aikido-zen 1.0.2.beta.10-x86_64-darwin → 1.0.2-x86_64-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 06c1f2c47b0f89b6ac01829f58d780ba2a8afe79cb3ed7cb84ae3174a6b7b99b
-  data.tar.gz: a82b7e203f4e07ea1a27e2e95c1e16060fec493c66f96c64c704ad209b6e1367
+  metadata.gz: 56688012bf2ffa1f5e46297d3c33c922aaa296c36fed10f1241d59af612f6035
+  data.tar.gz: e5ccc6144cd3df2d7f2bace371a5c6db80e4c67549b944f33382169255ebe03a
 SHA512:
-  metadata.gz: 26f7e3ca103c02f3b8ad488dea789db23f80e13c619c98e2ec7fb84171b40f4e61322c22ebc40c69c2334fd654b9f094e7e2920012e24f5ef15d09c93fb9d952
-  data.tar.gz: 0d7f0dbc1498a1a12772db2b2ee6d00fa064a12e97905efa221ac4b810737a7b3cd0de33756c36608d2cfa27a195afa4ac91278d2bb4c972c3c860b84f516743
+  metadata.gz: c1403be3b7e971c1cf0cc209338cf31a1c819c92b7cd2355f29036528472a33f072fd5f92329a5801e17d77917cb1af5e17d4ece1f4262e80d6fc5003e3907b4
+  data.tar.gz: c1e83d45fbcc247daeee059f153719e3108a4b1509daf81cb26b5470659c5ac4df7e0b485d39380a6ea37722d0fc04fe3e8149ac87e155fb01156bd8f6626559

data/README.md

@@ -23,6 +23,7 @@ Zen will autonomously protect your Ruby applications against:
 * 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked)
 * 🛡️ [Path traversal attacks](https://www.aikido.dev/blog/path-traversal-in-2024-the-year-unpacked)
 * 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities) (coming soon)
+* 🛡️ [Attack waves](https://help.aikido.dev/zen-firewall/zen-features/attack-wave-protection)
 
 Zen operates autonomously on the same server as your Ruby app to:
 

data/docs/config.md

@@ -8,7 +8,7 @@ other Rack-based apps).
 ## Disable Zen
 
 In order to fully turn off Zen and prevent it from intercepting any requests or
-reporting back to the Aikido servers, set `AIKIDO_DISABLED=true` in your
+reporting back to the Aikido servers, set `AIKIDO_DISABLE=true` in your
 environment, or set `Aikido::Zen.config.disabled = true`.
 
 (We recommend the ENV variable as you can normally change this easily without

data/docs/troubleshooting.md

@@ -0,0 +1,62 @@
+# Troubleshooting
+
+If the Zen Firewall isn't working as expected, follow these steps in order to diagnose common issues.
+
+## Review installation steps
+
+Double-check your setup against the [installation guide](../README.md#installation).
+
+Make sure:
+- Your runtime and framework are supported (see [Supported libraries and frameworks](../README.md#supported-libraries-and-frameworks)).
+- The package installed successfully.
+- Your framework-specific integration matches the example in the docs (for Rails, see the example in [docs/rails.md](../docs/rails.md)).
+
+## Check connection to Aikido
+
+The firewall must be able to reach Aikido's API endpoints.
+
+Test connectivity from the same environment where your app runs, following the instructions on this page: https://help.aikido.dev/zen-firewall/miscellaneous/outbound-network-connections-for-zen
+
+## Check logs for errors
+
+Common places:
+- Local dev: `cat log/development.log` or `tail -f log/development.log`
+- Docker: `docker logs <your-app-container>`
+- systemd: `journalctl -u <your-app-service> --since "1 hour ago"`
+
+Tip: search logs for lines containing `Aikido` or `Zen`.
+
+For example:
+
+```sh
+grep -Ei 'aikido|zen' log/development.log
+```
+
+## Enable debug output temporarily
+
+If you use Rails, set the log level to `info` or `debug` while you investigate.
+
+```ruby
+# config/environments/development.rb or production.rb
+config.log_level = :info # use :debug if needed
+```
+
+If you have your own logger, make sure Zen logs go to stdout.
+
+You can enable Zen debugging mode as follows.
+
+```ruby
+# config/initializers/zen.rb
+Rails.application.config.zen.debugging = true
+```
+
+Or set `AIKIDO_DEBUG=true` in your environment.
+
+## Contact support
+
+If you still can't resolve the problem:
+
+- Use the in-app chat to reach our support team directly.
+- Or create an issue on [GitHub](https://github.com/AikidoSec/firewall-ruby/issues) with details about your setup, framework, and logs.
+
+Include as much context as possible; this helps us respond faster.

data/lib/aikido/zen/agent.rb

@@ -43,7 +43,7 @@ module Aikido::Zen
       @started_at = Time.now.utc
       @collector.start(at: @started_at)
 
-      if @config.blocking_mode?
+      if Aikido::Zen.blocking_mode?
         @config.logger.info("Requests identified as attacks will be blocked")
       else
         @config.logger.warn("Non-blocking mode enabled! No requests will be blocked.")
@@ -106,7 +106,7 @@ module Aikido::Zen
     # @raise [Aikido::Zen::UnderAttackError] if the firewall is configured
     #   to block requests.
     def handle_attack(attack)
-      attack.will_be_blocked! if @config.blocking_mode?
+      attack.will_be_blocked! if Aikido::Zen.blocking_mode?
 
       @config.logger.error(
         format("Zen has %s a %s: %s", attack.blocked? ? "blocked" : "detected", attack.humanized_name, attack.as_json.to_json)

data/lib/aikido/zen/attack.rb

@@ -10,10 +10,11 @@ module Aikido::Zen
     attr_reader :operation
     attr_accessor :sink
 
-    def initialize(context:, sink:, operation:)
+    def initialize(context:, sink:, operation:, stack: nil)
       @context = context
       @operation = operation
       @sink = sink
+      @stack = stack
       @blocked = false
     end
 
@@ -46,8 +47,9 @@ module Aikido::Zen
         kind: kind,
         blocked: blocked?,
         metadata: metadata,
-        operation: @operation
-      }.merge(input.as_json)
+        operation: @operation,
+        stack: @stack
+      }.compact.merge(input.as_json)
     end
 
     def exception(*)
@@ -171,7 +173,7 @@ module Aikido::Zen
       def metadata
         {
           hostname: @request.uri.hostname,
-          port: @request.uri.port
+          port: @request.uri.port.to_s
         }
       end
     end
@@ -197,7 +199,7 @@ module Aikido::Zen
       end
 
       def kind
-        "ssrf"
+        "stored_ssrf"
       end
 
       def input
@@ -207,7 +209,7 @@ module Aikido::Zen
       def metadata
         {
           hostname: @hostname,
-          resolvedIP: @address
+          privateIP: @address
         }
       end
     end

data/lib/aikido/zen/attack_wave/helpers.rb

@@ -0,0 +1,457 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module AttackWave
+    module Helpers
+      def self.web_scanner?(context)
+        return true if suspicious_request?(context)
+
+        return true if include_suspicious_payload?(context)
+
+        false
+      end
+
+      def self.suspicious_request?(context)
+        request = context.request
+
+        suspicious_method?(request.request_method) || suspicious_path?(request.path_info)
+      end
+
+      def self.suspicious_method?(method)
+        SUSPICIOUS_METHODS.include?(method.downcase)
+      end
+
+      def self.suspicious_path?(path)
+        path_parts = path.downcase.split("/")
+
+        file_name = path_parts.pop if path_parts.length > 0
+
+        if file_name
+          return true if SUSPICIOUS_FILE_NAMES.include?(file_name)
+
+          file_name_parts = file_name.split(".")
+
+          file_extension = file_name_parts.pop if file_name_parts.length > 1
+
+          return true if SUSPICIOUS_FILE_EXTENSIONS.include?(file_extension)
+        end
+
+        path_parts.any? do |directory_name|
+          SUSPICIOUS_DIRECTORY_NAMES.include?(directory_name)
+        end
+      end
+
+      def self.include_suspicious_payload?(context)
+        context.payloads.each do |payload|
+          next unless payload.source == :query
+
+          value = payload.value.downcase
+
+          length = value.length
+
+          next if length < 5 || length > 1_000
+
+          return true if SUSPICIOUS_SQL_KEYWORDS.any? do |keyword|
+            value.include?(keyword)
+          end
+        end
+
+        false
+      end
+
+      SUSPICIOUS_METHODS = [
+        "BADMETHOD",
+        "BADHTTPMETHOD",
+        "BADDATA",
+        "BADMTHD",
+        "BDMTHD"
+      ].map(&:downcase).freeze
+
+      SUSPICIOUS_DIRECTORY_NAMES = [
+        ".",
+        "..",
+        ".anydesk",
+        ".aptitude",
+        ".aws",
+        ".azure",
+        ".cache",
+        ".circleci",
+        ".config",
+        ".dbus",
+        ".docker",
+        ".drush",
+        ".TODO: gem",
+        ".git",
+        ".github",
+        ".gnupg",
+        ".gsutil",
+        ".hg",
+        ".idea",
+        ".java",
+        ".kube",
+        ".lftp",
+        ".minikube",
+        ".npm",
+        ".nvm",
+        ".pki",
+        ".snap",
+        ".ssh",
+        ".subversion",
+        ".svn",
+        ".tconn",
+        ".thunderbird",
+        ".tor",
+        ".vagrant.d",
+        ".vidalia",
+        ".vim",
+        ".vmware",
+        ".vscode",
+        "apache",
+        "apache2",
+        "grub",
+        "System32",
+        "tmp",
+        "xampp",
+        "cgi-bin",
+        "%systemroot%"
+      ].map(&:downcase).freeze
+
+      SUSPICIOUS_FILE_NAMES = [
+        ".addressbook",
+        ".atom",
+        ".bashrc",
+        ".boto",
+        ".config",
+        ".config.json",
+        ".config.xml",
+        ".config.yaml",
+        ".config.yml",
+        ".envrc",
+        ".eslintignore",
+        ".fbcindex",
+        ".forward",
+        ".gitattributes",
+        ".gitconfig",
+        ".gitignore",
+        ".gitkeep",
+        ".gitlab-ci.yaml",
+        ".gitlab-ci.yml",
+        ".gitmodules",
+        ".google_authenticator",
+        ".hgignore",
+        ".htaccess",
+        ".htpasswd",
+        ".htdigest",
+        ".ksh_history",
+        ".lesshst",
+        ".lhistory",
+        ".lighttpdpassword",
+        ".lldb-history",
+        ".lynx_cookies",
+        ".my.cnf",
+        ".mysql_history",
+        ".nano_history",
+        ".netrc",
+        ".node_repl_history",
+        ".npmrc",
+        ".nsconfig",
+        ".nsr",
+        ".password-store",
+        ".pearrc",
+        ".pgpass",
+        ".php_history",
+        ".pinerc",
+        ".proclog",
+        ".procmailrc",
+        ".profile",
+        ".psql_history",
+        ".python_history",
+        ".rediscli_history",
+        ".rhosts",
+        ".selected_editor",
+        ".sh_history",
+        ".sqlite_history",
+        ".svnignore",
+        ".tcshrc",
+        ".tmux.conf",
+        ".travis.yaml",
+        ".travis.yml",
+        ".viminfo",
+        ".vimrc",
+        ".www_acl",
+        ".wwwacl",
+        ".xauthority",
+        ".yarnrc",
+        ".zhistory",
+        ".zsh_history",
+        ".zshenv",
+        ".zshrc",
+        "Dockerfile",
+        "aws-key.yaml",
+        "aws-key.yml",
+        "aws.yaml",
+        "aws.yml",
+        "docker-compose.yaml",
+        "docker-compose.yml",
+        "npm-shrinkwrap.json",
+        "package-lock.json",
+        "package.json",
+        "phpinfo.php",
+        "wp-config.php",
+        "wp-config.php3",
+        "wp-config.php4",
+        "wp-config.php5",
+        "wp-config.phtml",
+        "composer.json",
+        "composer.lock",
+        "composer.phar",
+        "yarn.lock",
+        ".env.local",
+        ".env.development",
+        ".env.test",
+        ".env.production",
+        ".env.prod",
+        ".env.dev",
+        ".env.example",
+        "php.ini",
+        "wp-settings.php",
+        "config.asp",
+        "config_dev.asp",
+        "config-dev.asp",
+        "config.dev.asp",
+        "config_prod.asp",
+        "config-prod.asp",
+        "config.prod.asp",
+        "config.sample.asp",
+        "config-sample.asp",
+        "config_sample.asp",
+        "config_test.asp",
+        "config-test.asp",
+        "config.test.asp",
+        "config.ini",
+        "config_dev.ini",
+        "config-dev.ini",
+        "config.dev.ini",
+        "config_prod.ini",
+        "config-prod.ini",
+        "config.prod.ini",
+        "config.sample.ini",
+        "config-sample.ini",
+        "config_sample.ini",
+        "config_test.ini",
+        "config-test.ini",
+        "config.test.ini",
+        "config.json",
+        "config_dev.json",
+        "config-dev.json",
+        "config.dev.json",
+        "config_prod.json",
+        "config-prod.json",
+        "config.prod.json",
+        "config.sample.json",
+        "config-sample.json",
+        "config_sample.json",
+        "config_test.json",
+        "config-test.json",
+        "config.test.json",
+        "config.php",
+        "config_dev.php",
+        "config-dev.php",
+        "config.dev.php",
+        "config_prod.php",
+        "config-prod.php",
+        "config.prod.php",
+        "config.sample.php",
+        "config-sample.php",
+        "config_sample.php",
+        "config_test.php",
+        "config-test.php",
+        "config.test.php",
+        "config.pl",
+        "config_dev.pl",
+        "config-dev.pl",
+        "config.dev.pl",
+        "config_prod.pl",
+        "config-prod.pl",
+        "config.prod.pl",
+        "config.sample.pl",
+        "config-sample.pl",
+        "config_sample.pl",
+        "config_test.pl",
+        "config-test.pl",
+        "config.test.pl",
+        "config.py",
+        "config_dev.py",
+        "config-dev.py",
+        "config.dev.py",
+        "config_prod.py",
+        "config-prod.py",
+        "config.prod.py",
+        "config.sample.py",
+        "config-sample.py",
+        "config_sample.py",
+        "config_test.py",
+        "config-test.py",
+        "config.test.py",
+        "config.rb",
+        "config_dev.rb",
+        "config-dev.rb",
+        "config.dev.rb",
+        "config_prod.rb",
+        "config-prod.rb",
+        "config.prod.rb",
+        "config.sample.rb",
+        "config-sample.rb",
+        "config_sample.rb",
+        "config_test.rb",
+        "config-test.rb",
+        "config.test.rb",
+        "config.toml",
+        "config_dev.toml",
+        "config-dev.toml",
+        "config.dev.toml",
+        "config_prod.toml",
+        "config-prod.toml",
+        "config.prod.toml",
+        "config.sample.toml",
+        "config-sample.toml",
+        "config_sample.toml",
+        "config_test.toml",
+        "config-test.toml",
+        "config.test.toml",
+        "config.txt",
+        "config_dev.txt",
+        "config-dev.txt",
+        "config.dev.txt",
+        "config_prod.txt",
+        "config-prod.txt",
+        "config.prod.txt",
+        "config.sample.txt",
+        "config-sample.txt",
+        "config_sample.txt",
+        "config_test.txt",
+        "config-test.txt",
+        "config.test.txt",
+        "config.xml",
+        "config_dev.xml",
+        "config-dev.xml",
+        "config.dev.xml",
+        "config_prod.xml",
+        "config-prod.xml",
+        "config.prod.xml",
+        "config.sample.xml",
+        "config-sample.xml",
+        "config_sample.xml",
+        "config_test.xml",
+        "config-test.xml",
+        "config.test.xml",
+        "config.yaml",
+        "config_dev.yaml",
+        "config-dev.yaml",
+        "config.dev.yaml",
+        "config_prod.yaml",
+        "config-prod.yaml",
+        "config.prod.yaml",
+        "config.sample.yaml",
+        "config-sample.yaml",
+        "config_sample.yaml",
+        "config_test.yaml",
+        "config-test.yaml",
+        "config.test.yaml",
+        "config.yml",
+        "config_dev.yml",
+        "config-dev.yml",
+        "config.dev.yml",
+        "config_prod.yml",
+        "config-prod.yml",
+        "config.prod.yml",
+        "config.sample.yml",
+        "config-sample.yml",
+        "config_sample.yml",
+        "config_test.yml",
+        "config-test.yml",
+        "config.test.yml",
+        "boot.ini",
+        "gruntfile.js",
+        "localsettings.php",
+        "my.ini",
+        "npm-debug.log",
+        "parameters.yml",
+        "parameters.yaml",
+        "services.yml",
+        "services.yaml",
+        "web.config",
+        "webpack.config.js",
+        "config.old",
+        "config.inc.php",
+        "error.log",
+        "access.log",
+        ".DS_Store",
+        "passwd",
+        "win.ini",
+        "cmd.exe",
+        "my.cnf",
+        ".bash_history",
+        "docker-compose-dev.yml",
+        "docker-compose.override.yml",
+        "docker-compose.dev.yml",
+        "Cargo.lock",
+        "secrets.yml",
+        "secrets.yaml",
+        "docker-compose.staging.yml",
+        "docker-compose.production.yml",
+        "yaws-key.pem",
+        "mysql_config.ini",
+        "firewall.log",
+        "log4j.properties",
+        "serviceAccountCredentials.json",
+        "haproxy.cfg",
+        "service-account-credentials.json",
+        "vpn.log",
+        "system.log",
+        "webuser-auth.xml",
+        "fastcgi.conf",
+        "smb.conf",
+        "iis.log",
+        "pom.xml",
+        "openapi.json",
+        "vim_settings.xml",
+        "winscp.ini",
+        "ws_ftp.ini"
+      ].map(&:downcase).freeze
+
+      SUSPICIOUS_FILE_EXTENSIONS = [
+        "env",
+        "bak",
+        "sql",
+        "sqlite",
+        "sqlite3",
+        "db",
+        "old",
+        "save",
+        "orig",
+        "sqlitedb",
+        "sqlite3db"
+      ].map(&:downcase).freeze
+
+      SUSPICIOUS_SQL_KEYWORDS = [
+        "SELECT (CASE WHEN",
+        "SELECT COUNT(",
+        "SLEEP(",
+        "WAITFOR DELAY",
+        "SELECT LIKE(CHAR(",
+        "INFORMATION_SCHEMA.COLUMNS",
+        "INFORMATION_SCHEMA.TABLES",
+        "MD5(",
+        "DBMS_PIPE.RECEIVE_MESSAGE",
+        "SYSIBM.SYSTABLES",
+        "RANDOMBLOB(",
+        "SELECT * FROM",
+        "1'='1",
+        "PG_SLEEP(",
+        "UNION ALL SELECT",
+        "../"
+      ].map(&:downcase).freeze
+    end
+  end
+end

data/lib/aikido/zen/attack_wave.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require_relative "cache"
+require_relative "attack_wave/helpers"
+
+module Aikido::Zen
+  module AttackWave
+    class Detector
+      def initialize(config: Aikido::Zen.config, clock: nil)
+        @config = config
+
+        @event_times = Cache.new(@config.attack_wave_max_cache_entries, ttl: @config.attack_wave_min_time_between_events, clock: clock)
+
+        @request_counts = Cache.new(@config.attack_wave_max_cache_entries, 0, ttl: @config.attack_wave_min_time_between_requests, clock: clock)
+      end
+
+      def attack_wave?(context)
+        client_ip = context.request.client_ip
+
+        return false unless client_ip
+
+        return false if @event_times[client_ip]
+
+        return false unless AttackWave::Helpers.web_scanner?(context)
+
+        request_count = @request_counts[client_ip] += 1
+
+        return false if request_count < @config.attack_wave_threshold
+
+        @event_times[client_ip] = Time.now.utc
+
+        true
+      end
+    end
+
+    class Request
+      # @return [String]
+      attr_reader :ip_address
+
+      # @return [String]
+      attr_reader :user_agent
+
+      # @return [String]
+      attr_reader :source
+
+      # @param ip_address [String]
+      # @param user_agent [String]
+      # @param source [String]
+      # @return [Aikido::Zen::AttackWave::Request]
+      def initialize(ip_address:, user_agent:, source:)
+        @ip_address = ip_address
+        @user_agent = user_agent
+        @source = source
+      end
+
+      def as_json
+        {
+          ipAddress: @ip_address,
+          userAgent: @user_agent,
+          source: @source
+        }.compact
+      end
+    end
+
+    class Attack
+      # @return [Hash<String, String>]
+      attr_reader :metadata
+
+      # @return [Aikido::Zen::Actor]
+      attr_reader :user
+
+      # @param metadata [Hash<String, String>]
+      # @param metadata [Aikido::Zen::Actor]
+      # @return [Aikido::Zen::AttackWave::Attack]
+      def initialize(metadata:, user:)
+        @metadata = metadata
+        @user = user
+      end
+
+      def as_json
+        {
+          metadata: @metadata.as_json,
+          user: @user.as_json
+        }.compact
+      end
+    end
+  end
+end