number of users tracked via Zen.track_user to
+    #   share with the Aikido servers on the next heartbeat event. If more
+    #   unique users (by their ID) are tracked than this number, we will discard
+    #   the oldest seen users.
+    attr_accessor :max_users_tracked
+
+    # @return [Proc{(Aikido::Zen::Request, Symbol) => Array(Integer, Hash, #each)}]
+    #   Rack handler used to respond to requests from IPs, users or others blocked in the Aikido
+    #   dashboard.
+    attr_accessor :blocked_responder
+
+    # @return [Proc{Aikido::Zen::Request => Array(Integer, Hash, #each)}]
+    #   Rack handler used to respond to requests that have been rate limited.
+    attr_accessor :rate_limited_responder
+
+    # @return [Proc{Aikido::Zen::Request => String}] a proc that reads
+    #   information off the current request and returns a String to
+    #   differentiate different clients. By default this uses the request IP.
+    attr_accessor :rate_limiting_discriminator
+
+    # @return [Boolean] whether Aikido Zen should collect api schemas.
+    #   Defaults to true. Can be set through AIKIDO_FEATURE_COLLECT_API_SCHEMA
+    #   environment variable.
+    attr_accessor :collect_api_schema
+    alias_method :collect_api_schema?, :collect_api_schema
+
+    # @return [Integer] max number of requests we sample per endpoint when
+    #   computing the schema.
+    attr_accessor :api_schema_max_samples
+
+    # @api private
+    # @return [Integer] max number of levels deep we want to read a nested
+    #   strcture for performance reasons.
+    attr_accessor :api_schema_collection_max_depth
+
+    # @api private
+    # @return [Integer] max number of properties that we want to inspect per
+    #   level of the structure for performance reasons.
+    attr_accessor :api_schema_collection_max_properties
+
+    # @api private
+    # @return [Proc<Hash => Aikido::Zen::Context>] callable that takes a
+    #   Rack-compatible env Hash and returns a Context object with an HTTP
+    #   request. This is meant to be overridden by each framework adapter.
+    attr_accessor :request_builder
+
+    # @api private
+    # @return [Integer] number of seconds to perform client-side rate limiting
+    #   of events sent to the server.
+    attr_accessor :client_rate_limit_period
+
+    # @api private
+    # @return [Integer] max number of events sent during a sliding
+    #   {client_rate_limit_period} window.
+    attr_accessor :client_rate_limit_max_events
+
+    # @api private
+    # @return [Integer] number of seconds to wait before sending an event after
+    #   the server returns a 429 response.
+    attr_accessor :server_rate_limit_deadline
+
+    # @return [Boolean] whether Aikido Zen should scan for stored SSSRF attacks.
+    #   Defaults to true. Can be set through AIKIDO_FEATURE_STORED_SSRF
+    #   environment variable.
+    attr_accessor :stored_ssrf
+    alias_method :stored_ssrf?, :stored_ssrf
+
+    # @return [Array<String>] when checking for stored SSRF attacks, we want to
+    #   allow known hosts that should be able to resolve to the IMDS service.
+    attr_accessor :imds_allowed_hosts
+
+    # @return [Boolean] whether Aikido Zen should harden methods where possible.
+    #   Defaults to true. Can be set through AIKIDO_HARDEN environment variable.
+    attr_accessor :harden
+    alias_method :harden?, :harden
+
+    # @return [Integer] how many suspicious requests are allowed before an
+    #   attack wave detected event is reported.
+    #   Defaults to 15 requests.
+    attr_accessor :attack_wave_threshold
+
+    # @return [Integer] the minimum time in milliseconds between requests for
+    #   requests to be part of an attack wave.
+    #   Defaults to 1 minute in milliseconds.
+    attr_accessor :attack_wave_min_time_between_requests
+
+    # @return [Integer] the minimum time in milliseconds between reporting
+    #   attack wave events.
+    #   Defaults to 20 minutes in milliseconds.
+    attr_accessor :attack_wave_min_time_between_events
+
+    # @return [Integer] the maximum number of entries in the LRU cache.
+    #   Defaults to 10,000 entries.
+    attr_accessor :attack_wave_max_cache_entries
+
+    def initialize
+      self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLE", false)) || read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
+      self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK", false))
+      self.api_timeouts = 10
+      self.api_endpoint = ENV.fetch("AIKIDO_ENDPOINT", DEFAULT_AIKIDO_ENDPOINT)
+      self.realtime_endpoint = ENV.fetch("AIKIDO_REALTIME_ENDPOINT", DEFAULT_RUNTIME_BASE_URL)
+      self.api_token = ENV.fetch("AIKIDO_TOKEN", nil)
+      self.polling_interval = 60 # 1 min
+      self.initial_heartbeat_delays = [30, 60 * 2] # 30 sec, 2 min
+      self.json_encoder = DEFAULT_JSON_ENCODER
+      self.json_decoder = DEFAULT_JSON_DECODER
+      self.debugging = read_boolean_from_env(ENV.fetch("AIKIDO_DEBUG", false))
+      self.logger = Logger.new($stdout, progname: "aikido", level: debugging ? Logger::DEBUG : Logger::INFO)
+      self.detached_agent_socket_path = ENV.fetch("AIKIDO_DETACHED_AGENT_SOCKET_PATH", DEFAULT_DETACHED_AGENT_SOCKET_PATH)
+      self.client_ip_header = ENV.fetch("AIKIDO_CLIENT_IP_HEADER", nil)
+      self.max_performance_samples = 5000
+      self.max_compressed_stats = 100
+      self.max_outbound_connections = 200
+      self.max_users_tracked = 1000
+      self.request_builder = Aikido::Zen::Context::RACK_REQUEST_BUILDER
+      self.blocked_responder = DEFAULT_BLOCKED_RESPONDER
+      self.rate_limited_responder = DEFAULT_RATE_LIMITED_RESPONDER
+      self.rate_limiting_discriminator = DEFAULT_RATE_LIMITING_DISCRIMINATOR
+      self.server_rate_limit_deadline = 30 * 60 # 30 min
+      self.client_rate_limit_period = 60 * 60 # 1 hour
+      self.client_rate_limit_max_events = 100
+      self.collect_api_schema = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_COLLECT_API_SCHEMA", true))
+      self.api_schema_max_samples = Integer(ENV.fetch("AIKIDO_MAX_API_DISCOVERY_SAMPLES", 10))
+      self.api_schema_collection_max_depth = 20
+      self.api_schema_collection_max_properties = 20
+      self.stored_ssrf = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_STORED_SSRF", true))
+      self.imds_allowed_hosts = ["metadata.google.internal", "metadata.goog"]
+      self.harden = read_boolean_from_env(ENV.fetch("AIKIDO_HARDEN", true))
+      self.attack_wave_threshold = 15
+      self.attack_wave_min_time_between_requests = 60 * 1000 # 1 min (ms)
+      self.attack_wave_min_time_between_events = 20 * 60 * 1000 # 20 min (ms)
+      self.attack_wave_max_cache_entries = 10_000
+    end
+
+    # Set the base URL for API requests.
+    #
+    # @param url [String, URI]
+    def api_endpoint=(url)
+      @api_endpoint = URI(url)
+    end
+
+    # Set the base URL for runtime API requests.
+    #
+    # @param url [String, URI]
+    def realtime_endpoint=(url)
+      @realtime_endpoint = URI(url)
+    end
+
+    # Set the logger and configure its severity level according to agent's debug mode
+    # @param logger [::Logger]
+    def logger=(logger)
+      @logger = logger
+      @logger.level = Logger::DEBUG if debugging
+    end
+
+    # @overload def api_timeouts=(timeouts)
+    #   Configure granular connection timeouts for the Aikido Zen API. You
+    #   can set any of these per call.
+    #   @param timeouts [Hash]
+    #   @option timeouts [Integer] :open_timeout Duration in seconds.
+    #   @option timeouts [Integer] :read_timeout Duration in seconds.
+    #   @option timeouts [Integer] :write_timeout Duration in seconds.
+    #
+    # @overload def api_timeouts=(duration)
+    #   Configure the connection timeouts for the Aikido Zen API.
+    #   @param duration [Integer] Duration in seconds to set for all three
+    #     timeouts (open, read, and write).
+    def api_timeouts=(value)
+      value = {open_timeout: value, read_timeout: value, write_timeout: value} if value.respond_to?(:to_int)
+
+      @api_timeouts ||= {}
+      @api_timeouts.update(value)
+    end
+
+    def detached_agent_socket_uri
+      "drbunix:" + @detached_agent_socket_path
+    end
+
+    private
+
+    def read_boolean_from_env(value)
+      return value unless value.respond_to?(:to_str)
+
+      case value.to_str.strip
+      when "false", "", "0", "f"
+        false
+      else
+        true
+      end
+    end
+
+    # @!visibility private
+    DEFAULT_AIKIDO_ENDPOINT = "https://guard.aikido.dev"
+
+    # @!visibility private
+    DEFAULT_RUNTIME_BASE_URL = "https://runtime.aikido.dev"
+
+    # @!visibility private
+    DEFAULT_JSON_ENCODER = JSON.method(:dump)
+
+    # @!visibility private
+    DEFAULT_JSON_DECODER = JSON.method(:parse)
+
+    # @!visibility private
+    DEFAULT_DETACHED_AGENT_SOCKET_PATH = "aikido-detached-agent.sock"
+
+    # @!visibility private
+    DEFAULT_BLOCKED_RESPONDER = ->(request, blocking_type) do
+      message = case blocking_type
+      when :ip
+        format("Your IP address is not allowed to access this resource. (Your IP: %s)", request.ip)
+      else
+        "You are blocked by Zen."
+      end
+      [403, {"Content-Type" => "text/plain"}, [message]]
+    end
+
+    # @!visibility private
+    DEFAULT_RATE_LIMITED_RESPONDER = ->(request) do
+      [429, {"Content-Type" => "text/plain"}, ["Too many requests."]]
+    end
+
+    # @!visibility private
+    DEFAULT_RATE_LIMITING_DISCRIMINATOR = ->(request) {
+      request.actor ? "actor:#{request.actor.id}" : request.ip
+    }
+  end
+end

data/lib/aikido/zen/context/rack_request.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require_relative "../request"
+require_relative "../request/heuristic_router"
+
+module Aikido::Zen
+  # @!visibility private
+  Context::RACK_REQUEST_BUILDER = ->(env) do
+    # Normalize PATH_INFO so routes are correctly recognized in middleware.
+    env["PATH_INFO"] = Helpers.normalize_path(env["PATH_INFO"])
+
+    delegate = Rack::Request.new(env)
+    router = Aikido::Zen::Request::HeuristicRouter.new
+    request = Aikido::Zen::Request.new(delegate, framework: "rack", router: router)
+
+    Context.new(request) do |req|
+      {
+        query: req.GET,
+        body: req.POST,
+        route: {},
+        header: req.normalized_headers,
+        cookie: req.cookies,
+        subdomain: []
+      }
+    end
+  end
+end

data/lib/aikido/zen/context/rails_request.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require_relative "../request"
+require_relative "../request/rails_router"
+
+module Aikido::Zen
+  module Rails
+    def self.router
+      @router ||= Request::RailsRouter.new(::Rails.application.routes)
+    end
+  end
+
+  # @!visibility private
+  Context::RAILS_REQUEST_BUILDER = ->(env) do
+    # Normalize PATH_INFO so routes are correctly recognized in middleware.
+    env["PATH_INFO"] = Helpers.normalize_path(env["PATH_INFO"])
+
+    # Duplicate the Rack environment to prevent unexpected modifications from
+    # breaking Rails routing.
+    delegate = ActionDispatch::Request.new(env.dup)
+    request = Aikido::Zen::Request.new(
+      delegate, framework: "rails", router: Rails.router
+    )
+
+    decrypt_cookies = ->(req) do
+      return req.cookies unless req.respond_to?(:cookie_jar)
+
+      req.cookie_jar.map { |key, value|
+        plain_text = req.cookie_jar.encrypted[key].presence ||
+          req.cookie_jar.signed[key].presence ||
+          value
+        [key, plain_text]
+      }.to_h
+    end
+
+    Context.new(request) do |req|
+      {
+        query: req.query_parameters,
+        body: req.request_parameters,
+        route: req.path_parameters,
+        header: req.normalized_headers,
+        cookie: decrypt_cookies.call(req),
+        subdomain: req.subdomains
+      }
+    end
+  end
+end

data/lib/aikido/zen/context.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+require "forwardable"
+
+require_relative "request"
+require_relative "payload"
+
+module Aikido::Zen
+  class Context
+    # Build a Context object for the current HTTP request based on the currently
+    # configured request builder.
+    #
+    # @param env [Hash] the Rack env hash.
+    # @param config [Aikido::Zen::Config]
+    # @return [Aikido::Zen::Context]
+    def self.from_rack_env(env, config = Aikido::Zen.config)
+      config.request_builder.call(env)
+    end
+
+    # @return [Aikido::Zen::Request]
+    attr_reader :request
+
+    # @return [Boolean]
+    attr_accessor :scanning
+
+    # @param request [Rack::Request] a Request object that implements the
+    #   Rack::Request API, to which we will delegate behavior.
+    # @param settings [Aikido::Zen::RuntimeSettings]
+    #
+    # @yieldparam request [Rack::Request] the given request object.
+    # @yieldreturn [Hash<Symbol, #flat_map>] map of payload source types
+    #   to the actual data from the request to populate them.
+    def initialize(request, settings: Aikido::Zen.runtime_settings, &sources)
+      @request = request
+      @settings = settings
+      @payload_sources = sources
+      @metadata = {}
+      @scanning = false
+    end
+
+    # Fetch some metadata stored in the Context.
+    #
+    # @param key [String]
+    # @return [Object, nil]
+    def [](key)
+      @metadata[key]
+    end
+
+    # Store some metadata in the Context so other Scanners can use it.
+    #
+    # @param key [String]
+    # @param value [Object]
+    # @return [void]
+    def []=(key, value)
+      @metadata[key] = value
+    end
+
+    # Overrides the current request, and invalidates any memoized data obtained
+    # from it. This is useful for scenarios where setting the request in the
+    # middleware isn't enough, such as Rails, where the router modifies it after
+    # the middleware has seen it.
+    #
+    # @param new_request [Rack::Request]
+    # @return [void]
+    def update_request(new_request)
+      @payloads = nil
+      request.__setobj__(new_request)
+    end
+
+    # @return [Array<Aikido::Zen::Payload>] list of user inputs from all the
+    #   different sources we recognize.
+    def payloads
+      @payloads ||= payload_sources.flat_map do |source, data|
+        extract_payloads_from(data, source)
+      end
+    end
+
+    # @return [Boolean] whether attack protection for the currently requested
+    #   endpoint was disabled on the Aikido dashboard, or if the source IP for
+    #   this request is in the "Bypass List".
+    def protection_disabled?
+      return false if request.nil?
+
+      !@settings.endpoints.match(request.route).all?(&:protected?) ||
+        @settings.allowed_ips.include?(request.ip)
+    end
+
+    # @!visibility private
+    def payload_sources
+      @payload_sources.call(request)
+    end
+
+    private
+
+    # @!visibility private
+    def extract_payloads_from(data, source_type, prefix = nil)
+      if data.respond_to?(:to_hash)
+        data.to_hash.flat_map do |key, value|
+          extract_payloads_from(value, source_type, [prefix, key].compact.join("."))
+        end
+      elsif data.respond_to?(:to_ary)
+        array = data.to_ary
+        return array if array.empty?
+
+        payloads = array.flat_map.with_index do |value, index|
+          extract_payloads_from(value, source_type, [prefix, index].compact.join("."))
+        end
+
+        unless Aikido::Zen.config.harden?
+          # Special case for File.join given a possibly nested array of strings,
+          # as might occur when a query parameter is an array.
+          begin
+            string = File.join__internal_for_aikido_zen(*array)
+            if unsafe_path?(string)
+              payloads << Payload.new(string, source_type, [prefix, "__File.join__"].compact.join("."))
+            end
+          rescue
+            # Could not create special payload for File.join.
+          end
+        end
+
+        payloads
+      else
+        [Payload.new(data, source_type, prefix.to_s)]
+      end
+    end
+
+    def unsafe_path?(filepath)
+      normalized_filepath = Pathname.new(filepath).cleanpath.to_s.downcase
+
+      Scanners::PathTraversal::DANGEROUS_PATH_PARTS.each do |dangerous_path_part|
+        return true if normalized_filepath.include?(dangerous_path_part)
+      end
+
+      Scanners::PathTraversal::DANGEROUS_PATH_STARTS.each do |dangerous_path_start|
+        return true if normalized_filepath.start_with?(dangerous_path_start)
+      end
+
+      false
+    end
+  end
+end
+
+require_relative "context/rack_request"
+require_relative "context/rails_request"

data/lib/aikido/zen/detached_agent/agent.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require "drb/drb"
+require "drb/unix"
+require_relative "front_object"
+require_relative "../background_worker"
+
+module Aikido::Zen::DetachedAgent
+  # Agent that runs in forked processes. It communicates with the parent process to dRB
+  # calls. It's in charge of schedule and send heartbeats to the *parent process*, to be
+  # later pushed.
+  #
+  # heartbeat & polling interval are configured to 10s , because they are connecting with
+  # parent process. We want to have the freshest data.
+  #
+  # It's possible to use `extend Forwardable` here for one-line forward calls to the
+  # @front_object object. Unfortunately, the methods to be called are
+  # created at runtime by `DRbObject`, which leads to an ugly warning about
+  # private methods after the delegator is bound.
+  class Agent
+    attr_reader :worker
+
+    def initialize(
+      config: Aikido::Zen.config,
+      worker: Aikido::Zen::Worker.new(config: config),
+      heartbeat_interval: 10,
+      polling_interval: 10,
+      collector: Aikido::Zen.collector
+    )
+      @config = config
+      @worker = worker
+      @heartbeat_interval = heartbeat_interval
+      @polling_interval = polling_interval
+
+      @collector = collector
+
+      @front_object = DRbObject.new_with_uri(config.detached_agent_socket_uri)
+
+      @has_forked = false
+      schedule_tasks
+    end
+
+    def send_collector_events
+      events_data = @collector.flush_events.map(&:as_json)
+      @front_object.send_collector_events(events_data)
+    end
+
+    def calculate_rate_limits(request)
+      @front_object.calculate_rate_limits(request.route.as_json, request.ip, request.actor.as_json)
+    end
+
+    # Every time a fork occurs (a new child process is created), we need to start
+    # a DRb service in a background thread within the child process. This service
+    # will manage the connection and handle resource cleanup.
+    def handle_fork
+      @has_forked = true
+      DRb.start_service
+      # we need to ensure that there are not more jobs in the queue, but
+      # we reuse the same object
+      @worker.restart
+      schedule_tasks
+    end
+
+    private
+
+    def schedule_tasks
+      @worker.every(@heartbeat_interval, run_now: false) { send_collector_events }
+
+      # Runtime_settings fetch must happens only in the child processes, otherwise, due to
+      # we are updating the global runtime_settings, we could have an infinite recursion.
+      if @has_forked
+        @worker.every(@polling_interval) do
+          Aikido::Zen.runtime_settings = @front_object.updated_settings
+          @config.logger.debug "Updated runtime settings after polling from child process #{Process.pid}"
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/detached_agent/front_object.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+# dRB Front object that will work as a bridge communication between child & parent
+# processes.
+# Every method is called from the child but it runs in the parent process.
+module Aikido::Zen::DetachedAgent
+  class FrontObject
+    def initialize(
+      config: Aikido::Zen.config,
+      runtime_settings: Aikido::Zen.runtime_settings,
+      collector: Aikido::Zen.collector,
+      rate_limiter: Aikido::Zen::RateLimiter.new
+    )
+      @config = config
+      @runtime_settings = runtime_settings
+      @collector = collector
+      @rate_limiter = rate_limiter
+    end
+
+    RequestKind = Struct.new(:route, :schema, :ip, :actor)
+
+    def send_collector_events(events_data)
+      events_data.each do |event_data|
+        event = Aikido::Zen::Collector::Event.from_json(event_data)
+        @collector.add_event(event)
+      end
+    end
+
+    # Method called by child processes to get an up-to-date version of the
+    # runtime_settings
+    def updated_settings
+      @runtime_settings
+    end
+
+    def calculate_rate_limits(route_data, ip, actor_data)
+      actor = Aikido::Zen::Actor.from_json(actor_data) if actor_data
+      route = Aikido::Zen::Route.from_json(route_data)
+      @rate_limiter.calculate_rate_limits(RequestKind.new(route, nil, ip, actor))
+    end
+  end
+end