aikido-zen 1.0.2.beta.10-x86_64-linux-musl → 1.0.2-x86_64-linux-musl

data/lib/aikido/zen/cache.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  class Cache
+    extend Forwardable
+
+    # @api private
+    # Visible for testing.
+    def_delegators :@data,
+      :size, :empty?
+
+    def initialize(capacity, default_value = nil, ttl:, clock: nil)
+      @default_value = default_value
+      @ttl = ttl
+      @clock = clock
+
+      @data = CappedMap.new(capacity, mode: :lru)
+    end
+
+    def key?(key)
+      @data.key?(key) && !@data[key].expired?
+    end
+
+    # @param key [Object] the key
+    # @param value [Object] the value
+    # @return [Object] the value that the key was set to
+    def []=(key, value)
+      if key?(key)
+        entry = @data[key]
+        entry.refresh
+        entry.value = value
+      else
+        @data[key] = CacheEntry.new(value, ttl: @ttl, clock: @clock)
+      end
+    end
+
+    def [](key)
+      if key?(key)
+        @data[key].value
+      else
+        @default_value
+      end
+    end
+
+    def delete(key)
+      if key?(key)
+        @data.delete(key).value
+      else
+        @data.delete(key)
+        nil
+      end
+    end
+
+    # @api private
+    # Visible for testing.
+    def to_a
+      @data.map { |key, entry| [key, entry.value] }
+    end
+
+    # @api private
+    # Visible for testing.
+    def to_h
+      to_a.to_h
+    end
+  end
+
+  class CacheEntry
+    attr_accessor :value
+
+    DEFAULT_CLOCK = -> { Process.clock_gettime(Process::CLOCK_MONOTONIC, :millisecond) }
+
+    # @param value [Object] the value
+    # @param ttl [Integer] the time-to-live in milliseconds
+    # @return [Aikido::Zen::CacheEntry]
+    def initialize(value, ttl:, clock: nil)
+      @value = value
+      @ttl = ttl
+      @clock = clock || DEFAULT_CLOCK
+
+      refresh
+    end
+
+    def refresh
+      @expires = @clock.call + @ttl
+    end
+
+    def expired?
+      @clock.call >= @expires
+    end
+  end
+end

data/lib/aikido/zen/capped_collections.rb

@@ -18,8 +18,8 @@ module Aikido::Zen
     # @return [Integer]
     attr_reader :capacity
 
-    def initialize(capacity)
-      @data = CappedMap.new(capacity)
+    def initialize(capacity, mode: :fifo)
+      @data = CappedMap.new(capacity, mode: mode)
     end
 
     def <<(element)
@@ -47,16 +47,23 @@ module Aikido::Zen
     extend Forwardable
 
     def_delegators :@data,
-      :[], :fetch, :delete, :key?,
+      :delete, :key?,
       :each, :each_key, :each_value,
       :size, :empty?, :to_hash
 
     # @return [Integer]
     attr_reader :capacity
 
-    def initialize(capacity)
+    def initialize(capacity, mode: :fifo)
       raise ArgumentError, "cannot set capacity lower than 1: #{capacity}" if capacity < 1
+
+      unless [:fifo, :lru].include?(mode)
+        raise ArgumentError, "unsupported mode: #{mode}"
+      end
+
       @capacity = capacity
+      @mode = mode
+
       @data = {}
     end
 
@@ -64,5 +71,16 @@ module Aikido::Zen
       @data[key] = value
       @data.delete(@data.each_key.first) if @data.size > @capacity
     end
+
+    def [](key)
+      @data[key] = @data.delete(key) if @mode == :lru && key?(key)
+      @data[key]
+    end
+
+    def fetch(key, ...)
+      return self[key] if key?(key)
+
+      @data.fetch(key, ...)
+    end
   end
 end

data/lib/aikido/zen/collector/event.rb

@@ -52,6 +52,35 @@ module Aikido::Zen
         end
       end
 
+      class TrackAttackWave < Event
+        register "track_attack_wave"
+
+        def self.from_json(data)
+          new(
+            being_blocked: data[:being_blocked]
+          )
+        end
+
+        def initialize(being_blocked:)
+          super()
+          @being_blocked = being_blocked
+        end
+
+        def as_json
+          super.update({
+            being_blocked: @being_blocked
+          })
+        end
+
+        def handle(collector)
+          collector.handle_track_attack_wave(being_blocked: @being_blocked)
+        end
+
+        def inspect
+          "#<#{self.class.name} #{@being_blocked}>"
+        end
+      end
+
       class TrackScan < Event
         register "track_scan"
 

data/lib/aikido/zen/collector/hosts.rb

@@ -7,9 +7,24 @@ module Aikido::Zen
   #
   # Keeps track of the hostnames to which the app has made outbound HTTP
   # requests.
-  class Collector::Hosts < Aikido::Zen::CappedSet
+  class Collector::Hosts < Aikido::Zen::CappedMap
     def initialize(config = Aikido::Zen.config)
       super(config.max_outbound_connections)
     end
+
+    # @param host [Aikido::Zen::OutboundConnection]
+    # @return [void]
+    def add(host)
+      self[host] ||= host
+      self[host].hit
+    end
+
+    def each(&blk)
+      each_value(&blk)
+    end
+
+    def as_json
+      map(&:as_json)
+    end
   end
 end

data/lib/aikido/zen/collector/stats.rb

@@ -8,7 +8,7 @@ module Aikido::Zen
   # Tracks information about how the Aikido Agent is used in the app.
   class Collector::Stats
     # @!visibility private
-    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :sinks
+    attr_reader :started_at, :ended_at, :requests, :aborted_requests, :attack_waves, :blocked_attack_waves, :sinks
 
     # @!visibility private
     attr_writer :ended_at
@@ -16,10 +16,13 @@ module Aikido::Zen
     def initialize(config = Aikido::Zen.config)
       super()
       @config = config
-      @sinks = Hash.new { |h, k| h[k] = Collector::SinkStats.new(k, @config) }
+
       @started_at = @ended_at = nil
       @requests = 0
       @aborted_requests = 0
+      @attack_waves = 0
+      @blocked_attack_waves = 0
+      @sinks = Hash.new { |h, k| h[k] = Collector::SinkStats.new(k, @config) }
     end
 
     # @return [Boolean]
@@ -60,6 +63,13 @@ module Aikido::Zen
       @requests += 1
     end
 
+    # @param being_blocked [Boolean] whether the Agent blocked the request
+    # @return [void]
+    def add_attack_wave(being_blocked:)
+      @attack_waves += 1
+      @blocked_attack_waves += 1 if being_blocked
+    end
+
     # @param sink_name [String] the name of the sink
     # @param duration [Float] the length the scan in seconds
     # @param has_errors [Boolean] whether errors occurred during the scan
@@ -85,13 +95,17 @@ module Aikido::Zen
       {
         startedAt: @started_at.to_i * 1000,
         endedAt: (@ended_at.to_i * 1000 if @ended_at),
-        sinks: @sinks.transform_values(&:as_json),
+        operations: @sinks.transform_values(&:as_json),
         requests: {
           total: @requests,
           aborted: @aborted_requests,
           attacksDetected: {
             total: total_attacks,
             blocked: total_blocked
+          },
+          attackWaves: {
+            total: @attack_waves,
+            blocked: @blocked_attack_waves
           }
         }
       }

data/lib/aikido/zen/collector/users.rb

@@ -21,8 +21,8 @@ module Aikido::Zen
       end
     end
 
-    def each(&b)
-      each_value(&b)
+    def each(&blk)
+      each_value(&blk)
     end
 
     def as_json

data/lib/aikido/zen/collector.rb

@@ -88,6 +88,20 @@ module Aikido::Zen
       synchronize(@stats) { |stats| stats.add_request }
     end
 
+    # Track stats about an attack detected by our scanners.
+    #
+    # @param attack [Aikido::Zen::Events::AttackWave]
+    # @return [void]
+    def track_attack_wave(being_blocked:)
+      add_event(Events::TrackAttackWave.new(being_blocked: being_blocked))
+    end
+
+    def handle_track_attack_wave(being_blocked:)
+      synchronize(@stats) do |stats|
+        stats.add_attack_wave(being_blocked: being_blocked)
+      end
+    end
+
     # Track stats about a scan performed by one of our sinks.
     #
     # @param scan [Aikido::Zen::Scan]

data/lib/aikido/zen/config.rb

@@ -11,7 +11,7 @@ module Aikido::Zen
     # @return [Boolean] whether Aikido should be turned completely off (no
     #   intercepting calls to protect the app, no agent process running, no
     #   middleware installed). Defaults to false (so, enabled). Can be set
-    #   via the AIKIDO_DISABLED environment variable.
+    #   via the AIKIDO_DISABLE environment variable.
     attr_accessor :disabled
     alias_method :disabled?, :disabled
 
@@ -158,15 +158,34 @@ module Aikido::Zen
     attr_accessor :harden
     alias_method :harden?, :harden
 
+    # @return [Integer] how many suspicious requests are allowed before an
+    #   attack wave detected event is reported.
+    #   Defaults to 15 requests.
+    attr_accessor :attack_wave_threshold
+
+    # @return [Integer] the minimum time in milliseconds between requests for
+    #   requests to be part of an attack wave.
+    #   Defaults to 1 minute in milliseconds.
+    attr_accessor :attack_wave_min_time_between_requests
+
+    # @return [Integer] the minimum time in milliseconds between reporting
+    #   attack wave events.
+    #   Defaults to 20 minutes in milliseconds.
+    attr_accessor :attack_wave_min_time_between_events
+
+    # @return [Integer] the maximum number of entries in the LRU cache.
+    #   Defaults to 10,000 entries.
+    attr_accessor :attack_wave_max_cache_entries
+
     def initialize
-      self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
+      self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLE", false)) || read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
       self.blocking_mode = read_boolean_from_env(ENV.fetch("AIKIDO_BLOCK", false))
       self.api_timeouts = 10
       self.api_endpoint = ENV.fetch("AIKIDO_ENDPOINT", DEFAULT_AIKIDO_ENDPOINT)
       self.realtime_endpoint = ENV.fetch("AIKIDO_REALTIME_ENDPOINT", DEFAULT_RUNTIME_BASE_URL)
       self.api_token = ENV.fetch("AIKIDO_TOKEN", nil)
-      self.polling_interval = 60
-      self.initial_heartbeat_delays = [30, 60 * 2]
+      self.polling_interval = 60 # 1 min
+      self.initial_heartbeat_delays = [30, 60 * 2] # 30 sec, 2 min
       self.json_encoder = DEFAULT_JSON_ENCODER
       self.json_decoder = DEFAULT_JSON_DECODER
       self.debugging = read_boolean_from_env(ENV.fetch("AIKIDO_DEBUG", false))
@@ -181,8 +200,8 @@ module Aikido::Zen
       self.blocked_responder = DEFAULT_BLOCKED_RESPONDER
       self.rate_limited_responder = DEFAULT_RATE_LIMITED_RESPONDER
       self.rate_limiting_discriminator = DEFAULT_RATE_LIMITING_DISCRIMINATOR
-      self.server_rate_limit_deadline = 1800 # 30 min
-      self.client_rate_limit_period = 3600 # 1 hour
+      self.server_rate_limit_deadline = 30 * 60 # 30 min
+      self.client_rate_limit_period = 60 * 60 # 1 hour
       self.client_rate_limit_max_events = 100
       self.collect_api_schema = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_COLLECT_API_SCHEMA", true))
       self.api_schema_max_samples = Integer(ENV.fetch("AIKIDO_MAX_API_DISCOVERY_SAMPLES", 10))
@@ -191,6 +210,10 @@ module Aikido::Zen
       self.stored_ssrf = read_boolean_from_env(ENV.fetch("AIKIDO_FEATURE_STORED_SSRF", true))
       self.imds_allowed_hosts = ["metadata.google.internal", "metadata.goog"]
       self.harden = read_boolean_from_env(ENV.fetch("AIKIDO_HARDEN", true))
+      self.attack_wave_threshold = 15
+      self.attack_wave_min_time_between_requests = 60 * 1000 # 1 min (ms)
+      self.attack_wave_min_time_between_events = 20 * 60 * 1000 # 20 min (ms)
+      self.attack_wave_max_cache_entries = 10_000
     end
 
     # Set the base URL for API requests.

data/lib/aikido/zen/context/rack_request.rb

@@ -6,6 +6,9 @@ require_relative "../request/heuristic_router"
 module Aikido::Zen
   # @!visibility private
   Context::RACK_REQUEST_BUILDER = ->(env) do
+    # Normalize PATH_INFO so routes are correctly recognized in middleware.
+    env["PATH_INFO"] = Helpers.normalize_path(env["PATH_INFO"])
+
     delegate = Rack::Request.new(env)
     router = Aikido::Zen::Request::HeuristicRouter.new
     request = Aikido::Zen::Request.new(delegate, framework: "rack", router: router)

data/lib/aikido/zen/context/rails_request.rb

@@ -12,6 +12,9 @@ module Aikido::Zen
 
   # @!visibility private
   Context::RAILS_REQUEST_BUILDER = ->(env) do
+    # Normalize PATH_INFO so routes are correctly recognized in middleware.
+    env["PATH_INFO"] = Helpers.normalize_path(env["PATH_INFO"])
+
     # Duplicate the Rack environment to prevent unexpected modifications from
     # breaking Rails routing.
     delegate = ActionDispatch::Request.new(env.dup)

data/lib/aikido/zen/context.rb

@@ -81,8 +81,8 @@ module Aikido::Zen
     def protection_disabled?
       return false if request.nil?
 
-      !@settings.endpoints[request.route].protected? ||
-        @settings.skip_protection_for_ips.include?(request.ip)
+      !@settings.endpoints.match(request.route).all?(&:protected?) ||
+        @settings.allowed_ips.include?(request.ip)
     end
 
     # @!visibility private

data/lib/aikido/zen/event.rb

@@ -41,8 +41,10 @@ module Aikido::Zen
 
       def as_json
         super.update(
-          attack: @attack.as_json,
-          request: @attack.context.request.as_json
+          {
+            attack: @attack.as_json,
+            request: @attack.context&.request&.as_json
+          }.compact
         )
       end
     end
@@ -67,5 +69,48 @@ module Aikido::Zen
         )
       end
     end
+
+    class AttackWave < Event
+      # @param [Aikido::Zen::Context] a context
+      # @return [Aikido::Zen::Events::AttackWave] an attack wave event
+      def self.from_context(context)
+        request = Aikido::Zen::AttackWave::Request.new(
+          ip_address: context.request.client_ip,
+          user_agent: context.request.user_agent,
+          source: context.request.framework
+        )
+
+        attack = Aikido::Zen::AttackWave::Attack.new(
+          metadata: {}, # not used yet
+          user: context.request.actor
+        )
+
+        new(request: request, attack: attack)
+      end
+
+      # @return [Aikido::Zen::AttackWave::Request]
+      attr_reader :request
+
+      # @return [Aikido::Zen::AttackWave::Attack]
+      attr_reader :attack
+
+      # @param [Aikido::Zen::AttackWave::Request] the attack wave request
+      # @param [Aikido::Zen::AttackWave::Attack] the attack wave attack
+      # @param opts [Hash<Symbol, Object>] any other options to pass to
+      #   the superclass initializer.
+      # @return [Aikido::Zen::Events::AttackWave] an attack wave event
+      def initialize(request:, attack:, **opts)
+        super(type: "detected_attack_wave", **opts)
+        @request = request
+        @attack = attack
+      end
+
+      def as_json
+        super.update(
+          request: @request.as_json,
+          attack: @attack.as_json
+        )
+      end
+    end
   end
 end

data/lib/aikido/zen/helpers.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Aikido
+  module Zen
+    # @api private
+    module Helpers
+      # Normalizes a path by:
+      #
+      #   1. Collapsing consecutive forward slashes into a single forward slash.
+      #   2. Removing forward trailing slash, unless the normalized path is "/".
+      #
+      # @param path [String, nil] the path to normalize.
+      # @return [String, nil] the normalized path.
+      def self.normalize_path(path)
+        return path unless path
+
+        normalized_path = path.dup
+        normalized_path.squeeze!("/")
+        normalized_path.chomp!("/") unless normalized_path == "/"
+        normalized_path
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/{check_allowed_addresses.rb → allowed_address_checker.rb}

@@ -3,7 +3,7 @@
 module Aikido::Zen
   module Middleware
     # Middleware that rejects requests from IPs blocked in the Aikido dashboard.
-    class CheckAllowedAddresses
+    class AllowedAddressChecker
       def initialize(app, config: Aikido::Zen.config, settings: Aikido::Zen.runtime_settings)
         @app = app
         @config = config

data/lib/aikido/zen/middleware/attack_wave_protector.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Aikido
+  module Zen
+    module Middleware
+      class AttackWaveProtector
+        def initialize(app, zen: Aikido::Zen, settings: Aikido::Zen.runtime_settings)
+          @app = app
+          @zen = zen
+          @settings = settings
+        end
+
+        def call(env)
+          response = @app.call(env)
+
+          context = @zen.current_context
+          protect(context)
+
+          response
+        end
+
+        # @api private
+        # Visible for testing.
+        def attack_wave?(context)
+          request = context.request
+          return false if request.nil?
+
+          # Bypass attack wave protection for allowed IPs
+          return false if @settings.allowed_ips.include?(request.ip)
+
+          @zen.attack_wave_detector.attack_wave?(context)
+        end
+
+        # @api private
+        # Visible for testing.
+        def protect(context)
+          if attack_wave?(context)
+            attack_wave = Aikido::Zen::Events::AttackWave.from_context(context)
+            @zen.track_attack_wave(attack_wave)
+            @zen.agent.report(attack_wave)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aikido/zen/middleware/{set_context.rb → context_setter.rb}

@@ -9,7 +9,7 @@ module Aikido::Zen
   module Middleware
     # Rack middleware that keeps the current context in a Thread/Fiber-local
     # variable so that other parts of the agent/firewall can access it.
-    class SetContext
+    class ContextSetter
       def initialize(app)
         @app = app
       end

data/lib/aikido/zen/middleware/rack_throttler.rb

@@ -33,8 +33,10 @@ module Aikido::Zen
       private
 
       def should_throttle?(request)
+        # Bypass rate limiting for allowed IPs
+        return false if @settings.allowed_ips.include?(request.ip)
+
         return false unless @settings.endpoints[request.route].rate_limiting.enabled?
-        return false if @settings.skip_protection_for_ips.include?(request.ip)
 
         result = @detached_agent.calculate_rate_limits(request)
 

data/lib/aikido/zen/middleware/request_tracker.rb

@@ -5,8 +5,9 @@ module Aikido::Zen
     # Rack middleware used to track request
     # It implements the logic under that which is considered worthy of being tracked.
     class RequestTracker
-      def initialize(app)
+      def initialize(app, settings: Aikido::Zen.runtime_settings)
         @app = app
+        @settings = settings
       end
 
       def call(env)
@@ -16,7 +17,8 @@ module Aikido::Zen
         if request.route && track?(
           status_code: response[0],
           route: request.route.path,
-          http_method: request.request_method
+          http_method: request.request_method,
+          ip: request.ip
         )
           Aikido::Zen.track_request(request)
 
@@ -126,7 +128,10 @@ module Aikido::Zen
       # @param status_code [Integer]
       # @param route [String]
       # @param http_method [String]
-      def track?(status_code:, route:, http_method:)
+      def track?(status_code:, route:, http_method:, ip: nil)
+        # Bypass request and route tracking for allowed IPs
+        return false if @settings.allowed_ips.include?(ip)
+
         # In the UI we want to show only successful (2xx) or redirect (3xx) responses
         # anything else is discarded.
         return false unless status_code >= 200 && status_code <= 399

data/lib/aikido/zen/outbound_connection.rb

@@ -25,13 +25,23 @@ module Aikido::Zen
     # @return [Integer] the port number to which the connection was attempted.
     attr_reader :port
 
+    # @return [Integer] the number of times that this connection was seen by
+    #   the hosts collector.
+    attr_reader :hits
+
     def initialize(host:, port:)
       @host = host
       @port = port
     end
 
+    def hit
+      # Lazy initialize @hits, so it stays nil until the connection is tracked.
+      @hits ||= 0
+      @hits += 1
+    end
+
     def as_json
-      {hostname: host, port: port}
+      {hostname: host, port: port, hits: hits}.compact
     end
 
     def ==(other)

data/lib/aikido/zen/rails_engine.rb

@@ -12,8 +12,9 @@ module Aikido::Zen
     initializer "aikido.add_middleware" do |app|
       app.middleware.insert_before 0, Aikido::Zen::Middleware::ForkDetector
 
-      app.middleware.use Aikido::Zen::Middleware::SetContext
-      app.middleware.use Aikido::Zen::Middleware::CheckAllowedAddresses
+      app.middleware.use Aikido::Zen::Middleware::ContextSetter
+      app.middleware.use Aikido::Zen::Middleware::AllowedAddressChecker
+      app.middleware.use Aikido::Zen::Middleware::AttackWaveProtector
       # Request Tracker stats do not consider failed request or 40x, so the middleware
       # must be the last one wrapping the request.
       app.middleware.use Aikido::Zen::Middleware::RequestTracker

data/lib/aikido/zen/request/rails_router.rb

@@ -62,16 +62,31 @@ module Aikido::Zen
       nil
     end
 
-    private def build_route(route, request, prefix: request.script_name)
+    private
+
+    def build_route(route, request, prefix: request.script_name)
       route_wrapper = ActionDispatch::Routing::RouteWrapper.new(route)
 
       path = if prefix.present?
-        File.join(prefix.to_s, route_wrapper.path).chomp("/")
+        prefix_route_path(prefix.to_s, route_wrapper.path)
       else
         route_wrapper.path
       end
 
       Aikido::Zen::Route.new(verb: request.request_method, path: path)
     end
+
+    def prefix_route_path(string1, string2)
+      # The strings appear to start with "/", allowing them to be concatenated
+      # directly after removing trailing "/". However, as it is not currently
+      # known whether this is guaranteed, we insert a separator when necessary.
+
+      separator = string2.start_with?("/") ? "" : "/"
+
+      string1 = string1.chomp("/")
+      string2 = string2.chomp("/")
+
+      "#{string1}#{separator}#{string2}"
+    end
   end
 end